Re: Prevent Admin Logon to RWW



SuperGumby [SBS MVP] wrote:
No, the domain admin account cannot be locked out of RWW. I have raised this as an issue with MS, can't say there's been much reaction.

"spm" <nospam@xxxxxxxxxxxxxxxxxx> wrote in message news:xn0emr386aln2g000@xxxxxxxxxxxxxxxxxxxxx
Is there a way to prevent the sbs2k3 administrator from logging on via
RWW? I want to allow domain users to log on via RWW, but not the domain
admin, for reasons of security.


To avoid confusion here, it's the built-in one that can't be locked
out. The best you can do is to put an enormous and computationally
unbreakable password on it, write it down, put it in a locked cash
box in a locked company safe and never use it. Having made a couple
of domain admins first, of course.

I've said before that I also disagree with MS on this. They say it is
to make sure that you can never be locked out of a server. I'd agree
that this is the reason, and it's also the reason many people won't
hang the WAN NIC of a Microsoft product directly onto the Internet.
I'm sure there are also more subtle ways into Windows, but this is an
obvious one. Personally, given the choice of travelling to fix a
server I'm locked out of, or rebuilding it after it's been cracked,
I'd prefer the former.

My preference is not to lock out the domain admins from RWW, but to
open RWW only via VPN and not to allow the admins to remote in. It's a
bit slower, but not much. That way, you can still do remote admin work
on workstations (I also don't allow admin TS except over VPN) but only
after supplying two passwords, the second after you're connected and
being logged by both firewall and SBS. The bigger the glare of the
spotlight the cracker has to operate in, and the more machines he has
to compromise to cover his tracks, the better. Oh, and the firewall also
logs to a third machine running a syslog daemon.
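The point of the post is that the built-in Administrator cannot be kept out of RWW, so the remaining control is to watch for it in the records the firewall and SBS forward to the syslog box. Below is an added example, not from this thread and not a Microsoft tool: a small Python detector over constructed syslog-style logon records that flags remote logons (RWW, TS, VPN) by the built-in account. It keys on the account's SID rather than its name, because the built-in Administrator carries the well-known relative identifier 500 even after a rename. The record layout, the field names (result, user, sid, src, via), the hostnames and the domain SID are all assumptions made up for the example; a real forwarder's format will differ and the parser would need adjusting.

```python
"""Flag remote logons by the built-in Administrator account (RID 500).

Added example for this thread, not part of it. The log layout below is a
constructed syslog-style format with hypothetical field names; adjust the
parser for whatever your forwarder actually emits.
"""
import re
from typing import Dict, List, Optional

# Well-known relative identifier of the built-in Administrator account.
# It survives renaming, so detection keys on it rather than on the name.
BUILTIN_ADMIN_RID = 500

# Remote entry paths the thread talks about; console logons are not remote.
REMOTE_PATHS = {"rww", "ts", "vpn"}

# Constructed sample of what the third-box syslog daemon might hold once
# SBS and the firewall forward their logon records to it. Hostnames, IPs
# (documentation ranges) and the domain SID are made up. The built-in
# account has been renamed to "svcbackup" in this sample on purpose.
SAMPLE_LOG = """\
Mar 03 21:14:02 sbs01 logon: result=success user=jsmith sid=S-1-5-21-1004336348-1177238915-682003330-1109 src=203.0.113.7 via=rww
Mar 03 21:15:44 sbs01 logon: result=success user=svcbackup sid=S-1-5-21-1004336348-1177238915-682003330-500 src=203.0.113.7 via=rww
Mar 03 21:16:10 sbs01 logon: result=failure user=svcbackup sid=S-1-5-21-1004336348-1177238915-682003330-500 src=198.51.100.23 via=rww
Mar 03 21:17:31 sbs01 logon: result=success user=admin.dan sid=S-1-5-21-1004336348-1177238915-682003330-1110 src=10.0.0.5 via=ts
Mar 03 21:18:05 fw01 vpn: result=success user=mchen src=192.0.2.44 via=vpn
Mar 03 21:19:12 sbs01 logon: result=success user=svcbackup sid=S-1-5-21-1004336348-1177238915-682003330-500 src=10.0.0.20 via=console
"""

_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+): (?P<rest>.*)$"
)
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog-style line into a dict; None if it does not match."""
    m = _HEADER.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prog": m.group("prog")}
    rec.update(_FIELD.findall(m.group("rest")))
    return rec


def rid_of(sid: Optional[str]) -> Optional[int]:
    """Return the relative identifier of a domain SID (S-1-5-21-...-RID)."""
    if not sid or not sid.startswith("S-1-5-21-"):
        return None
    try:
        return int(sid.rsplit("-", 1)[1])
    except ValueError:
        return None


def is_builtin_admin(rec: Dict[str, str]) -> bool:
    """True when the record's SID ends in the built-in Administrator RID."""
    return rid_of(rec.get("sid")) == BUILTIN_ADMIN_RID


def builtin_admin_remote_logons(log_text: str) -> List[Dict[str, str]]:
    """Alerts for every remote logon attempt (success or failure) by RID 500.

    Failures are included because the built-in account cannot be locked out,
    so a run of failures is the only trace a password-guessing run leaves.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("via") not in REMOTE_PATHS:
            continue
        if is_builtin_admin(rec):
            alerts.append({k: rec.get(k, "") for k in ("ts", "host", "user", "src", "via", "result")})
    return alerts


def name_based_hits(log_text: str) -> int:
    """Count what a naive rule keyed on the literal name 'administrator' sees."""
    return sum(
        1 for line in log_text.splitlines()
        if (rec := parse_record(line)) is not None
        and rec.get("via") in REMOTE_PATHS
        and rec.get("user", "").lower() == "administrator"
    )


if __name__ == "__main__":
    for a in builtin_admin_remote_logons(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']}: built-in admin (as {a['user']}) via {a['via']} "
              f"from {a['src']} [{a['result']}]")
    print("name-based rule would have seen:", name_based_hits(SAMPLE_LOG))
```

Run as a script it prints the two flagged records: the renamed built-in account arriving over RWW, once successfully and once as a failed attempt. A rule matching the name "Administrator" sees nothing in the same sample, which is why the SID suffix, not the name, is the thing to key on.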