Re: user account for server (SBS 2003 Premium SP1)
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Thu, 12 Jun 2008 09:01:01 +1000
Why do you wish to have _any_ ID "permanently" logged on at the server? Most
Windows servers, and most SBS's, do not require anyone to be logged on.
"Mike in Nebraska" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23$9WvK$yIHA.1768@xxxxxxxxxxxxxxxxxxxxxxx
Interesting. I had thought I was on the right track. A powerful book I
just finished, that spurred me to act, was "Protect Your Windows Network
From Perimeter to Data", by Jesper M. Johansson and Steve Riley. Chapter 8
implied it (at least to me). I've also read both of Harry Brelsford's
books on SBS BP's, the Sam's book and MS Press's. I feel pretty sure I've
run across this in SBS blogs or SBS-related security blogs.
In any event, it feels wrong to be "permanently" logged into the server
with the Administrator account. Maybe I'm wrong. Maybe if I have the
right amount of physical and network security in place to meet or exceed
our risk analysis, then I'm okay.
Mike
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:uKoLZA$yIHA.6096@xxxxxxxxxxxxxxxxxxxxxxx
Mike in Nebraska wrote:
To answer both of you, I've read in several blogs, papers and SBS books
that the admin account should never be used for routine, day-to-day
functioning. The idea was to log in with a plain User account, use
'RunAs' when needed, etc., so that, if the server got hacked, they
wouldn't have the admin account and all its rights and privileges.
This has been routine in *nix circles for some time, but I don't think
XP/2003 is up to it. Even in Vista I've occasionally had to log off and
back on as an admin to do something, but not often, whereas XP is fairly
poor in that respect. I assume child processes are not always granted the
RunAs credentials properly. I would expect 2008 to have Vista's greatly
improved admin functionality.
Admins also do not generally have full file/folder privileges in a lot of
areas of Vista. It's necessary to take ownership to even read certain
areas, and I wouldn't be surprised if some system software reads the
privileges here and there to check. Again in *nix, some files/folders
*must* have restrictive permissions or the software that uses them
refuses to run.
Possibly I've missed it so far, but even Vista doesn't seem to have a
built-in equivalent of sudo. There's at least one third-party tool that
does it, but I don't think I'd trust something like that. sudo is a means
of pre-arranging particular combinations of permitted users and commands,
and specifying whether a user or admin password is necessary. Generally
*nix admins only ever use the root account to configure sudo for the
first time. Posting about logging on as root in a *nix newsgroup will
earn fairly sharp rebukes, and even using su (more or less opening a
command prompt with RunAs) raises eyebrows.