Re: Allow User Interactive Login to Server
- From: "Dave Davis" <dhdavis1@xxxxxxxxxxxxx>
- Date: Fri, 11 Jan 2008 18:05:55 -0600
Thanks. I've decided to be less compliant and go the consultant/advisor
route. I'm going to meet with the parties involved and see if reasonable
people can come to a reasonable compromise. If not, then maybe a written
disclaimer is in order to protect me. I'll let you know what happens.
Dave
"Claus" <cjobes@xxxxxxxxxxxxx> wrote in message
news:%23v2cr3AVIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
That explains a lot :.)
--
Claus
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:O8xrkgAVIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
BTW I "am" a CPA.
Dave Davis wrote:
Actually there is even more in the way of security that I am confronted
with, but that's for a later post. Running the client app on the server
is bogus. If that crisis ever did occur I would just log in for him and
launch the app for him to play with. The hardware systems are all
name-brand and high end (and my office door is literally 30 ft away from
theirs) so that crisis is not likely anyway. I don't want anyone but
admin to be able to log in remotely if I can help it. So, if they insist
on him logging in to the server, what about one of the built-in accounts
like server admin? If that one can only log in interactively (yes?) at
least he would not have full administrator rights and he would not be
able to log in remotely. And my client could see who is walking in to
log in. I think the software is ok, but the vendor's configuration
recommendations sure don't fit my idea of security. At this point maybe
I'm looking for the least bad solution. And, I really appreciate your
comments.
Dave
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:evzVd4%23UIHA.3568@xxxxxxxxxxxxxxxxxxxxxxx
What crappy accounting software is this?
Jeeze does my industry not understand security or what?
Owen Williams [SBS MVP] wrote:
In article <SCxhj.30393$L27.1103@xxxxxxxxxxxxxxxxxxxxxx>, dhdavis1@bellsouth.net says...
We have a customer running SBS 2003 Premium R2. We installed a
client/server accounting package. At vendor recommendation we
installed client side app and a server side management tool on the
server too. The tool is used to manage the accounting database,
backup, etc. The client app is there in case the network goes down
and they must have access to their accounting data anyway. Accounting
app is maintained by their CPA, an outside firm. I need to protect
the administrator password. The CPA wants to be able to log in
interactively at the server to run the management tool and to open a
specific folder to check database backup results. Also he might need
to run the client app on occasion. How can I set up a user account
for him that will allow him to log in interactively and be restricted
to the specific tasks he needs to perform? It would be good if also
he could use remote desktop to do these tasks as well. I have never
set up a user to log in to the server before and have a real security
concern.
Your concerns are justified.
Out of the box, SBS only allows users with administrative rights to
log on locally to the server. Power Users can remotely log in but get
only a stripped-down version of Server Management which restricts them
to a subset of administrative functions, like resetting passwords.
Frankly, that's the way it should be. I would be EXTREMELY leery of
letting anyone except the administrator log on to the server. You
never know what mischief they might get into, even - perhaps
ESPECIALLY - accidentally.
The rationale here ("The client app is there in case the network goes
down and they must have access to their accounting data anyway.") is,
in my opinion, very weak. If that's really an issue, make sure all
the network components are of high-quality and keep some spare
components (NIC, switch, etc.) on-site.
If the client insists on pursuing this approach, I would absolutely
demand that they - and probably the CPA firm as well - sign a
disclaimer. Once someone else has local server access, all bets are
off and you can no longer ensure the condition of the server. I'm
serious. If this were my client and they refused to sign a disclaimer,
I would terminate the relationship. I am not a lawyer, but to do
otherwise it seems to me you are exposing yourself to a lot of
potential liability.
-- Owen Williams (SBS MVP)
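
An added example, not part of the original thread and not written by any of its participants: one way to audit which accounts currently hold the local and remote logon rights discussed above, before and after any change made for the CPA's account. It assumes PowerShell is installed on the server and is run from an elevated prompt; the function names and the temporary file name are hypothetical, and flagging every non-Administrators holder for review is this example's own policy choice.

```powershell
# Added example: list holders of the interactive / remote logon user rights.
# Uses the built-in secedit.exe to export the effective user-rights policy.
$rights = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}
$adminsSid = '*S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as *S-1-5-...; names it could not map appear verbatim.
    if (-not $Entry.StartsWith('*S-')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry          # orphaned SID (deleted account): report as-is
    }
}

function Get-LogonRightHolders([string[]]$InfLines) {
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                New-Object PSObject -Property @{
                    Right     = $rights[$right]
                    Principal = Resolve-Principal $entry
                    # Flag any allow-right holder other than Administrators.
                    Review    = ($right -notlike 'SeDeny*') -and ($entry -ne $adminsSid)
                }
            }
        }
    }
}

# Export only the user-rights area, parse it, then delete the export.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-LogonRightHolders (Get-Content $cfg) |
    Sort-Object Right, Principal |
    Format-Table Right, Principal, Review -AutoSize
Remove-Item $cfg
```

Rows with `Review` set to True are the accounts or groups, other than Administrators, that can log on at the console or over Remote Desktop; saving the output before a change makes it easy to confirm afterwards that only the intended account was added.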