Temporary agency staff and administrative access

[dsk]

We are getting some agency staff in to cover a couple of people who are off sick in the IT department. Never really had a need for this before, and previous managers never really looked into this.

Whats the best way to go about giving them access to the system. I have no qualms about giving them their own logins so they can access applications and do day to day stuff, but we also access servers with the administrator account and domain password.

Do i duplicate the admin account and give them that if they need access, do i avoid them doing any admin work all together, or do i draw up an agreement with regards to use of our network and passwords?

[nephilim]

avoid all admin access if possible, that way they cant do too much

[john]

What roles are they in for is the first question, if its just fixing dead PCs probably limited admin is needed, however if there a Network Techy they will need admin won't they to do the job.

Surely the contract you have with the supplier of said people covers things like Data Protection, CRB Clearance, Confidentiality etc....

[j17sparky]

As said what do they need to do? Access can be quite granular; only give them access to what they need. If they need to reset passwords delegate the permission to them. If they will be imaging machines just give them access to that, GPO permissions can be granted without full admin access, etc. If they are only temps then they ain't gunna need to be "on" the servers are they, but they may need access to certain functions.

[dsk]

They will be in to help with the summer project work. I suppose any domain user can join the machine to the domain, but they will need access to our local passwords and bios passwords when it comes to setting these machines up.

Our passwords are somewhat consistent across our apps (smoothwall, papercut, moodle) though im sure i can probably get around them for this purpose.

I only have one member of staff, when i should have three.

Taken over as manager, but dont really have any junior staff to support me...

[GrumbleDook]

To some extent you have to trust external companies doing work for you. If we trust Smoothwall to get into their devices then I trust them to know what they can and can't do on a network. If we trust the folk putting in our VLANs or managed wireless networks then we should let them get on with it.

The considerations in this case are around data protection and system security.

Local passwords can always be forceably changed at a later date so give them a temp one for now.
BIOS passwords should be different to other passwords anyway so this is a chance for you to make a start changing it. If they need the old one, then you have to consider teh chances they might do damage elsewhere ... if there is little chance then trust them. If they need access to perform certain domain level tasks then delegated authority, or give them a user account with domain admin access, but not the administrator account.

No doubt there is something in their contract to get them to agree to a code of conduct anyway ... if they breach it at a later date when they are not meant to have any access then it is a breach of the Computer Misuse Act. Let them know that this is the case and that you *have* to mention it to them as a standard thing ... not that you don't trust them (even if you don't trust them!)

If you really need to keep an eye, then look at increasing the logging on the desktops and servers, and make sure you set aside enough time to sample through what has gone on.

[dsk]

To be fair they seem like decent enough people, ive spent a good hour with them all grilling them and making sure they know what they are in for. One even got back to his agency contact saying he was even more interested in the job after i told him how much work we had to do, haha!

In the past we've had people come in, one that i remember was for our wireless setup. My manager at the time made a duplicate of the admin account just so this person could do their stuff and get things working.

Thank you all for the advice and comments, its actually been really helpful!