Re: user account for server (SBS 2003 Premium SP1)


Good to know, thanks.

"SteveB" <newsgroup@xxxxxxxxxx> wrote in message
news:eLo2rYKzIHA.1236@xxxxxxxxxxxxxxxxxxxxxxx
Yes, a server has services that are running even when you're logged off and
functions fine. There are unfortunately some oddball 3rd party programs
that don't behave properly this way and require a login. However, it's a
security risk to always be logged in.

"Mike in Nebraska" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23AexWnIzIHA.5716@xxxxxxxxxxxxxxxxxxxxxxx
This one shocks me ... I'd never heard that. You mean I can log off the
server and it still functions fully?

"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:O0zGEcBzIHA.5892@xxxxxxxxxxxxxxxxxxxxxxx
Why do you wish to have _any_ ID "permanently" logged on at the server?
Most Windows servers, and most SBS's, do not require anyone to be logged
on.

"Mike in Nebraska" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23$9WvK$yIHA.1768@xxxxxxxxxxxxxxxxxxxxxxx
Interesting. I had thought I was on the right track. A powerful book I
just finished, that spurred me to act, was "Protect Your Windows
Network From Perimeter to Data", by Jesper M. Johansson and Steve Riley.
Chapter 8 implied it (at least to me). I've also read both of Harry
Brelsford's books on SBS BP's, the Sam's book and MS Press's. I feel
pretty sure I've run across this in SBS blogs or SBS-related security
blogs.

In any event, it feels wrong to be "permanently" logged into the server
with the Administrator account. Maybe I'm wrong. Maybe if I have the
right amount of physical and network security in place to meet or
exceed our risk analysis, then I'm okay.

Mike

"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:uKoLZA$yIHA.6096@xxxxxxxxxxxxxxxxxxxxxxx
Mike in Nebraska wrote:
To answer both of you, I've read in several blogs, papers and SBS
books that the admin account should never be used for routine,
day-to-day functioning. The idea was to log in with a plain User
account, use 'RunAs' when needed, etc., so that, if the server got
hacked, they wouldn't have the admin account and all its rights and
privileges.

This has been routine in *nix circles for some time, but I don't think
XP/2003 is up to it. Even in Vista I've occasionally had to log off
and back on as an admin to do something, but not often, whereas XP is
fairly poor in that respect. I assume child processes are not always
granted the RunAs credentials properly. I would expect 2008 to have
Vista's greatly improved admin functionality.

Admins also do not generally have full file/folder privileges in a lot
of areas of Vista. It's necessary to take ownership to even read
certain areas, and I wouldn't be surprised if some system software
reads the privileges here and there to check. Again in *nix, some
files/folders *must* have restrictive permissions or the software that
uses them refuses to run.

Possibly I've missed it so far, but even Vista doesn't seem to have a
built-in equivalent of sudo. There's at least one third-party tool
that does it, but I don't think I'd trust something like that. sudo is
a means of pre-arranging particular combinations of permitted users
and commands, and specifying whether a user or admin password is
necessary. Generally *nix admins only ever use the root account to
configure sudo for the first time. Posting about logging on as root in
a *nix newsgroup will earn fairly sharp rebukes, and even using su
(more or less opening a command prompt with RunAs) raises eyebrows.
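
The kind of sudo pre-arrangement described in the last message, shown as a sudoers fragment. This is an added example, not part of the original thread; every user name, alias and command path in it is hypothetical.

```sudoers
# Constructed example: user names, aliases and command paths are hypothetical.
# Edit with `visudo`, which syntax-checks the file before saving it.

# Who: named sets of users.
User_Alias  BACKUP_OPS = alice, bob
User_Alias  WEB_OPS    = carol

# What: named sets of commands. Full paths are required; listing the
# arguments restricts the rule to exactly that invocation.
Cmnd_Alias  BACKUP  = /usr/local/sbin/run-backup
Cmnd_Alias  WEB_CTL = /usr/sbin/service apache2 restart, \
                      /usr/sbin/service apache2 status

# Default behaviour: sudo prompts for the invoking user's own password.
BACKUP_OPS  ALL = (root) BACKUP

# No password prompt for a narrow pair of commands.
WEB_OPS     ALL = (root) NOPASSWD: WEB_CTL

# For this one user, prompt for root's password instead of the user's own.
Defaults:dave  rootpw
dave        ALL = (root) /sbin/shutdown -r now

# Record every sudo invocation in a dedicated log file.
Defaults    logfile="/var/log/sudo.log"
```

Each user can check what has been arranged for them with `sudo -l`; anything not listed is refused and logged.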









