Solved

Limited interactive rights on Windows 2003 standalone server

Posted on 2010-04-08
Last Modified: 2013-11-21
Hi all

I have a standalone server with local accounts setup for some staff to do the following:

- Access via Remote Desktop
- Create/Delete IIS sites
- Stop and start IIS
- Stop and Start certain services like the WWW and Adobe Coldfusion or JREE services.
- Copy code to and from the Inetpub folder structure.

At the moment all the users that need to be able to do the above are in the local Administrators group, but since we've run into issues with some cowboys installing WinZip and all kinds on servers, I need to tighten this quite heavily but not cripple what they need to be able to do. As long as they can't run any dodgy scripts, install applications, etc.

Any clear instructions? I've had a rummage around the web and trawled some forums, but haven't found anything that helps me really.

Thanks people!
TB
Question by:theB0FH
8 Comments
 
LVL 6

Expert Comment

by:StinkyPete
ID: 30102382
Managing rogue users' behaviour is never easy, administrators' discipline is always preferable, and defining 'dodgy' scripts even harder.

You could:
1) Create user accounts and place in the RemoteUsers group for Remote Desktop Access
2) Ensure NTFS permissions on the relevant folders allow for read/write access for these users
3) Change the permissions on the services to allow defined users to start/stop them, as here
http://www.windowsitpro.com/article/permissions/q-how-can-i-control-how-to-stop-or-start-certain-services-.aspx


0
 

Author Comment

by:theB0FH
ID: 30128638
Hi StinkyPete (I'm not even going to ask what that means!)

Thanks for the rapid response. That would make sense to me, and I'm trying to do the steps (1+2 is OK but I'm stuck at 3).

In John's article at step 2 he says to go to Computer Configuration/Windows Settings/Security Settings/System Services - which I don't have! See the attached jpg.

This server is standalone Windows 2003 Web Edition.

TB
Picture-1.jpg
0
 
LVL 6

Accepted Solution

by:
StinkyPete earned 2000 total points
ID: 30149668
This service setting is not visible through the GUI, as the server is not in a Windows domain.

So, we need to use some command line tools. They are less user friendly however, but it can be achieved.

Look here for some reading on how to set this manually.

http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

P.S. StinkyPete is the name of the Gold Prospector from Toy Story 2
http://images1.fanpop.com/images/image_uploads/Stinky-Pete-Toy-Story-2-disney-villains-1038360_1024_576.jpg

Regards
StinkyPete
0
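
The service descriptor the accepted answer refers to is an SDDL string: `sc sdshow <service>` prints it and `sc sdset <service> <sddl>` writes it back. As an added example (not from this thread or the linked articles), the Python below decodes the ACEs of such a string and builds the version that lets one account start and stop the service; the SDDL string and the SID are constructed samples.

```python
import re

# SDDL right codes as they apply to a service object (meanings differ for files)
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read descriptor", "WD": "write DACL", "WO": "write owner",
}
# Read-only rights plus start and stop; deliberately no DC, SD, WD or WO
START_STOP = "CCLCSWRPWPLORC"
SDDL_RE = re.compile(r"^D:([A-Z]*)((?:\([^)]*\))*)(S:.*)?$")

# Constructed sample in the shape "sc sdshow <service>" prints (not from the page)
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1010"  # constructed SID

def parse_dacl(sddl):
    """Split a service SDDL string into (dacl_flags, [ace, ...], sacl_text)."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a 'D:(...)...' service descriptor")
    return m.group(1), re.findall(r"\(([^)]*)\)", m.group(2)), m.group(3) or ""

def describe(ace):
    """Decode one ACE 'type;flags;rights;object;inherit_object;trustee'."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError("an ACE has six ';'-separated fields: " + ace)
    kind, rights, trustee = fields[0], fields[2], fields[5]
    names = [SERVICE_RIGHTS.get(p, p) for p in re.findall("..", rights)]
    return {"type": {"A": "allow", "D": "deny"}.get(kind, kind),
            "trustee": trustee, "rights": names}

def grant_start_stop(sddl, sid):
    """Return sddl with one allow ACE for sid added at the end of the DACL."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError("expected a SID such as S-1-5-21-...-1010")
    flags, aces, sacl = parse_dacl(sddl)
    ace = "A;;%s;;;%s" % (START_STOP, sid)
    if ace not in aces:          # idempotent: do not add the same ACE twice
        aces.append(ace)
    # The new ACE must land before the S: (audit) section, never after it
    return "D:" + flags + "".join("(%s)" % a for a in aces) + sacl

if __name__ == "__main__":
    print(grant_start_stop(SAMPLE, SAMPLE_SID))
```

Change config (DC), write DACL (WD) and write owner (WO) are left out on purpose: an account holding any of them can reconfigure the service and is no longer limited. Keep the original `sc sdshow` output so the descriptor can be restored with `sc sdset`.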
 
LVL 6

Expert Comment

by:StinkyPete
ID: 30494317
Any update?
0
 

Author Comment

by:theB0FH
ID: 30595049
Hi Pete

That article looks very interesting but also very dangerous! I don't have a problem with command line (in fact, I prefer it), but when you have to start dealing with decrypting descriptors and using SSIDs I get a bit nervous.

Anyway, I've not had time to test it on a non-production web server yet, but I'll update as soon as I know.

Thanks
0
 
LVL 6

Expert Comment

by:StinkyPete
ID: 30617164
Thanks for your update.

In terms of achieving your request, the steps I have explained will do this.
However, it should be noted that this is not a common occurrence, and it's worth mentioning that using technology to prevent users from misbehaving only makes the situation, and their behaviour, worse.

Technical User Discipline is always preferable to trying to lock systems down for a number of reasons:
1) There will always be something missed
2) You encourage users to believe it's not their behaviour, it's your inability to stop them
3) You actively promote the idea that technology can provide solutions to poor discipline or behaviour

Something to bear in mind.
0
 

Author Comment

by:theB0FH
ID: 30617884
Hi Pete

Definitely noted - problem is policing what people actually do and the resource that that requires. In our case (and specifically in this scenario) prevention would be better than cure. If some rogue muppet of an engineer from one of our overseas offices messes something up on a live server, it's too late to then start disciplining - damage is already done.

Cheers
T
0
 

Author Comment

by:theB0FH
ID: 32126755
Hi Pete

I started messing around with the descriptors and SSIDs etc, but ran into problems early on - as I don't have loads of time to try and sort this out we've decided to put a domain controller in place for these standalone servers in order to be able to control the service rights better.

Thanks for your help
TB
0
