Re: Least amount of privileges
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 10 Feb 2006 08:08:42 -0600
It depends on what the domain users group has for permissions. Normally the
domain users don't have permissions at the root of a partition, the local
"Users" group is given read rights and within the . Is What permissions
do the domain users have and is there a local users group that is provided
ACLs at the root?
Does this third party program have a service account that runs the app for
the users in an elevated session? This can often be the case. One of the
ways you can determine this is to download Filemon from www.sysinternals.com
and have it running while you are doing some of the functions that these
users perform with this app. Filemon will list out ALL activity for all
users so you will have to learn to start and stop it during the activity
only and also filter the details as much as you can. This info should show
you what user was creating, deleting, etc... From there you can determine
if it is the ordinary user or a service account. Also you should consider
moving this app off of your SQL Server and put it on a separate server.
Install this on a partition other than the system partition and you should
be able to have a much higher level of authority and control.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <IDontLikeSpam@xxxxxxxxxxx> wrote in message
news:%23WO4$MbLGHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I apologize if this is a novice question as I'm not too familiar with
active directory and hope this is the appropriate place to post this.
We have a Windows 2000 Server that runs a 3rd party application that
connects to our SQL Server 2000 that is running on this same server. Our
users are getting to this 3rd party program through Terminal Services that
is set up on this same Windows 2000 Server. Our users are currently
members of ordinary Active Directory Domain Users. I noticed recently that
this 3rd party program allows users that use this program to create files
and asks for folder locations, etc... which I'm a little wary about. In
this case I'd like to limit these ordinary Active Directory Domain Users
who are part of the Remote Desktop Users group that allows them to run the
Terminal Services to only be able to run this 3rd party program that
connects to the SQL Server 2000 database that is on this server and give
them write/read access to only the 'C:\Program Files\3rd party application
folder location\'. I was about to right click our server's C drive and
remove the Active Directory ordinary Domain User group from the security
tab but was second guessing in wondering if they would need some type of
write, execute or some other privileges to the Windows and SQL Server
system folders, files and subfolders and not have anything crash on them
while they're connected through Terminal Services. I just want to give
them the least amount of privileges on this server and only 1 folder that
they can do their 3rd party writing/viewing permission to. Sorry if this
sounds confusing or is too much detail but am hoping this is possible.
Thanks in advance.
John
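
The file-activity triage described in the reply above, as an added example that is not part of the original posts: it groups one program's write-type operations by the account that performed them and lists every write that landed outside the application folder. The CSV column layout, the account names, `vendorapp.exe` and the `C:\Program Files\VendorApp` path are all assumptions constructed for this example; the layout is not Filemon's own export format.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample data. The column layout is an assumption made for this
# example; it is not Filemon's own export format.
SAMPLE_LOG = r"""time,account,process,operation,path,result
08:01:02,CORP\jdoe,vendorapp.exe,CREATE,C:\Program Files\VendorApp\out\report1.txt,SUCCESS
08:01:03,CORP\jdoe,vendorapp.exe,WRITE,C:\Program Files\VendorApp\out\report1.txt,SUCCESS
08:01:05,CORP\svc_app,vendorapp.exe,CREATE,C:\Temp\export.csv,SUCCESS
08:01:06,CORP\jdoe,vendorapp.exe,OPEN,C:\WINNT\system32\example.dll,SUCCESS
08:01:09,CORP\jdoe,vendorapp.exe,CREATE,C:\Program Files\VendorAppData\x.tmp,ACCESS DENIED
08:01:11,CORP\jdoe,explorer.exe,WRITE,C:\Temp\notes.txt,SUCCESS
"""

APP_ROOT = r"C:\Program Files\VendorApp"   # hypothetical install folder
WRITE_OPS = {"CREATE", "WRITE", "DELETE"}  # operations that change the disk


def is_under(path, root):
    """True if path is root or below it (case-insensitive, whole components)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def summarize_writes(log_text, process, app_root=APP_ROOT):
    """Group the process's write-type operations by the account that made them."""
    summary = defaultdict(lambda: {"inside": 0, "outside": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"].lower() != process.lower():
            continue  # activity from other programs is noise here
        if row["operation"].upper() not in WRITE_OPS:
            continue  # reads do not need write ACLs
        if is_under(row["path"], app_root):
            summary[row["account"]]["inside"] += 1
        else:
            summary[row["account"]]["outside"].append((row["path"], row["result"]))
    return dict(summary)


if __name__ == "__main__":
    for account, info in summarize_writes(SAMPLE_LOG, "vendorapp.exe").items():
        print(account, "writes inside app folder:", info["inside"])
        for path, result in info["outside"]:
            print("   outside:", path, "->", result)
```

An account other than the logged-on user appearing in the summary suggests the writes are made by a service account, and each "outside" entry is a location to review before tightening ACLs at the root.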