How to Create Restricted User at the Win2K3 DOMAIN Controller

Posted by Barun Kumar Tiw on August 14, 2007, 2:00 am
Hello all,

I am a new guy and it's my first job as a System Manager of a Windows 2003
Server Domain with Windows XP Clients. I want to create a Secondary Logon
(User) at the Windows 2003 Domain Controller (apart from Domain
Administrator) who should have ONLY the below mentioned Rights:

PART: A
1. Can Logon at the Domain Controller / Server and from any of the Client
Systems.
2. Should only be able to Restart and Shut Down the Server.
3. Should not be able to Start any Application, specially SQL Server
Enterprise Manager / Query Analyzer at any cost at the Server.
4. Should not be able to Install any Program at the Server or at the Clients.

PART: B
1. Apart from the above rights (with a little change in point no 3 above), is
it possible to allow this user to start SQL Enterprise Manager or Query
Analyser for Backing up Databases only? That is, He should not be able to
Create, Drop, Modify, Insert or Update Databases.

Any help is highly appreciated. With regards,

Barun Kumar Tiwari
New Delhi, India.


Posted by Dana Epp [Security MVP] on August 24, 2007, 1:21 am
Hey there!

You are asking a lot of different questions. However, they all root back to
controlling access policies.

As an example, you could create a Security Group called "ShutdownGroup" and
create a GPO and link it to any OU containing the server(s) in question.
Then you can specify the "Shutdown the system" policy which is located in
"User Rights Assignment" for the local Policy to give this group the
privileges needed. Of course you will need to assign the user(s) you want to
have these privileges to that group.

A question I would like to pose is why you would want a person that you
cannot trust to run code to have interactive logon privileges to your domain
controller and/or SQL server in the first place. You would be far better off
using the security permissions built into SQL to allow your user to remotely
connect to the SQL server and do whatever queries and maintenance that you
want. There are built-in stored procedures in SQL like sp_grantlogin and
sp_grantdbaccess that would allow you to manage logins for users through
Windows Authentication. You can use the built-in roles and permissions to
then provide fine-grained access control to whichever databases you want
them to back up. Of course, you would be better served to have regular
automated backups so a user wouldn't even need these privileges in the first
place.

You may have a good reason to require a user to have such privilege.
However, I would recommend that you consider using least privilege here and
find ways to apply the built-in technical safeguards in AD and SQL to
restrict the privileges to the lowest set possible. There really is no
reason they need interactive logon rights for a lot of this.

---
Regards,
Dana Epp [Security MVP]
http://silverstr.ufies.org/blog/
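The SQL-side least-privilege setup Dana describes, as an added worked example (not code from either poster). It uses the SQL Server 2000-era procedures the reply names (sp_grantlogin, sp_grantdbaccess) plus the fixed database role db_backupoperator, which permits BACKUP DATABASE and BACKUP LOG but none of CREATE, DROP, ALTER, INSERT or UPDATE, which is exactly the Part B requirement. The domain `CONTOSO`, the account `BackupOperator` and the database `SalesDB` are placeholders; the "Shut down the system" user right for Part A is still assigned through the GPO as the reply explains, not from SQL.

```sql
-- Added example: grant a Windows domain account backup-only access to one
-- database. Domain, account and database names below are placeholders.
USE master;
GO
-- Create a SQL login for the domain account via Windows Authentication.
EXEC sp_grantlogin 'CONTOSO\BackupOperator';
GO

-- Give that login a user in only the database it needs to back up.
USE SalesDB;
GO
EXEC sp_grantdbaccess 'CONTOSO\BackupOperator', 'BackupOperator';
GO

-- Add the user to db_backupoperator only. This fixed role allows
-- BACKUP DATABASE / BACKUP LOG / CHECKPOINT and nothing else; because the
-- user is in no other role (db_owner, db_ddladmin, db_datawriter...), it
-- cannot create, drop or modify objects, nor insert or update data.
EXEC sp_addrolemember 'db_backupoperator', 'BackupOperator';
GO

-- Audit: list the user's effective role membership.
EXEC sp_helpuser 'BackupOperator';
GO

-- Verification from an administrator session: impersonate the restricted
-- user and confirm a backup is allowed while a DDL statement is denied.
SETUSER 'BackupOperator';
GO
-- Expected to succeed (path is a placeholder).
BACKUP DATABASE SalesDB TO DISK = 'C:\Backups\SalesDB.bak';
GO
-- Expected to fail with a CREATE TABLE permission denied error.
CREATE TABLE dbo.ShouldNotExist (id INT);
GO
SETUSER;
GO
```

Run it in Query Analyzer as a member of sysadmin; the CREATE TABLE error in the verification batch is the point of the check, and the final bare SETUSER returns the session to its original identity. Because the account's access is granted per database, it has no user in any other database and therefore cannot touch them at all, which also removes the need for the person to log on to the server interactively.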



