Re: Allow User Interactive Login to Server



What crappy accounting software is this?

Jeez, does my industry not understand security or what?

Owen Williams [SBS MVP] wrote:
In article <SCxhj.30393$L27.1103@xxxxxxxxxxxxxxxxxxxxxx>, dhdavis1@bellsouth.net says...

We have a customer running SBS 2003 Premium R2. We installed a client/server accounting package. At vendor recommendation we installed client side app and a server side management tool on the server too. The tool is used to manage the accounting database, backup, etc. The client app is there in case the network goes down and they must have access to their accounting data anyway. Accounting app is maintained by their CPA, an outside firm. I need to protect the administrator password. The CPA wants to be able to log in interactively at the server to run the management tool and to open a specific folder to check database backup results. Also he might need to run the client app on occasion. How can I set up a user account for him that will allow him to log in interactively and be restricted to the specific tasks he needs to perform? It would be good if also he could use remote desktop to do these tasks as well. I have never set up a user to log in to the server before and have a real security concern.

Your concerns are justified.

Out of the box, SBS only allows users with administrative rights to log on locally to the server. Power Users can remotely log in but get only a stripped-down version of Server Management which restricts them to a subset of administrative functions, like resetting passwords.

Frankly, that's the way it should be. I would be EXTREMELY leery of letting anyone except the administrator log on to the server. You never know what mischief they might get into, even - perhaps ESPECIALLY - accidentally.

The rationale here ("The client app is there in case the network goes down and they must have access to their accounting data anyway.") is, in my opinion, very weak. If that's really an issue, make sure all the network components are of high-quality and keep some spare components (NIC, switch, etc.) on-site.

If the client insists on pursuing this approach, I would absolutely demand that they - and probably the CPA firm as well - sign a disclaimer. Once someone else has local server access, all bets are off and you can no longer ensure the condition of the server. I'm serious. If this were my client and they refused to sign a disclaimer, I would terminate the relationship. I am not a lawyer, but to do otherwise it seems to me you are exposing yourself to a lot of potential liability.

-- Owen Williams (SBS MVP)