theB0FH

Limited interactive rights on Windows 2003 standalone server

Hi all

I have a standalone server with local accounts setup for some staff to do the following:

- Access via Remote Desktop
- Create/Delete IIS sites
- Stop and start IIS
- Stop and Start certain services like the WWW and Adobe Coldfusion or JREE services.
- Copy code to and from the Inetpub folder structure.

At the moment all the users that need to be able to do the above are in the local Administrators group, but since we've run into issues with some cowboys installing WinZip and all kinds on servers, I need to tighten this quite heavily but not cripple what they need to be able to do. As long as they can't run any dodgy scripts, install applications, etc.

Any clear instructions? I've had a rummage around the web and trawled some forums, but haven't found anything that helps me really.

Thanks people!
TB
Aaron Cumiskey

Managing rogue users' behaviour is never easy, administrator discipline is always preferable, and defining 'dodgy' scripts even harder.

You could:
1) Create user accounts and place in the RemoteUsers group for Remote Desktop Access
2) Ensure NTFS permissions on the relevant folders allow for read/write access for these users
3) Change the permissions on the services to allow defined users to start/stop them, as here
http://www.windowsitpro.com/article/permissions/q-how-can-i-control-how-to-stop-or-start-certain-services-.aspx


theB0FH

ASKER

Hi StinkyPete (I'm not even going to ask what that means!)

Thanks for the rapid response. That would make sense to me, and I'm trying to do the steps (1+2 is OK but I'm stuck at 3).

In John's article at step 2 he says to go to Computer Configuration/Windows Settings/Security Settings/System Services - which I don't have! See the attached jpg.

This server is standalone Windows 2003 Web Edition.

TB
Picture-1.jpg
ASKER CERTIFIED SOLUTION
Aaron Cumiskey
This solution is only available to members.
Any update?
theB0FH

ASKER

Hi Pete

That article looks very interesting but also very dangerous! I don't have a problem with command line (in fact, I prefer it), but when you have to start dealing with decrypting descriptors and using SSIDs I get a bit nervous.

Anyway, I've not had time to test it on a non-production web server yet, but I'll update as soon as I know.

Thanks
Thanks for your update.

In terms of achieving your request, the steps I have explained will do this.
However, it should be noted that this is not a common occurrence, and it's worth mentioning that using technology to prevent users from misbehaving only makes the situation, and their behaviour, worse.

Technical User Discipline is always preferable to trying to lock systems down for a number of reasons:
1) There will always be something missed
2) You encourage users to believe it's not their behaviour, it's your inability to stop them
3) You actively promote the idea that technology can provide solutions to poor discipline or behaviour

Something to bear in mind.
theB0FH

ASKER

Hi Pete

Definitely noted - problem is policing what people actually do and the resource that that requires. In our case (and specifically in this scenario) prevention would be better than cure. If some rogue muppet of an engineer from one of our overseas offices messes something up on a live server, it's too late to then start disciplining - damage is already done.

Cheers
T
theB0FH

ASKER

Hi Pete

I started messing around with the descriptors and SSIDs etc, but ran into problems early on - as I don't have loads of time to try and sort this out we've decided to put a domain controller in place for these standalone servers in order to be able to control the service rights better.

Thanks for your help
TB
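
The service-permission step discussed in this thread comes down to editing the service's security descriptor. As an added example (not from the thread or the linked article), this Python code decodes the DACL of a descriptor in SDDL string form, the format `sc sdshow` prints, and appends an allow ACE for one account's SID while refusing rights that would let that account reconfigure the service. The sample descriptor, the SID, the helper names and the choice of query-status/start/stop as the delegated rights are constructed assumptions.

```python
import re

# SDDL two-letter access rights as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that would let the account reconfigure, delete or re-permission the
# service (for example point it at another binary), so they are never delegated.
NEVER_DELEGATE = {"DC", "SD", "WD", "WO"}
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")  # optional flags, then the ACEs
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample values, not taken from any real server.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

def decode_dacl(sddl):
    """Return [(ace_type, [right names], trustee), ...] for the DACL's ACEs."""
    dacl = DACL_RE.search(sddl)
    if not dacl:
        raise ValueError("no DACL found in descriptor")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(2)):
        fields = body.split(";")  # type;flags;rights;object;inherited object;trustee
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        names = [SERVICE_RIGHTS.get(r, r) for r in re.findall("..", fields[2])]
        aces.append((fields[0], names, fields[5]))
    return aces

def grant(sddl, sid, rights="LCRPWP"):
    """Append an allow ACE for sid to the DACL; any SACL ('S:' part) is untouched."""
    tokens = re.findall("..", rights)
    if not SID_RE.fullmatch(sid):
        raise ValueError("expected a full SID such as S-1-5-21-...")
    if not tokens or "".join(tokens) != rights or any(
            t in NEVER_DELEGATE or t not in SERVICE_RIGHTS for t in tokens):
        raise ValueError("refusing to delegate rights %r" % rights)
    dacl = DACL_RE.search(sddl)
    if not dacl:
        raise ValueError("no DACL found in descriptor")
    end = dacl.end(2)  # the new ACE goes after the last DACL ACE, before 'S:'
    return sddl[:end] + "(A;;%s;;;%s)" % (rights, sid) + sddl[end:]

if __name__ == "__main__":
    for ace in decode_dacl(grant(SAMPLE_SDDL, SAMPLE_SID)):
        print(ace)
```

The returned string is the form `sc sdset` accepts; decoding it again before applying it shows exactly which accounts end up with which rights.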