Re: Prevent Admin Logon to RWW



It should be a simple matter, 'Do not allow 'Administrator' to logon from
outside our local subnet'. I adhere to this principle in all other items.
'Administrator' does not have RRAS rights; if I wish to VPN to a server I do
so using a less privileged account. I may then use the VPN to RDP as
'Administrator', OR since the introduction of RWW RDP Proxy I would prefer
to first 'Connect to my computer at work' as a non-privileged user and then
RDP to the server with elevated privileges.

I consider the fact that _ALL_ SBS2003 systems suffer from this obvious
security issue a 'problem'.

"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:e5btmo$b5s$1$8300dec7@xxxxxxxxxxxxxxxxxxx
SuperGumby [SBS MVP] wrote:
No, the domain admin account cannot be locked out of RWW. I have raised
this as an issue with MS, can't say there's been much reaction.

"spm" <nospam@xxxxxxxxxxxxxxxxxx> wrote in message
news:xn0emr386aln2g000@xxxxxxxxxxxxxxxxxxxxx
Is there a way to prevent the sbs2k3 administrator from logging on via
RWW? I want to allow domain users to logon via RWW, but not the domain
admin, for reasons of security.


To avoid confusion here, it's the built-in one that can't be locked
out. The best you can do is to put an enormous and computationally
unbreakable password on it, write it down, put it in a locked cash
box in a locked company safe and never use it. Having made a couple
of domain admins first, of course.

I've said before that I also disagree with MS on this. They say it is
to make sure that you can never be locked out of a server. I'd agree
that this is the reason, and it's also the reason many people won't
hang the WAN NIC of a Microsoft product directly onto the Internet.
I'm sure there are also more subtle ways into Windows, but this is an
obvious one. Personally, given the choice of travelling to fix a
server I'm locked out of, or rebuilding it after it's been cracked,
I'd prefer the former.

My preference is not to lock out the domain admins from RWW, but to
open RWW only via VPN and not to allow the admins to remote in. It's a
bit slower, but not much. That way, you can still do remote admin work
on workstations (I also don't allow admin TS except over VPN) but only
after supplying two passwords, the second after you're connected and
being logged by both firewall and SBS. The bigger the glare of the
spotlight the cracker has to operate in, and the more machines he has
to compromise to cover his tracks, the better. Oh, and the firewall also
logs to a third machine running a syslog daemon.
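Both the rule stated at the top of this thread ('Administrator' must not logon from outside the local subnet) and Joe's point about having the SBS box log every remote admin session come down to the same check: was the built-in Administrator account used from a non-local address? The following is an added example, not code from either poster or from SBS 2003 itself, showing that check as detection logic run over constructed logon records. It assumes a hypothetical export format (EventID/User/SID/LogonType/Source fields on one line), a LAN of 192.168.16.0/24, and the Windows 2003 event IDs 528/540 for successful logons; everything else is this example's own.

```python
"""Flag successful logons by the built-in Administrator (RID 500) that
originate outside the local subnets.  Added example; the event lines below
are constructed, not real SBS 2003 security-log output."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the office LAN is 192.168.16.0/24 (SBS 2003's default range).
# Loopback is treated as local so console logons on the server itself pass.
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.168.16.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Windows 2003 security event IDs for a successful logon (528) and a
# successful network logon (540).  529 is a failed logon and is ignored here.
SUCCESS_EVENTS = {528, 540}

# Constructed sample records.  The field names and one-line layout are this
# example's own; logon type 10 is Terminal Services / RDP, 3 is network.
# Note the fourth line: the built-in account has been renamed to 'boss' but
# still carries RID 500, and the fifth line is a delegated admin (RID 1200).
SAMPLE_EVENTS = """\
EventID=528 User=CONTOSO\\Administrator SID=S-1-5-21-111-222-333-500 LogonType=10 Source=192.168.16.42
EventID=528 User=CONTOSO\\Administrator SID=S-1-5-21-111-222-333-500 LogonType=10 Source=203.0.113.45
EventID=540 User=CONTOSO\\jsmith SID=S-1-5-21-111-222-333-1105 LogonType=3 Source=198.51.100.7
EventID=528 User=CONTOSO\\boss SID=S-1-5-21-111-222-333-500 LogonType=10 Source=203.0.113.45
EventID=528 User=CONTOSO\\helpdesk SID=S-1-5-21-111-222-333-1200 LogonType=10 Source=203.0.113.45
EventID=529 User=CONTOSO\\Administrator SID=- LogonType=10 Source=203.0.113.45
"""

EVENT_RE = re.compile(
    r"EventID=(?P<event>\d+) User=(?P<user>\S+) SID=(?P<sid>\S+) "
    r"LogonType=(?P<ltype>\d+) Source=(?P<src>\S+)"
)


@dataclass
class Finding:
    user: str
    source: str
    logon_type: int
    reason: str


def is_builtin_admin(user: str, sid: str) -> bool:
    """True for the built-in Administrator.  Match on the SID first: the
    account keeps RID 500 even when renamed, so a name check alone misses a
    renamed account.  Fall back to the name when no SID was recorded."""
    if sid.startswith("S-1-5-21-") and sid.endswith("-500"):
        return True
    return user.split("\\")[-1].lower() == "administrator"


def is_local(src: str) -> bool:
    """True when the source address lies inside one of LOCAL_SUBNETS.
    Anything unparseable is treated as non-local so it is not silently passed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_SUBNETS)


def scan(text: str) -> list:
    """Return one Finding per successful built-in-Administrator logon whose
    source is outside the local subnets.  Failed logons and other accounts
    are not reported by this rule."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or int(m["event"]) not in SUCCESS_EVENTS:
            continue
        if not is_builtin_admin(m["user"], m["sid"]):
            continue
        if is_local(m["src"]):
            continue
        findings.append(Finding(
            user=m["user"],
            source=m["src"],
            logon_type=int(m["ltype"]),
            reason="built-in Administrator (RID 500) logon from outside local subnets",
        ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT {f.user} from {f.source} (logon type {f.logon_type}): {f.reason}")
```

Run against the constructed records this reports two logons: the real 'Administrator' from 203.0.113.45 and the renamed RID-500 account 'boss' from the same address. The delegated 'helpdesk' account from outside is deliberately not flagged, which matches the practice described above of remoting in as a less privileged account and elevating only once inside; the SID check is what keeps a rename of the built-in account from defeating the rule.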




