Re: Remote web workplace



Ok

So in short.

1. There are not any group policy settings that can be changed to allow or
deny users access to RWW. eg in Terminal services u can allow or deny users
in the group policy or by group membership.

2. VPN rights have nothing to do with RWW

3. Terminal Services rights have nothing to do with RWW

4. To use RWW u must be a member of the RWW group.

5. Once connected thru RWW, TS rights will limit yr access to different
machines (these rights can be set up in Group policy).

6. The only place where we can control which users can use RWW is in the
membership of the RWW group.

Grey area now????

7. A user with admin rights automatically has RWW rights and these rights
cannot be removed (if I check the membership of the RWW group the
administrator is not listed but RWW can still be used)

OR

8. Remove the admin template from the RWW group before giving a user admin
rights; This user will then not have RWW rights.
......

We do want to use RWW for some users so disabling RWW for all users is not
an option.


Once again....Thanks


"Cris Hanna [SBS-MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:%230BuJV7mHHA.4412@xxxxxxxxxxxxxxxxxxxxxxx
Agree with Henry, changing the Admin Template has no effect on current
users

I'd like to be clear on terminology so we make sure we are talking about
the same thing

When I say Administrator....this is typically, in the small business
setting, the person who has overall responsibility for setting up and
maintaining the network and all related access (i.e. new user accounts,
security on folders, new shares, printers, etc.) The nature of the job
requires unfettered access to all resources.
In some businesses, this is a company employee; in some this role is
contracted out. In either circumstance, the individual holding that
role, pretty much requires complete access. If this is a contracted
individual, then remote access will certainly be essential.

In the companies I administer and support, I have unrestricted access to
everything; two of the companies use QuickBooks. I have unrestricted
access to the QuickBooks share, but I DO NOT have an account in the
QuickBooks application. So even if I hijack the file...it's of little use

But I also have a written agreement with my customers, which holds me
financially and legally responsible for the unauthorized disclosure of any
and all company confidential information to which I may have access in the
course of performing my duties.

As Henry suggested, if you have Office personnel who have a need to
perform "elevated" tasks from time to time, a second user account for
those folks should be created with those privileges.

You should check the membership of the Remote Web Security Group and
modify if necessary

You may also have to modify the "Default Domain Security Policy" (think I
got that right) and look at the permission to "logon via terminal
services"



--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Doug Taylor" <dtaylor@xxxxxxxxxx> wrote in message
news:uwLXmFmmHHA.4032@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for your reply.

It's not a question of trusting the admin; we just don't want administrators
connecting to our network remotely.

We have a local domain administrator that has all the rights blah blah
and has a weaker password. We then have a remote admin user that is also
a domain admin, has a stronger password and is able to connect over remote
web workplace. In fact they are the same person. We however at times
need to get the office manager to carry out certain tasks when we are
unable to attend site. We give them the local admin user details. They
don't have the skills (and would not want) to reconfigure the server to
give themselves remote access and we trust them in this matter. However
if these details fall into the wrong hands we would like to restrict
access to RWW from this user (the local admin) so that they can't access
the network externally through RWW.

This is not a matter of semantics but a question of how it is achieved.
To test things we have removed the administrator template (the only
reference to the administrator was the administrator template under the
member tag) from the RWW group but the administrator is still able to
connect using RWW.

1. Perhaps now the template has been removed we need to recreate the local
admin users to remove his rights etc. ... worth a try.

2. Under group policy u can achieve things like restricting logon
locally, access computer from the network etc but I have not found any
setting related to RWW.

3. Do we have any control over which users can utilise RWW eg through
GPolicy settings (have not seen any).

Rather than the reasoning behind the question, does anyone know how to
achieve the task at hand?

Once again thanks in advance

Cheers

Douglas


"Cris Hanna [SBS-MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:OWp$$CLmHHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Sure it's possible to remove them from the group.
What's to stop him from putting himself back? He is after all the admin

If you don't trust the Administrator of your network enough that you
feel you have to start revoking privileges (that obviously he can
restore)
It's time to get a new admin


--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Doug Taylor" <dtaylor@xxxxxxxxxx> wrote in message
news:%23wKGzTHmHHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
Hiya

We are running sbs2003 r2. Is there any way to deny the administrator
the ability to connect through remote web workplace? There don't seem
to be any settings in the group policy for enabling or disabling
users. I want the admin to be able to rdp into the server when
connected to the local lan but not remotely from the internet. Is it
possible to remove the administrator from the remote web workplace
users group etc.?

Thanks
in advance

Douglas








