Re: Allow User Interactive Login to Server



BTW I "am" a CPA.

Dave Davis wrote:
Actually there is even more in the way of security that I am confronted with, but that's for a later post. Running the client app on the server is bogus. If that crisis ever did occur I would just log in for him and launch the app for him to play with. The hardware systems are all namebrand and high end (and my office door is literally 30 ft away from theirs) so that crisis is not likely anyway. I don't want anyone but admin to be able to log in remotely if I can help it. So, if they insist on him logging in to the server, what about one of the built-in accounts like server admin? If that one can only log in interactively (yes?) at least he would not have full administrator rights and he would not be able to log in remotely. And my client could see who is walking in to log in. I think the software is ok, but the vendor's configuration recommendations sure don't fit my idea of security. At this point maybe I'm looking for the least bad solution. And, I really appreciate your comments.
Dave
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message news:evzVd4%23UIHA.3568@xxxxxxxxxxxxxxxxxxxxxxx
What crappy accounting software is this?

Jeeze does my industry not understand security or what?

Owen Williams [SBS MVP] wrote:
In article <SCxhj.30393$L27.1103@xxxxxxxxxxxxxxxxxxxxxx>, dhdavis1@bellsouth.net says...

We have a customer running SBS 2003 Premium R2. We installed a client/server accounting package. At vendor recommendation we installed the client-side app and a server-side management tool on the server too. The tool is used to manage the accounting database, backup, etc. The client app is there in case the network goes down and they must have access to their accounting data anyway. The accounting app is maintained by their CPA, an outside firm. I need to protect the administrator password. The CPA wants to be able to log in interactively at the server to run the management tool and to open a specific folder to check database backup results. Also he might need to run the client app on occasion. How can I set up a user account for him that will allow him to log in interactively and be restricted to the specific tasks he needs to perform? It would be good if he could also use Remote Desktop to do these tasks. I have never set up a user to log in to the server before and have a real security concern.
Your concerns are justified.

Out of the box, SBS only allows users with administrative rights to logon locally to the server. Power Users can remotely login but get only a stripped-down version of Server Management which restricts them to a subset of administrative functions, like resetting passwords.

Frankly, that's the way it should be. I would be EXTREMELY leery of letting anyone except the administrator logon to the server. You never know what mischief they might get into, even - perhaps ESPECIALLY - accidentally.

The rationale here ("The client app is there in case the network goes down and they must have access to their accounting data anyway.") is, in my opinion, very weak. If that's really an issue, make sure all the network components are of high-quality and keep some spare components (NIC, switch, etc.) on-site.

If the client insists on pursuing this approach, I would absolutely demand that they - and probably the CPA firm as well - sign a disclaimer. Once someone else has local server access, all bets are off and you can no longer ensure the condition of the server. I'm serious. If this were my client and they refused to sign a disclaimer, I would terminate the relationship. I am not a lawyer, but to do otherwise it seems to me you are exposing yourself to a lot of potential liability.

-- Owen Williams (SBS MVP)
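The thread turns on who actually holds the "log on locally" and Remote Desktop logon rights on the server. As an added example (not from any poster in this thread), the following PowerShell script exports the local security policy with secedit.exe and lists the accounts holding those rights, flagging any that are not in an assumed baseline of Administrators and Backup Operators; it assumes PowerShell and secedit.exe are available and that it is run elevated on the server.

```powershell
# Added example: audit who can log on locally / via Terminal Services on this server.
# Assumes secedit.exe is present and the script runs elevated. Baseline SIDs below
# (Administrators S-1-5-32-544, Backup Operators S-1-5-32-551) are an assumption; adjust them.
$cfg = Join-Path $env:TEMP 'logon-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{
    'SeInteractiveLogonRight'       = 'Log on locally'
    'SeRemoteInteractiveLogonRight' = 'Log on through Terminal Services'
    'SeDenyInteractiveLogonRight'   = 'Deny log on locally'
}
$baseline = @('S-1-5-32-544', 'S-1-5-32-551')

function Resolve-Sid([string]$sid) {
    # Translate a SID to DOMAIN\Name; an unresolvable SID (e.g. a deleted account) is shown raw.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $sid }
}

foreach ($line in Get-Content $cfg) {
    # Lines in the [Privilege Rights] section look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $right   = $matches[1]
        $entries = $matches[2] -split ','
        Write-Host "`n$($rights[$right]) ($right):"
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            if ($entry.StartsWith('*')) {          # '*' prefix marks a SID; otherwise it is already a name
                $sid  = $entry.Substring(1)
                $name = Resolve-Sid $sid
            } else {
                $sid  = ''
                $name = $entry
            }
            $flag = ''
            if ($right -ne 'SeDenyInteractiveLogonRight' -and $baseline -notcontains $sid) {
                $flag = '   <-- not in baseline, review'
            }
            Write-Host "  $name$flag"
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it before and after any change for the CPA's account so the extra grant is visible and can be reviewed or revoked deliberately.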




