Re: Allow User Interactive Login to Server



Actually there is even more in the way of security that I am confronted
with, but that's for a later post. Running the client app on the server is
bogus. If that crisis ever did occur I would just log in for him and launch
the app for him to play with. The hardware systems are all name-brand and
high end (and my office door is literally 30 ft away from theirs) so that
crisis is not likely anyway. I don't want anyone but admin to be able to log
in remotely if I can help it. So, if they insist on him logging in to the
server, what about one of the built-in accounts like server admin? If that
one can only log in interactively (yes?) at least he would not have full
administrator rights and he would not be able to log in remotely. And my
client could see who is walking in to log in. I think the software is OK,
but the vendor's configuration recommendations sure don't fit my idea of
security. At this point maybe I'm looking for the least bad solution. And I
really appreciate your comments.
Dave
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:evzVd4%23UIHA.3568@xxxxxxxxxxxxxxxxxxxxxxx
What crappy accounting software is this?

Jeeze does my industry not understand security or what?

Owen Williams [SBS MVP] wrote:
In article <SCxhj.30393$L27.1103@xxxxxxxxxxxxxxxxxxxxxx>, dhdavis1
@bellsouth.net says...

We have a customer running SBS 2003 Premium R2. We installed a
client/server accounting package. At vendor recommendation we installed the
client side app and a server side management tool on the server too. The
tool is used to manage the accounting database, backup, etc. The client
app is there in case the network goes down and they must have access to
their accounting data anyway. The accounting app is maintained by their CPA,
an outside firm. I need to protect the administrator password. The CPA
wants to be able to log in interactively at the server to run the
management tool and to open a specific folder to check database backup
results. Also he might need to run the client app on occasion. How can I
set up a user account for him that will allow him to log in interactively
and be restricted to the specific tasks he needs to perform? It would be
good if he could also use remote desktop to do these tasks. I
have never set up a user to log in to the server before and have a real
security concern.

Your concerns are justified.

Out of the box, SBS only allows users with administrative rights to log on
locally to the server. Power Users can log in remotely but get only a
stripped-down version of Server Management which restricts them to a
subset of administrative functions, like resetting passwords.

Frankly, that's the way it should be. I would be EXTREMELY leery of
letting anyone except the administrator log on to the server. You never
know what mischief they might get into, even - perhaps ESPECIALLY -
accidentally.

The rationale here ("The client app is there in case the network goes
down and they must have access to their accounting data anyway.") is, in
my opinion, very weak. If that's really an issue, make sure all the
network components are of high-quality and keep some spare components
(NIC, switch, etc.) on-site.

If the client insists on pursuing this approach, I would absolutely
demand that they - and probably the CPA firm as well - sign a disclaimer.
Once someone else has local server access, all bets are off and you can
no longer ensure the condition of the server. I'm serious. If this were
my client and they refused to sign a disclaimer, I would terminate the
relationship. I am not a lawyer, but to do otherwise it seems to me you
are exposing yourself to a lot of potential liability.

-- Owen Williams (SBS MVP)
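An added example, not from anyone in this thread, that checks the point Owen makes about who may log on locally versus through Terminal Services: it exports the server's effective user-rights assignment with secedit.exe and resolves the SIDs holding each logon right to account names, so an admin can confirm that only Administrators hold "Allow log on locally" before and after creating any account for the CPA. It assumes PowerShell 2.0 or later and an elevated prompt on the server.

```powershell
# Added audit script (not from the thread). Lists which principals hold the
# interactive and remote-interactive logon rights on this server.
# Assumes: PowerShell 2.0+, run as an administrator, secedit.exe present.

$inf = Join-Path $env:TEMP 'logon-rights.inf'
# Export only the user-rights area of the effective local security policy
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is INI-style; [Privilege Rights] maps each right to a
# comma-separated list of SIDs, each prefixed with '*'.
$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

function Resolve-Sid([string]$sid) {
    # Translate an SID string to DOMAIN\Name; keep the raw SID if it no
    # longer resolves (e.g. a deleted account still listed in the policy).
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $sid
    }
}

foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+LogonRight)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $name    = $rights[$matches[1]]
        $holders = $matches[2].Split(',') | ForEach-Object { Resolve-Sid ($_.Trim().TrimStart('*')) }
        "{0}:" -f $name
        $holders | ForEach-Object { "    $_" }
    }
}

Remove-Item $inf -Force
```

On an SBS domain controller these rights come from the Default Domain Controllers Policy, so any account added to "Allow log on locally" there gains that right on the DC itself; an empty "Deny" list and an "Allow log on locally" list containing only Administrators is the out-of-the-box state Owen describes.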