Limited interactive rights on Windows 2003 standalone server

Hi all

I have a standalone server with local accounts setup for some staff to do the following:

- Access via Remote Desktop
- Create/Delete IIS sites
- Stop and start IIS
- Stop and Start certain services like the WWW and Adobe Coldfusion or JREE services.
- Copy code to and from the Inetpub folder structure.

At the moment all the users that need to be able to do the above are in the local Administrators group, but since we've run into issues with some cowboys installing WinZip and all kinds on servers, I need to tighten this quite heavily but not cripple what they need to be able to do. As long as they can't run any dodgy scripts, install applications, etc.

Any clear instructions? I've had a rummage around the web and trawled some forums, but haven't found anything that helps me really.

Thanks people!

Managing rogue users' behaviour is never easy, administrators' discipline is always preferable, and defining 'dodgy' scripts even harder.

You could:
1) Create user accounts and place them in the Remote Desktop Users group for Remote Desktop access
2) Ensure NTFS permissions on the relevant folders allow for read/write access for these users
3) Change the permissions on the services to allow defined users to start/stop them, as here

theB0FHAuthor Commented:
Hi StinkyPete (I'm not even going to ask what that means!)

Thanks for the rapid response. That would make sense to me, and I'm trying to do the steps (1+2 is OK but I'm stuck at 3).

In John's article at step 2 he says to go to Computer Configuration/Windows Settings/Security Settings/System Services - which I don't have! See the attached jpg.

This server is standalone Windows 2003 Web Edition.

This service setting is not visible through the GUI, as the server is not in a Windows domain.

So, we need to use some command line tools. They are less user-friendly, however, but it can be achieved.

Look here for some reading on how to set this manually.

P.S. StinkyPete is the name of the Gold Prospector from ToyStory2
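Step 3 above done from the command line, as an added example that is not the thread's own code: sc.exe sdshow reads the service's security descriptor (SDDL), an allow ACE for a local group is inserted into the DACL, and sc.exe sdset writes it back. The group name WebOps, the service name W3SVC, and the presence of PowerShell on the Server 2003 box (it is an add-on there) are assumptions.

```powershell
# Added example: grant a local group start/stop rights on one service via SDDL.
# Assumes PowerShell is installed on the Server 2003 host and the script runs
# from an administrator session; group and service names are placeholders.
param(
    [string]$ServiceName = 'W3SVC',   # assumed: World Wide Web Publishing service
    [string]$GroupName   = 'WebOps'   # assumed: local group for the web staff
)

# Resolve the group to its SID so the ACE does not depend on display names.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Rights mirror what SYSTEM gets by default: query config/status (CC, LC),
# enumerate dependents (SW), start (RP), stop (WP), pause/continue (DT),
# interrogate (LO), user-defined control (CR), read the descriptor (RC).
# Deliberately absent: DC (change config), SD (delete), WD/WO (change ACL/owner).
$ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$sid)"

# 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
# sdshow prints a blank line followed by the SDDL string.
$sddl = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }
if (-not $sddl) { throw "Could not read the security descriptor for $ServiceName" }

if ($sddl -like "*$sid*") {
    Write-Host "$GroupName already has an ACE on $ServiceName; nothing changed."
    return
}

# The DACL ends where the SACL ("S:") begins; insert the new ACE there,
# or append it if the descriptor has no SACL part.
$idx = $sddl.IndexOf('S:')
if ($idx -ge 0) { $new = $sddl.Insert($idx, $ace) } else { $new = $sddl + $ace }

Write-Host "Before: $sddl"
Write-Host "After:  $new"
& sc.exe sdset $ServiceName $new
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }

# Re-read the descriptor so the change can be checked before the group is told.
& sc.exe sdshow $ServiceName
```

Record the "Before" line somewhere safe; running sc.exe sdset with it restores the original descriptor if a service stops behaving as expected.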


Any update?
theB0FHAuthor Commented:
Hi Pete

That article looks very interesting but also very dangerous! I don't have a problem with command line (in fact, I prefer it), but when you have to start dealing with decrypting descriptors and using SSIDs I get a bit nervous.

Anyway, I've not had time to test it on a non-production web server yet, but I'll update as soon as I know.

Thanks for your update.

In terms of achieving your request, the steps I have explained will do this.
However, it should be noted that this is not a common occurrence, and it's worth mentioning that using technology to prevent users from misbehaving only makes the situation, and their behaviour, worse.

Technical user discipline is always preferable to trying to lock systems down for a number of reasons:
1) There will always be something missed
2) You encourage users to believe it's not their behaviour, it's your inability to stop them
3) You actively promote the idea that technology can provide solutions to poor discipline or behaviour

Something to bear in mind.
theB0FHAuthor Commented:
Hi Pete

Definitely noted - problem is policing what people actually do and the resource that that requires. In our case (and specifically in this scenario) prevention would be better than cure. If some rogue muppet of an engineer from one of our overseas offices messes something up on a live server, it's too late to then start disciplining - damage is already done.

theB0FHAuthor Commented:
Hi Pete

I started messing around with the descriptors and SSIDs etc, but ran into problems early on - as I don't have loads of time to try and sort this out we've decided to put a domain controller in place for these standalone servers in order to be able to control the service rights better.

Thanks for your help