Disaster Recovery/Sabotage Protection for a small business

Solution 1:

Here are a few bullet points off the top of my head:

  • MOST IMPORTANTLY: Document EVERYTHING between you and the other two partners - EVERYTHING. Get everything signed. Keep extremely detailed logs of everything you do, when you visited, telephone conversations (including time), the lot. I've heard of consulting firms being taken to the cleaners in situations like this. The excluded partner gets wind of what's going on, and then initiates legal proceedings against the other partners. Guess who ends up in the firing line? You. Can you prove you were authorized to access their systems? Is the permission of 2 or 3 partners enough to authorize this type of engagement? And if you don't end up as the victim in this scenario, you can bet your sweet ass you'll be dragged through the courts to validate or deny claims made by one party or the other. And cases like this can drag on for years.

  • Remove Domain Admin privs. A lot of small firms like this traditionally hand out Domain Admin privs like candy. Cut this back as far as possible.

  • Look into an online backup solution. This would save you the weekly visit to the site, and you know the data is residing somewhere off-site, secured, without lots of potential questions of "who's this guy in every week?" from the oblivious partner. Of course, this would be contingent on a decent internet pipe to the world.

  • As you mentioned, move the potential IP sitting on people's workstations to the server. Best approach to this is Folder Redirection through GPO. This is more of a general good-practice issue than a critical issue to this case.

  • Ensure you have remote access (depending on hardware, this may just be a case of enabling the HTTP interface for internet IPs) to the router for the office/building. If you get a call along the lines of "ALL HELL HAS BROKEN LOOSE!" you may want the option of shutting their connectivity down. This would stop any malicious acts via Terminal Services, Citrix etc.

  • Secure the Customer Database. Set a scheduled task to copy this data (and it is the lifeblood of any organisation) to an obscure location. It's not uncommon in this situation, when it hits the fan, for the customer database to suddenly vanish, leaving the business on its knees.
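
For the Domain Admin point above, an added example (not part of the original answer): a PowerShell script that walks nested groups and reports the path by which each non-approved account ends up with Domain Admin rights, so you know which membership to remove. The group map, account names and allow-list are constructed sample data.

```powershell
# Constructed sample: group name -> direct members.
# Assumption: on a live domain you would build the same map with
# Get-ADGroupMember (ActiveDirectory module) called WITHOUT -Recursive,
# using objectClass to tell groups from accounts.
$DirectMembers = @{
    'Domain Admins' = @('Administrator', 'jsmith', 'IT-Support')
    'IT-Support'    = @('consultant1', 'pjones', 'Helpdesk')
    'Helpdesk'      = @('tlee', 'IT-Support')   # deliberate nesting loop
}

# Hypothetical allow-list of accounts that should keep Domain Admin.
$Approved = @('Administrator', 'consultant1')

function Get-AdminPath {
    param(
        [hashtable] $Map,          # group -> direct members
        [string]    $Group,        # group to expand
        [string[]]  $Trail = @()   # groups already walked on this path
    )
    $trailNow = $Trail + $Group
    foreach ($member in $Map[$Group]) {
        if ($Map.ContainsKey($member)) {
            # Nested group: descend unless it is already on this path,
            # which would mean a membership loop.
            if ($trailNow -notcontains $member) {
                Get-AdminPath -Map $Map -Group $member -Trail $trailNow
            }
        }
        else {
            # Leaf account: record how it inherits the privilege.
            [pscustomobject]@{
                Account = $member
                Via     = $trailNow -join ' > '
            }
        }
    }
}

# Keep only accounts that are not on the allow-list.
$findings = Get-AdminPath -Map $DirectMembers -Group 'Domain Admins' |
    Where-Object { $Approved -notcontains $_.Account }

$findings | Sort-Object Account | Format-Table -AutoSize
```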

Solution 2:

Personally I wouldn't get involved with this. What if the 2 that are contacting you are the ones that will be causing the issues? Also, if things go bad and you lose their data because you missed a hole somewhere, expect the first two partners to go after you for that one as well + number 3 for being cut out.

Anyway though my points:

  1. VM the entire server; should the box go missing, you can just bring it back up on a new one. You'll have to figure out how frequently you want this done.

  2. Secure and re-do all the remote access. Reduce the footprint as much as you can to things only you control; password the router to something only you know the PW to, so no one else can open it up.

  3. Can you put another off-domain box in somewhere locally, ideally in a location only you have access to? Then back up everything to this box into a write-only share. If the box is physically safe then no one but you has access to the data on it to delete it. This can be your real-time backup.

Solution 3:

Make sure they have all the original installation disks or files and make copies of them.

Don't forget any license keys. Install media means nothing when you're stuck at a licensing prompt. And in whose name are the keys held/registered (or name on the invoice)? The company's? One of the partners?