Intermediate
6 min

Vendor Access And Remote Tools: How To Stay Safe

Third-party vendor access is how most SMB breaches happen. When your vendor gets compromised, attackers walk through your open door.

Last updated: March 20, 2026

A Point Clear law firm called us after their data appeared on a ransomware leak site. The attacker got in through their IT vendor — a local MSP that managed the law firm's servers, email, and workstations.

The MSP had a remote monitoring tool installed on all client systems. The MSP got compromised (a phishing attack on the MSP's admin). The attacker used the MSP's remote access to log into the law firm's systems.

The law firm hadn't given the MSP a dedicated admin account with limited access. The MSP used a shared account with full admin rights. When the MSP got compromised, the attacker inherited those rights.

Vendor access is a real and common attack vector. Here's how to manage it safely.

What this solves (in real business terms)

Vendor access means giving external parties (IT vendors, software vendors, contractors) access to your systems. HVAC companies need access to your building automation. POS vendors need access to your payment systems. IT providers need access to your network.

Each access point is a potential entry for attackers. If your vendor gets compromised, your open access becomes their highway in.

The goal: give vendors the access they need to do their job, no more. Make that access temporary when possible. Monitor what they do. Revoke it when work is done.

What can go wrong

IT MSP compromise = all clients compromised. The Point Clear scenario. The MSP had admin access to every client. One MSP breach = dozens of client breaches.

Stale vendor accounts never revoked. Your POS vendor installed software five years ago. The technician who did the install left. The account is still active. Nobody remembers to disable it.

Shared vendor credentials. "Use admin / admin1234 for remote support." These credentials get reused across dozens of clients. When one client is breached, attackers try the same credentials elsewhere.

Vendor with more access than needed. Your email vendor doesn't need admin access to your network. Your HVAC vendor doesn't need access to your financial systems. But they ask for it "for convenience," and businesses comply.

Remote access tools left running. TeamViewer, AnyDesk, or similar installed "temporarily" and forgotten. Attackers find these running on public IP addresses and brute-force the login.

No logging of vendor activity. You have no idea what vendors did while connected. If something went wrong, you can't reconstruct the timeline.

What it costs (honest ranges)

  • Vendor credential management tools (Bomgar, BeyondTrust): $1,500-$5,000/year — enterprise tools for managing vendor access securely
  • Microsoft Remote Desktop Gateway: Included with Windows Server — limits who can access what
  • Just-in-time access tools (Cherwell, ServiceNow): $500-$2,000/month for enterprise tools
  • Managed security provider: usually $10-$30/user/month; includes vendor access review and management

For most SMBs: configure your existing tools properly and establish policies. Expensive vendor access management tools are for enterprises with dozens of vendors and compliance requirements.

Vendor questions (copy/paste)

Ask your IT vendor:

  1. "What access do you have to our systems? How is it authenticated?"
  2. "Do you use shared credentials across clients, or unique credentials for each?"
  3. "How do you monitor and log your access to our systems?"
  4. "When work is done, do you automatically revoke access, or does it stay active?"
  5. "Do your technicians use their own accounts, or shared accounts?"

Ask any vendor asking for remote access:

  1. "What specific access do you need and why?"
  2. "Can this be done without remote access?"
  3. "Can you work on a scheduled basis rather than having permanent access?"
  4. "Do you have your own security certifications? Do you have cyber insurance?"
  5. "Who in your organization will have access to our systems?"

Minimum viable implementation

Step 1: Inventory all vendor access

Make a list of every vendor with remote access:

  • IT provider
  • Security alarm/monitoring company
  • HVAC building automation
  • POS vendor
  • Accounting software vendor
  • Phone system provider
  • Any contractor who's ever had remote access "temporarily"

For each, note:

  • What access they have (admin, read-only, specific systems)
  • How they connect (VPN, remote desktop, vendor's own tool)
  • Whose account it is (vendor's account or yours)
  • Last time access was reviewed

Step 2: Audit current access

In Microsoft 365 Admin Center:

  • Go to Users > Active users
  • Look for accounts with admin roles you don't recognize
  • Check "Sign-in logs" for vendor accounts logging in from unexpected locations

In your network:

  • Check for running remote access tools (TeamViewer, AnyDesk, LogMeIn) you didn't authorize
  • Check your firewall for open RDP ports or VPN connections

Step 3: Replace shared credentials with individual accounts

If your vendor uses "admin" or shared credentials:

  • Demand unique credentials for your organization
  • Ideally, create the vendor's accounts in your own system (so you control the password and can revoke it)

Step 4: Implement least privilege for vendors

Vendors should have:

  • Minimum necessary access (not admin unless they genuinely need it)
  • Time-limited access (auto-expires)
  • Access only during approved maintenance windows

Step 5: Require MFA for vendor accounts

Every vendor account accessing your systems should require MFA. This is non-negotiable.

Step 6: Document and schedule reviews

Create a quarterly task: review vendor access.

  • Is this vendor still active?
  • Does the access level still match what they need?
  • Any technicians who've left who still have access?
  • Any old remote access tools still installed?

Step 7: For critical vendors (IT MSPs), require:

  • Your MSP uses unique credentials per client
  • They have their own security controls (MFA, logging, employee training)
  • They notify you of any security incidents at their organization
  • They provide cyber insurance (ask for certificate of insurance)
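The steps above are a checklist; the script below, added here as an example and not part of this article or any product it mentions, turns Steps 1, 2, 4, 5 and 6 into an automated quarterly review. It runs over a constructed vendor inventory and a few constructed sign-in events (hypothetical vendor names, accounts and addresses), and flags shared credentials, missing MFA, unjustified admin rights, missing or past expiry dates, overdue reviews, unknown accounts signing in, and sign-ins outside the approved maintenance window. With real data you would feed it your Step 1 inventory and an export of the Microsoft 365 sign-in logs.

```python
"""Quarterly vendor access review over a constructed inventory.

Flags the control gaps described in the steps above: shared credentials,
no MFA, admin rights without justification, no expiry or expired access,
overdue reviews, and sign-ins by unknown accounts or outside the window.
"""
from datetime import date, datetime, timedelta

# Review date for this run (constructed; use date.today() in practice).
TODAY = date(2026, 3, 20)
REVIEW_INTERVAL = timedelta(days=90)  # quarterly review, per Step 6

# Constructed inventory (hypothetical vendors and accounts, not real ones).
# "window" is the approved maintenance window as (start, end) in HH:MM.
INVENTORY = [
    {"vendor": "Example MSP", "account": "msp-svc", "access": "admin",
     "needs_admin": True, "shared": True, "mfa": False,
     "expires": None, "last_reviewed": date(2025, 1, 10),
     "window": ("18:00", "22:00")},
    {"vendor": "POS Co", "account": "pos-tech-2021", "access": "admin",
     "needs_admin": False, "shared": False, "mfa": True,
     "expires": date(2026, 1, 1), "last_reviewed": date(2026, 2, 1),
     "window": ("06:00", "08:00")},
    {"vendor": "HVAC Inc", "account": "hvac-ro", "access": "read-only",
     "needs_admin": False, "shared": False, "mfa": True,
     "expires": date(2026, 6, 30), "last_reviewed": date(2026, 3, 1),
     "window": ("22:00", "02:00")},  # window crossing midnight
]

# Constructed sign-in events: (account, ISO timestamp, source address).
SIGNINS = [
    ("msp-svc", "2026-03-18T19:15:00", "203.0.113.10"),
    ("msp-svc", "2026-03-19T03:40:00", "198.51.100.7"),
    ("hvac-ro", "2026-03-19T01:00:00", "192.0.2.5"),
    ("unknown-admin", "2026-03-19T11:00:00", "192.0.2.9"),
]


def review_inventory(inventory, today):
    """Return (account, issue) pairs for every gap found in the inventory."""
    findings = []
    for v in inventory:
        acct = v["account"]
        if v["shared"]:
            findings.append((acct, "shared credentials"))
        if not v["mfa"]:
            findings.append((acct, "no MFA"))
        if v["access"] == "admin" and not v["needs_admin"]:
            findings.append((acct, "admin rights not justified"))
        if v["expires"] is None:
            findings.append((acct, "no expiry"))
        elif v["expires"] < today:
            findings.append((acct, "expired but still in inventory"))
        if today - v["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((acct, "review overdue"))
    return findings


def in_window(hhmm, window):
    """True if HH:MM falls inside the window; handles windows past midnight."""
    start, end = window
    if start <= end:
        return start <= hhmm <= end
    return hhmm >= start or hhmm <= end


def check_signins(signins, inventory):
    """Flag sign-ins by accounts not in the inventory or outside their window."""
    windows = {v["account"]: v["window"] for v in inventory}
    findings = []
    for acct, ts, src in signins:
        if acct not in windows:
            findings.append((acct, f"unknown account signed in from {src}"))
            continue
        hhmm = datetime.fromisoformat(ts).strftime("%H:%M")
        if not in_window(hhmm, windows[acct]):
            start, end = windows[acct]
            findings.append(
                (acct, f"sign-in at {ts} outside window {start}-{end} from {src}"))
    return findings


if __name__ == "__main__":
    for acct, issue in review_inventory(INVENTORY, TODAY) + check_signins(SIGNINS, INVENTORY):
        print(f"{acct}: {issue}")
```

The inventory fields map directly onto the "For each, note" list in Step 1, and each finding names the step it violates, so the output doubles as the agenda for the quarterly review meeting. The source address is carried into the sign-in findings so that an unexpected location (Step 2) can be checked by hand; the script does not geolocate.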

When to hire help

Do it yourself if:

  • You have fewer than 10 vendors with access
  • You're comfortable navigating admin panels and reviewing accounts
  • Your vendors are responsive to access requests

Get help if:

  • You have 20+ vendors with access
  • You have complex vendor relationships (multiple MSPs, security vendors, software vendors)
  • You've had an incident related to vendor access
  • You want someone actively managing and monitoring vendor access
  • You're in a regulated industry with specific vendor access requirements

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.