Re: Administrator rights for legacy applications


From: Graham Taylor (gt2002_at_freeuk.com)
Date: 08/05/04


Date: Thu, 5 Aug 2004 23:51:06 +0100

Vera

You miss the point. But also you highlight the point. If that makes sense!

These users have no access to the internet. At all. No email, no browsing.

Additionally - all apps are hosted on the TS. All of them.

Even if we had a separate server to run the AD... so what.

If the AD server fails - users cannot authenticate - so cannot logon to the
TS. No work.

If the TS fails - users can authenticate - but no TS to work on. No work.

The answer I know too well is to make the AD redundant as well as the TS - so
now I am looking at 4 servers not 1. I'd love to do that. But I live in an
all too real world of small business where there is no cash flow. No matter
how many arguments you can present about the downfall of their business if
the non-redundant system fails - you cannot get the investment.

But then in reality I have experienced a number of catastrophic failures in
IT systems in small business - a number of thefts and a couple of fires. The
business can cope on paper whilst you get the new kit in and working and of
course you have tape backup off site (don't you!!!??).

You cannot do more than this and as long as you explain it and ensure the
offsite rules are followed a major failure is an inconvenience not a
disaster.

Welcome to the SME world not the MS ideal. The SME market is so ridiculously
large compared to the large corporates. It sometimes feels like you are
shoehorning an MS product into an SME to make it fit. You don't need 80% of
the function or 80% of the license cost. But you do it cos it 'fits' the
other apps and removes a learning curve.

This doesn't make me angry... MS have a #1 position for a reason. They give
most ppl what they want most of the time.

Cheers
Graham

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns953CF3348CF1Everanoesthemutforsse@207.46.248.16...
> It's not a question of highly skilled, malicious users, just
> innocent users running workstation applications and browsing the
> Internet and your filesystem.
>
> Look at it this way: your users are all working interactively on
> your Domain Controller. They will surf to all kinds of malicious
> websites, try to download software, etc.
> They will need quite some permissions to be able to run
> applications at all, even if you try to lock them down as best as
> you can.
>
> Another problem is that a lot of applications are not 100% TS-
> compatible and can cause various problems on your server. If your
> TS hangs because of such an application, your whole DC is down as
> well, meaning all non-TS users are also affected.
>
> And then there's the performance impact: when you install Terminal
> Services, the internal tuning of the OS changes quite a bit. If
> the same server also is a DC, running AD, DNS and maybe more, you
> could create a serious performance problem.
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "Graham Taylor" <gt2002@freeuk.com> wrote in
> news:#sQkKzyeEHA.3028@TK2MSFTNGP12.phx.gbl:
>
> >
> > Are there any links or info as to why having a DC as a multiple
> > user workstation is a security risk?
> >
> > Would the users in question need some MS networking experience
> > to take advantage of the situation or is it a different kind of
> > exploit vulnerability?
> >
> > Regards
> > Graham
> >
> > "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> > in message
> > news:Xns953CDEA9D4C95veranoesthemutforsse@207.46.248.16...
> >> I would download FileMon and RegMon from
> >> http://www.sysinternals.com/. Run them as administrator, start
> >> a TS session as a normal user and try to run the application.
> >>
> >> FileMon and RegMon will show you all "access denied" errors
> >> that occur, so that you can give your users the necessary
> >> permissions on a file-to-file or Registry subkey basis.
> >>
> >> Even if you manage to have users run the application without
> >> making them Administrators, you still have a security problem,
> >> since you actually are using your DC as a multiple-user
> >> workstation. I would try to purchase a second server as soon as
> >> possible, and make that a dedicated TS (as a member server in
> >> your domain).
> >>
> >> --
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> --- please respond in newsgroup, NOT by private email ---
> >>
> >> "Will G" <wgrever@crcm.edu> wrote in
> >> news:#pssRcveEHA.708@TK2MSFTNGP09.phx.gbl:
> >>
> >> > I am running W2K3 standard server with Terminal Services in
> >> > application mode and this box is the only server in the
> >> > forest / domain / enterprise (my AD lingo is not what it
> >> > should be) any way, it is the only server so it is also the
> >> > one and only domain controller.
> >> >
> >> > My problem is that I have several applications on the server
> >> > that require the user to have admin rights in order for the
> >> > application to function properly. I do not want to give full
> >> > admin rights to the users when they log on to a TS session to
> >> > run these applications, but I have been unable to come up with
> >> > any other solution. My impression is that these applications
> >> > are doing something in the registry, but I am not sure.
> >> >
> >> > Is there a way to have a TS session with the user having
> >> > Administrator rights of the session but not local Admin rights
> >> > on the server itself? And would this solve my problem?
> >> >
> >> > Thank you,
> >> > Technet alias: wgrever@crcm.edu
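
Added example, not from any poster in this thread and not Sysinternals code: a PowerShell dry run of the FileMon/RegMon approach Vera describes, using a constructed Process Monitor CSV export (Process Monitor later replaced FileMon and RegMon). It keeps only the ACCESS DENIED events for the legacy application and prints the narrowest file and registry grants for a group, so users never need to be Administrators. The group CONTOSO\LegacyAppUsers, the process name legacyapp.exe and all paths are assumptions.

```powershell
# Constructed sample of a Process Monitor CSV export (default column set).
# Process name, paths and results are invented for illustration.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","legacyapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\LegacyVendor\App","ACCESS DENIED","Desired Access: Read/Write"
"10:02:11.2","legacyapp.exe","1234","RegSetValue","HKLM\SOFTWARE\LegacyVendor\App\LastRun","ACCESS DENIED","Type: REG_SZ"
"10:02:11.3","legacyapp.exe","1234","CreateFile","C:\Program Files\LegacyApp\app.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:02:11.4","legacyapp.exe","1234","CreateFile","C:\Program Files\LegacyApp\data\cache.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:02:11.5","legacyapp.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
'@

$group = 'CONTOSO\LegacyAppUsers'   # assumed domain group, not from the thread
$proc  = 'legacyapp.exe'            # assumed legacy application process name

$events = $sampleCsv | ConvertFrom-Csv
$denied = $events |
    Where-Object { $_.'Process Name' -eq $proc -and $_.Result -eq 'ACCESS DENIED' }

# Reduce the denials to distinct targets: a denied value write is granted
# at its parent key, a denied file write at the file itself.
$targets = $denied | ForEach-Object {
    if ($_.Path -like 'HK*') {
        $key = $_.Path -replace '^HKLM\\', 'HKLM:\'
        if ($_.Operation -eq 'RegSetValue') { $key = Split-Path $key -Parent }
        [pscustomobject]@{ Kind = 'Registry'; Path = $key }
    } else {
        [pscustomobject]@{ Kind = 'File'; Path = $_.Path }
    }
} | Sort-Object Kind, Path -Unique

# Print the narrow grants for review rather than applying them blindly.
foreach ($t in $targets) {
    if ($t.Kind -eq 'File') {
        "icacls `"$($t.Path)`" /grant `"$group`":(M)"
    } else {
        "`$acl = Get-Acl '$($t.Path)'"
        "`$rule = New-Object System.Security.AccessControl.RegistryAccessRule('$group','SetValue,CreateSubKey,ReadKey','Allow')"
        "`$acl.AddAccessRule(`$rule); Set-Acl '$($t.Path)' `$acl"
    }
}
```

With the sample above, the SUCCESS row is ignored and the two registry denials collapse to one grant on HKLM:\SOFTWARE\LegacyVendor\App, leaving three targets to review before any ACL is changed.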


