Re: Remote access to member server



As this is just a short-term issue (once the upgrades are done I will turn
off access) I kind of wanted to avoid making too many changes.

In the end this worked:

1) Create a new "mobile" user for the contractor, no email.
2) Remove the "Domain User" group from the user (leave others for now).
3) Restrict the new user's "Log On To... " rights to just SBS (for RWW) and
the member TS.
4) Add this user as an administrator on the member TS server.

With this setup the contractor uses the RWW screen and logs in with their
login. They then use the "Connect to my company's application-sharing
server" link to log on to the member terminal server with the same login. On
this setup the HISERVER isn't shown and they can't use their login to log in
to any other PCs, so I think it's fairly secure. I do trust this contractor
(you are all trustworthy, right? ;-) ), so I'm not too worried. Once the job
is done I'll disable the user until it's needed again.

--
Allan Williams
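
An added example, not part of the original post: a read-back check that an account set up as in steps 1 to 3 above is still restricted the way the post describes. It assumes the ActiveDirectory PowerShell module can reach the domain; the account name `mobile-contractor` and the computer names `SBS01` and `TS01` are placeholders, and step 4 (local administrator on the TS) is not checked here.

```powershell
# Added example: audit a contractor account against the restrictions in the post.
# Assumed names (not from the thread): 'mobile-contractor', 'SBS01', 'TS01'.
Import-Module ActiveDirectory

function Test-ContractorAccount {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $AllowedComputers
    )

    $u = Get-ADUser -Identity $SamAccountName `
        -Properties LogonWorkstations, MemberOf, PrimaryGroup, EmailAddress

    # "Log On To..." is stored as a comma-separated string; empty means all computers.
    $logOnTo = @()
    if ($u.LogonWorkstations) {
        $logOnTo = @($u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
    }
    $extra = @($logOnTo | Where-Object { $AllowedComputers -notcontains $_ })

    # MemberOf does not list the primary group, so add it before resolving names.
    $groupDns = @($u.MemberOf) + @($u.PrimaryGroup) | Where-Object { $_ }
    $groups   = @($groupDns | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    [pscustomobject]@{
        Account             = $u.SamAccountName
        Enabled             = $u.Enabled
        HasEmail            = [bool]$u.EmailAddress                # step 1: no email
        InDomainUsers       = ($groups -contains 'Domain Users')   # step 2 (standard group name)
        LogOnToUnrestricted = ($logOnTo.Count -eq 0)               # step 3 not applied at all
        UnexpectedComputers = $extra                               # step 3 wider than intended
        Groups              = $groups
    }
}

Test-ContractorAccount -SamAccountName 'mobile-contractor' -AllowedComputers 'SBS01', 'TS01'

# When the job is done, as the post describes, disable the account until it is needed again:
# Disable-ADAccount -Identity 'mobile-contractor'
```

A result with `LogOnToUnrestricted` true or a non-empty `UnexpectedComputers` means the account can log on to more machines than the SBS and the member TS.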



"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in message
news:ezAb2U63HHA.484@xxxxxxxxxxxxxxxxxxxxxxx
Hi Al:

Given the restrictions you need / want to apply to this user, I am
thinking along these lines.

Give the user Local Admin Rights and Log On Remotely Rights on the TS.
Deny Logon Remotely on the SBS.

Then:

What would happen if there were two NICs in the TS, the second connected to
and pointed to the router, and you opened the VPN ports on your router and
pointed them to the second NIC in the TS to keep him from passing through the
SBS? Probably requires you to configure RRAS on the TS?

He could then RDP to the TS without touching the SBS.

Or, perhaps, you could just deny this account logon remotely rights on the
SBS server, but allow him those rights on the TS?

He could then RDP to the TS, but he would be denied if he tried to RDP to
the SBS.

Larry


"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:%23qK3a203HHA.3940@xxxxxxxxxxxxxxxxxxxxxxx
He needs to have administrator rights on the member terminal server to
run some LOB utilities - nothing else (i.e. no access to the SBS server or
the user desktops). The problem is I can't figure out a way to let
him use RWW/Connect to Server Desktops without giving him full domain
access.

--
Allan Williams



"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
message news:%23JtDTqq3HHA.600@xxxxxxxxxxxxxxxxxxxxxxx
Hi:

Did not read the thread that Merv posted, so this may have been covered.

First, seems to me that once the LOB person is connected to anything on
your LAN, you have exposed your entire network to him. Browse Network
Neighborhood???

Second, he will need access, so either he is a 'user' or he is an
administrator. If he poses as one of the existing users, you won't need
a license for him, but you will want to change password after he is
done?

Third: have not tried this with SBS2003 as the front end, but for years
we VPN'd to the SBS 2000 servers, then RDP to the ip of our choice,
either the ip of the SBS or the IP of the TS. You might could keep the
LOB guy from logon to any system but the TS with policies for that user?

Larry


"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:Oc5xfcq3HHA.5740@xxxxxxxxxxxxxxxxxxxxxxx
Take a look at this thread Al...

SBS 2003 and ISA 2004, publish TS Server
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/f6e4d5e6ad382c4f/6d6db9c2395c8fc8?lnk=st&q=rww+isa+2004+terminal+server&rnum=1&hl=en#6d6db9c2395c8fc8

--
Merv Porter [SBS-MVP]
============================

"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:uYTsJJq3HHA.5984@xxxxxxxxxxxxxxxxxxxxxxx
What about outside of RWW - does anything exist to just go to the
remote login for that server?

The member server is a terminal server, so I suppose I should be able
to set it up for remote users to login to directly but I'm not sure
how (currently it is for internal LAN use only).

Thx

--
Allan Williams



"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OLhuCdp3HHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
Hi Al,

Unfortunately, per user restrictions can't be done within RWW. Now,
if you want to always restrict access for that user (both when on
the LAN and when using RWW), you can use:

Server Management | Standard Management | Users | (rt click) the user
account | Properties | Account (tab) | Log On To... | The Following
Computers...

Then add the target member server to the list AND also add the SBS
server. You need the SBS server specified so that the user can
authenticate to the server when logging into RWW (however, he will
not be able to log onto the SBS server itself).

The user will "see" all workstations (and the member server) in the
RWW list of computers, but will only be able to log onto the member
server itself.

--
Merv Porter [SBS-MVP]
============================

"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:e5htnBo3HHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
We have a contractor who needs remote access to a Windows 2003
member server in our SBS 2003 Premium network to do some short-term
maintenance on a LOB application we run on it. I know I can get him
remote access via the remote web workplace (access server desktops)
but is there any way to just give him access to just the member
server directly without using RWW? I don't really want to expose the
RWW interface to our entire system to them if I don't have to.

Thanks.

--
Allan Williams

















