Your thoughts on vendor requiring all users to log in to a MS terminal server with the same username and password

Solution 1:

If the files are stored at the filesystem level without user-based encryption and with no ACLs, then yes, run away. If ALL data was stored within the database then I would feel slightly less hesitant, but even still, any vendor that says it's OK (especially when HIPAA is in the mix) to use shared IDs is suspect in my book. If you join the machine to a domain then there is nothing confusing from the end user's standpoint about using their own individual ID. Rather, it would be more confusing for them to have the additional shared ID.

Solution 2:

Agreed, with profile sharing comes a whole host of issues - not the least of which is the inability to have good accountability (or even ANY accountability) for exactly who did exactly what and exactly when it happened. Find another vendor - one that adheres to basic security principles. Try to find someone with a SAS 70 Type II certification if possible. I'll guarantee those organizations won't allow profile sharing. Thanks for asking before jumping into this one and regretting it later.
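The accountability gap both answers describe can be seen in a terminal server's own logon records. The following is an added example, not part of the original thread: it flags accounts that hold overlapping RDP sessions from different source addresses, using constructed records shaped like Windows Security events 4624 (logon, LogonType 10) and 4634 (logoff). The account names, addresses, and the dictionary field names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data). 4624 = logon,
# type 10 = RemoteInteractive (RDP); 4634 = logoff for the same logon_id.
EVENTS = [
    {"time": "2024-03-04T08:01:00", "id": 4624, "type": 10, "user": "clinic", "ip": "10.0.0.11", "logon_id": "0x1a"},
    {"time": "2024-03-04T08:05:00", "id": 4624, "type": 10, "user": "clinic", "ip": "10.0.0.12", "logon_id": "0x1b"},
    {"time": "2024-03-04T08:10:00", "id": 4624, "type": 10, "user": "jsmith", "ip": "10.0.0.13", "logon_id": "0x1c"},
    {"time": "2024-03-04T09:00:00", "id": 4634, "type": 10, "user": "clinic", "ip": "", "logon_id": "0x1a"},
    {"time": "2024-03-04T09:20:00", "id": 4634, "type": 10, "user": "jsmith", "ip": "", "logon_id": "0x1c"},
    # jsmith moves to another workstation after logging off: not concurrent.
    {"time": "2024-03-04T09:30:00", "id": 4624, "type": 10, "user": "jsmith", "ip": "10.0.0.14", "logon_id": "0x1d"},
]


def find_shared_accounts(events):
    """Return {account: source IPs} for accounts with overlapping RDP
    sessions from more than one source address."""
    open_sessions = defaultdict(dict)  # account -> {logon_id: source ip}
    shared = defaultdict(set)
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        account = ev["user"].lower()   # Windows account names are case-insensitive
        sessions = open_sessions[account]
        if ev["id"] == 4624 and ev["type"] == 10:
            sessions[ev["logon_id"]] = ev["ip"]
            sources = set(sessions.values())
            if len(sources) > 1:
                # Two or more people are active under one identity; the log
                # cannot say which of them performed any later action.
                shared[account] |= sources
        elif ev["id"] == 4634:
            sessions.pop(ev["logon_id"], None)
    return dict(shared)


if __name__ == "__main__":
    for account, sources in find_shared_accounts(EVENTS).items():
        print(f"{account}: concurrent RDP sessions from {sorted(sources)}")
```

With individual domain accounts, the same records attribute each session to one person; with the shared ID, only the source address distinguishes them.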