Re: Allow User Interactive Login to Server



In article <SCxhj.30393$L27.1103@xxxxxxxxxxxxxxxxxxxxxx>, dhdavis1@bellsouth.net says...

We have a customer running SBS 2003 Premium R2. We installed a client/server
accounting package. At vendor recommendation we installed the client-side app
and a server-side management tool on the server too. The tool is used to
manage the accounting database, backups, etc. The client app is there in case
the network goes down and they must have access to their accounting data
anyway. The accounting app is maintained by their CPA, an outside firm. I need
to protect the administrator password. The CPA wants to be able to log in
interactively at the server to run the management tool and to open a
specific folder to check database backup results. Also he might need to run
the client app on occasion. How can I set up a user account for him that
will allow him to log in interactively and be restricted to the specific
tasks he needs to perform? It would be good if he could also use Remote
Desktop to do these tasks. I have never set up a user to log in to
the server before and have a real security concern.

Your concerns are justified.

Out of the box, SBS only allows users with administrative rights to
log on locally to the server. Power Users can log in remotely but get
only a stripped-down version of Server Management, which restricts them
to a subset of administrative functions, like resetting passwords.

Frankly, that's the way it should be. I would be EXTREMELY leery of
letting anyone except the administrator log on to the server. You never
know what mischief they might get into, even - perhaps ESPECIALLY -
accidentally.

The rationale here ("The client app is there in case the network goes
down and they must have access to their accounting data anyway.") is, in
my opinion, very weak. If that's really an issue, make sure all the
network components are of high-quality and keep some spare components
(NIC, switch, etc.) on-site.

If the client insists on pursuing this approach, I would absolutely
demand that they - and probably the CPA firm as well - sign a
disclaimer. Once someone else has local server access, all bets are off
and you can no longer ensure the condition of the server. I'm serious.
If this were my client and they refused to sign a disclaimer, I would
terminate the relationship. I am not a lawyer, but to do otherwise, it
seems to me, is to expose yourself to a lot of potential liability.

-- Owen Williams (SBS MVP)
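The reply above rests on who the local security policy actually grants the "log on locally" and Terminal Services logon rights to. The script below is an added example, not code from either poster: it exports the server's user-rights assignments with secedit.exe and lists the resolved principals behind the logon rights this thread is about, so an administrator can verify that nothing beyond the built-in administrators holds them. It assumes it runs elevated on the server and that secedit.exe is present (it ships with Windows Server 2003 and later).

```powershell
# Added example: audit which principals hold interactive and Remote Desktop
# logon rights in the local security policy. Assumes an elevated PowerShell
# session on the server and secedit.exe on the path.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The rights the thread turns on: console logon, RDP logon, and the deny form.
$watched = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
    'SeDenyInteractiveLogonRight'   = 'Deny log on locally'
}

function Resolve-Principal([string]$token) {
    # secedit writes SIDs prefixed with '*'; well-known names appear bare.
    if ($token.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $token   # unresolvable (e.g. orphaned) SID: keep it visible
        }
    }
    return $token
}

$inPrivileges = $false
foreach ($line in Get-Content $inf) {
    # Only the [Privilege Rights] section carries user-rights assignments.
    if ($line -match '^\[(.+)\]$') {
        $inPrivileges = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inPrivileges) { continue }
    if ($line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $members = $Matches[2]
    if (-not $watched.ContainsKey($right)) { continue }

    $names = $members.Split(',') |
        Where-Object { $_.Trim() } |
        ForEach-Object { Resolve-Principal $_.Trim() }
    Write-Output ("{0} ({1}):" -f $watched[$right], $right)
    $names | ForEach-Object { Write-Output "    $_" }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Any account or group listed under the two "Allow" rights other than the built-in Administrators group is an interactive-logon grant the poster's concern applies to; an explicit entry under "Deny log on locally" overrides an "Allow" for the same principal.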