Solved

admin'ing a windows server

Posted on 2011-03-25
Last Modified: 2012-06-27
What are common tools/software in a Windows environment for systems administrators to remotely access a Windows server for admin purposes, from their workstation? And as Windows admins, what types of day-to-day reasons would an admin need to actually log on to the server (remotely) on, say, a file server? Is it typical for, say, a file server/database server running Server 2003, that an admin or admins will log in several times per day, once per day, once per week, once in a blue moon, etc.?
Question by:pma111
17 Comments
 
LVL 2

Accepted Solution

by:
viscogel earned 50 total points
ID: 35214036
I use the admin tools pack to remote admin many of my servers.
You download it from here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 50 total points
ID: 35214046
Normally admins are lazy ;) so they use tools to do the monitoring for them.
Have a look at WWW.paesler.com/prtg or www.spiceworks.com for example.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35214056
Oops, should be www.paessler.com/PRTG
0
 
LVL 29

Assisted Solution

by:Rich Weissler
Rich Weissler earned 50 total points
ID: 35214065
Remote Access on Windows 2003: Remote Desktop.  (Or via console in my VMware Infrastructure environment.)  I frequently use Computer Manager as well, and connect to a remote machine.  (But I also run SCOM to monitor the servers, etc.)  (On my SQL servers, I have the SQL tools (Enterprise Manager/Management Studio) loaded on my workstation, which provides plenty of access to the server in the way I need.)

I connect to check logs, especially if there are problems.  Stop and restart services.  Patch existing software.  Install new software.  Giving the server a reality check for memory/popups.  I usually only need a Remote Desktop for the last two.

How often depends on the purpose of the server and 'how well it behaves'.  I have some application servers on which I have a remote desktop connection almost constantly (so daily during problems).  I have a lot of servers that I only connect to when patches are required (so once a month or so.)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35214073
Also have a look at this page: http://www.experts-exchange.com/Software/System_Utilities/Q_26748566.html?cid=748#a34841205

You don't want to be actively checking servers and stuff all day, you want them to tell you when something is going wrong......
0
 
LVL 3

Author Comment

by:pma111
ID: 35214297
When you use RDP or whatever, are you doing it from workstations with internet enabled, tools like Adobe installed, open USB ports? Or more hardened workstations? All the bad guys who have intentions of targeting servers and data target client-side apps on workstations in domains that can access these servers.
0
 
LVL 3

Author Comment

by:pma111
ID: 35214316
PS - if you do use RDP, is this enabled by default on every 2003 server?
What about Server 2008? Is there a similar tool there?
And is RDP available from XP/Vista/Win 7 workstations by default?
And can you limit who is allowed to RDP onto servers, above and beyond trusting the connection as they have the necessary password?
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 35214512
RDP on 2008, yes there is a similar port there.
RDP (tcp/3389) is only open in my environment from specific subnets, via ACLs (Access Control Lists) on the routers.
If I'm not at my desk, we use access thru a Citrix server.

If you are talking about truly remote administering systems... we also have DRACs to remote control systems... (Compaq/HP used to have Remote Insight to do the same thing... I'm assuming most of the server vendors have similar capabilities).  Our DRACs all use IP addresses that are not publicly routable, and tightly controlled at the routers.

No, I absolutely do not trust administrative management to just a single ID and password.
0
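The subnet restriction described in this answer can also be applied as a detection check over logon records, which goes one step beyond the router ACLs themselves. This is an added example, not code from the thread: the admin subnets, the normalized record layout and the sample records are all constructed, and event 528/4624 with logon type 10 is used as the marker of a successful Remote Desktop logon.

```python
import ipaddress

# Assumed admin subnets (constructed); mirror whatever the router ACLs permit.
ADMIN_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.40.16/28")]
LOGON_SUCCESS_IDS = {528, 4624}  # successful logon: Server 2003 / Server 2008 and later
REMOTE_INTERACTIVE = 10          # logon type recorded for Remote Desktop sessions

# Constructed sample records, already normalized to one dict per event.
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin1", "IpAddress": "10.20.30.15"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin1", "IpAddress": "10.50.7.99"},
    {"EventID": 528, "LogonType": 10, "TargetUserName": "backupsvc", "IpAddress": "10.20.40.33"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "admin1", "IpAddress": "10.50.7.99"},
    {"EventID": 528, "LogonType": 10, "TargetUserName": "admin2", "IpAddress": "-"},
]


def source_allowed(ip_text):
    """True only if the source parses as an IP inside an admin subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" or empty source on an RDP logon is itself unexpected
    return any(ip in net for net in ADMIN_SUBNETS)


def unexpected_rdp_logons(events):
    """Successful Remote Desktop logons whose source is outside the admin subnets."""
    return [
        e for e in events
        if e["EventID"] in LOGON_SUCCESS_IDS
        and e["LogonType"] == REMOTE_INTERACTIVE
        and not source_allowed(e["IpAddress"])
    ]


if __name__ == "__main__":
    for e in unexpected_rdp_logons(EVENTS):
        print(e["EventID"], e["TargetUserName"], e["IpAddress"])
```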
 
LVL 3

Author Comment

by:pma111
ID: 35214544
Is RDP connection from workstation to server encrypted by default?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 50 total points
ID: 35214567
No, you have to enable remote desktop services.
You could enable it remotely using wmic.

http://www.itworld.com/windows-remote-desktop-wmic-nlswindows-080212
http://www.christiano.ch/wordpress/2009/09/30/enable-rdp-remote-desktop-protocol-using-wmi-remotely/

Non-administrative users will be denied access by default unless they are members of the "Remote Desktop Users" group (local to the server or within the Domain).


You could use GPO to restrict who can connect to the server by defining a group (make sure when you set the GPO active on the server's OU that you include domain admins, local admins and the new group as the only ones who can connect via the RDP).
computer configuration
      windows settings
             security settings
                    user rights assignment
                             Allow log on through terminal services
                             Deny Log on through terminal services

You can either define who can connect or who cannot connect.  Note that if you use the deny rule, a user that is a member of several groups and one on the deny list, I think, will be denied RDP access.
Make sure, if you make changes to the allow, to include the default (administrators, remote desktop users) or they will be excluded.

0
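The two user rights named in this answer can be checked offline against a policy export, including the case of a user who is in both an allowed and a denied group (the deny right is evaluated first). This is an added example, not code from the thread: it assumes the text of a `secedit /export /cfg` file in which principals appear as SIDs, and the sample export and its `S-1-5-21-...` group SIDs are constructed.

```python
import configparser

ALLOW = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"  # "Deny log on through Terminal Services"
ADMINISTRATORS = "S-1-5-32-544"             # built-in Administrators group
RDP_USERS = "S-1-5-32-555"                  # built-in Remote Desktop Users group

# Constructed sample export. Real exports are UTF-16; decode before parsing.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1110
"""


def load_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights


def can_rdp(rights, token_sids):
    """token_sids: the user's own SID plus every group SID in the logon token."""
    token = set(token_sids)
    if rights.get(DENY, set()) & token:
        return False  # a single denied group blocks the logon
    return bool(rights.get(ALLOW, set()) & token)


def missing_defaults(rights):
    """Default principals that an edited allow list no longer contains."""
    return sorted({ADMINISTRATORS, RDP_USERS} - rights.get(ALLOW, set()))


if __name__ == "__main__":
    r = load_rights(SAMPLE_INF)
    print("defaults missing from allow list:", missing_defaults(r))
```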
 
LVL 3

Author Comment

by:pma111
ID: 35214597
arnold, when you say not, is this based on usernames/passwords. I was coming at this from the angle what if someone had compromised, say a domain admin password and wanted to use it to RDP onto the server, as opposed to which domain groups can RDP on which the right credentials
0
 
LVL 3

Author Comment

by:pma111
ID: 35214867
>>If I'm not at my desk, we use access thru a Citrix server.

Razmus, excuse my ignorance, but how is this more secure than other means?
0
 
LVL 3

Author Comment

by:pma111
ID: 35214899
>>No, I absolutely do not trust administrative management to just a single ID and password.

@Razmus, what I was getting at here was (and I haven't used RDP), but I assume you essentially interactively log on to the server using domain credentials, what I was saying is can you trust who is RDP'ing onto that server with say a domain admin set of credentials is actually an admin, or can you have a whitelist of say "admin" IP who can RDP onto Windows servers, and if anyone else tries, regardless of if they have domain username/password it blocks the connection?
0
 
LVL 3

Author Comment

by:pma111
ID: 35214912
By the way, when we say "RDP", on my XP machine, I have mstsc.exe, is that what tool we are referring to, or something else? I am pretty sure I can use mstsc.exe to access any server if I have a domain admin pwd.
0
 
LVL 76

Expert Comment

by:arnold
ID: 35215463
If someone has compromised a domain administrative account and has gained access to any system on the network, they can pretty much do anything they want without regard to what you've put in place.
I.e. an admin account is compromised and the access is gained to a Windows XP workstation (remote or local), the "logged in admin" can install tools on the workstation, i.e. adminpack, GPMC, support tools, resource kit, Sysinternals tools etc., and in short order change what restrictions you placed.

You could assign different functions to different users by using the built-in group server operators to manage the servers, account operators to manage the AD, print operators, backup operators etc.
And then use these groups to localize which groups can access which servers to do what job.
But this approach will waste an inordinate number of resources for no reason.
You could, using adminpak, allow account operators to manage the AD with a need for those users to have direct access to any server.
Many server configurations can be done without being on the server, but some can only be performed while on the server.

mstsc is the client (Terminal Services Client). RDP is the new name MS gave the tool, I think after Windows XP/Vista, as it gives the user a Remote Desktop (Protocol), as well after additional security features were added and standardized for use outside the Windows platform, i.e. on Linux, there is the tsclient application that lets a graphical Linux system access to a Windows RDP session.

This is a feature extended that was previously being provided by VNC to users who need to be able to access a system remotely.
0
 
LVL 3

Author Comment

by:pma111
ID: 35215670
Thanks. When you say you have to enable remote desktop services, are you saying on the Windows server? And it isn't turned on by default, and until it's turned on people can't RDP onto the server from their workstations?
0
 
LVL 76

Expert Comment

by:arnold
ID: 35215981
That is correct, by default remote desktop/terminal services is disabled unless the server is configured as a terminal server (role), properties of my computer or computer in the Windows 2008 and you need to select the advanced settings in the left pane, remote and activate the remote access option. This will enable Administration mode which would only allow two active sessions at any one time.
 
0
