|
Posted by Harry on August 11, 2005, 3:21 pm
Please log in for more thread options Do I trust this person? I don't trust anyone but myself when it comes to
console access to a server, but I have no choice in this one. It's coming
from the "top brass". Yes, I am running W2k3. Thanks for the tips. I'll
test it out before turning it over to the new app. admin.
> First - do you trust them?
> There are times when vulnerabilities have existed, and likely will
> in the future again, where a key part of their exploitation is the ability
> to log in locally (or via TS / RD).
>
> You can make them a Users member only, perhaps restrict them from
> sensitive areas on the server also, and yet grant them RD login on
> the server. It sounds like this is W2k3 as you are saying RD, in which
> case just make sure use of RD login is enabled and that their restricted
> account is a member of predefined Users and of the RD login groups.
>
> When I get forced into this situation, I also configure TS on the server
> so that the RD user cannot hog the allowed RD connections - setting
> TS so that disconnected sessions are killed after a short time (hr +/-)
> and so that idle sessions are also killed after a time.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
>> I need to give someone console access to our server because one of the
>> server applications is only managable from the server. I don't want to
> make
>> the person an admin over the server, but do need to have them login via
>> remote desktop from their workstation. What is the best way to set this
> up?
>>
>>
>
>
| 
XML Sitemap