Re: Allow User Interactive Login to Server

That explains a lot :.)

--
Claus
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:O8xrkgAVIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
BTW I "am" a CPA.

Dave Davis wrote:
Actually there is even more in the way of security that I am confronted
with, but that's for a later post. Running the client app on the server
is bogus. If that crisis ever did occur I would just log in for him and
launch the app for him to play with. The hardware systems are all
namebrand and high end (and my office door is literally 30 ft away from
theirs) so that crisis is not likely anyway. I don't want anyone but
admin to be able to log in remotely if I can help it. So, if they insist
on him logging in to the server, what about one of the built-in accounts
like server admin? If that one can only log in interactively (yes?) at
least he would not have full administrator rights and he would not be
able to log in remotely. And my client could see who is walking in to log
in. I think the software is ok, but the vendor's configuration
recommendations sure don't fit my idea of security. At this point maybe
I'm looking for the least bad solution. And, I really appreciate your
comments.
Dave
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:evzVd4%23UIHA.3568@xxxxxxxxxxxxxxxxxxxxxxx
What crappy accounting software is this?

Jeeze does my industry not understand security or what?

Owen Williams [SBS MVP] wrote:
In article <SCxhj.30393$L27.1103@xxxxxxxxxxxxxxxxxxxxxx>, dhdavis1@bellsouth.net says...

We have a customer running SBS 2003 Premium R2. We installed a
client/server accounting package. At vendor recommendation we
installed client side app and a server side management tool on the
server too. The tool is used to manage the accounting database, backup,
etc. The client app is there in case the network goes down and they
must have access to their accounting data anyway. Accounting app is
maintained by their CPA, an outside firm. I need to protect the
administrator password. The CPA wants to be able to log in
interactively at the server to run the management tool and to open a
specific folder to check database backup results. Also he might need
to run the client app on occasion. How can I set up a user account for
him that will allow him to login interactively and be restricted to
the specific tasks he needs to perform? It would be good if also he
could use remote desktop to do these tasks as well. I have never set
up a user to login to the server before and have a real security
concern.
Your concerns are justified.

Out of the box, SBS only allows users with administrative rights to
logon locally to the server. Power Users can remotely login but get
only a stripped-down version of Server Management which restricts them
to a subset of administrative functions, like resetting passwords.

Frankly, that's the way it should be. I would be EXTREMELY leery of
letting anyone except the administrator logon to the server. You never
know what mischief they might get into, even - perhaps ESPECIALLY -
accidentally.

The rationale here ("The client app is there in case the network goes
down and they must have access to their accounting data anyway.") is,
in my opinion, very weak. If that's really an issue, make sure all the
network components are of high-quality and keep some spare components
(NIC, switch, etc.) on-site.

If the client insists on pursuing this approach, I would absolutely
demand that they - and probably the CPA firm as well - sign a
disclaimer. Once someone else has local server access, all bets are off
and you can no longer ensure the condition of the server. I'm serious.
If this were my client and they refused to sign a disclaimer, I would
terminate the relationship. I am not a lawyer, but to do otherwise it
seems to me you are exposing yourself to a lot of potential liability.

-- Owen Williams (SBS MVP)
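Owen's point that SBS out of the box grants local logon only to administrative accounts is something you can check rather than assume. The PowerShell script below is an added example, not code from anyone in this thread: it exports the local security policy with secedit, lists who holds the "log on locally" and "log on through Terminal Services" rights (and the matching deny rights), and marks any allow-right holder other than BUILTIN\Administrators for review. It assumes an elevated prompt on the server and uses a temporary file path of its own choosing; the "review" rule is a simple heuristic, and on a domain controller the default operator groups (Server Operators, Backup Operators, etc.) will show up as expected.

```powershell
# Added example: audit which principals may log on to this server interactively.
# Assumes an elevated PowerShell session on the server; $inf is an arbitrary temp path.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The user rights the thread is about, keyed by the names secedit writes in [Privilege Rights].
$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

function Resolve-PolicyPrincipal {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-5-...; translate them to DOMAIN\Name where possible.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (e.g. a deleted account): show it raw
        }
    }
    return $Entry
}

foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $constant = $matches[1]
        $holders  = $matches[2] -split ',' | ForEach-Object { Resolve-PolicyPrincipal $_.Trim() }
        Write-Output ("{0} ({1}):" -f $rights[$constant], $constant)
        foreach ($p in $holders) {
            # Heuristic: any allow-right holder other than the local Administrators group
            # is worth a second look before letting a non-admin at the console or RDP.
            $flag = if ($constant -notlike 'SeDeny*' -and $p -ne 'BUILTIN\Administrators') { '  <-- review' } else { '' }
            Write-Output ("    {0}{1}" -f $p, $flag)
        }
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it before and after changing anything for the CPA's account: the lines marked "review" are exactly the accounts that can reach the server's desktop, which is the exposure Owen is warning about. If you do end up granting someone a console logon, the Deny rights shown here are the lever for keeping Remote Desktop closed to that account while allowing a walk-up login.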
