admin'ing a windows server

What are common tools/software in a Windows environment for systems administrators to remotely access a Windows server for admin purposes, from their workstation? And as Windows admins, what types of day-to-day reasons would an admin need to actually log on to the server (remotely) on, say, a file server? Is it typical for, say, a file server/database server running Server 2003, that an admin or admins will log in several times per day, once per day, once per week, once in a blue moon etc?
viscogel Commented:
I use the admin tools pack to remote admin many of my servers.
You download it from here:
Ernie Beek (Expert) Commented:
Normally admins are lazy ;) so they use tools to do the monitoring for them.
Have a look at or for example.
Ernie Beek (Expert) Commented:
Oops, should be
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
Remote Access on Windows 2003: Remote Desktop.  (Or via console in my VMWare Infrastructure environment.)  I frequently use Computer Manager as well, and connect to a remote machine.  (But I also run SCOM to monitor the servers, etc.)  (On my SQL servers, I have the SQL tools (Enterprise Manager/Management Studio) loaded on my workstation, which provides plenty of access to the server in the way I need.)

I connect to check logs, especially if there are problems.  Stop and restart services.  Patch existing software.  Install new software.  Giving the server a reality check for memory/popups.  I usually only need a Remote Desktop for the last two.

How often depends on the purpose of the server and 'how well it behaves'.  I have some application servers on which I have a remote desktop connection almost constantly (so daily during problems).  I have a lot of servers that I only connect to when patches are required (so once a month or so.)
Ernie Beek (Expert) Commented:
Also have a look at this page:

You don't want to be actively checking servers and stuff all day, you want them to tell you when something is going wrong......
pma111 (Author) Commented:
When you use RDP or whatever, are you doing it from workstations with internet enabled, tools like Adobe installed, open USB ports? Or more hardened workstations? All the bad guys who have intentions of targeting servers and data target client-side apps on workstations in domains that can access these servers.
pma111 (Author) Commented:
PS - if you do use RDP, is this enabled by default on every 2003 server?
What about Server 2008? Is there a similar tool there?
And is RDP available from XP/Vista/Win 7 workstations by default?
And can you limit who is allowed to RDP onto servers, above and beyond trusting the connection as they have the necessary password?
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
RDP on 2008, yes there is a similar port there.
RDP (tcp/3389) is only open in my environment from specific subnets, via ACLs (Access Control Lists) on the routers.
If I'm not at my desk, we use access thru a Citrix server.

If you are talking about truly remote administering systems... we also have DRACs to remote control systems... (Compaq/HP used to have Remote Insight to do the same thing... I'm assuming most of the server vendors have similar capabilities).  Our DRACs all use IP addresses that are not publicly routable, and tightly controlled at the routers.

No, I absolutely do not trust administrative management to just a single ID and password.
pma111 (Author) Commented:
Is RDP connection from workstation to server encrypted by default?
arnold Commented:
No, you have to enable remote desktop services.
You could enable it remotely using wmic.

Non-administrative users will be denied access by default unless they are members of the "Remote Desktop Users" group (local to the server or within the domain).

You could use GPO to restrict who can connect to the server by defining a group (make sure when you set the GPO active on the server's OU that you include domain admins, local admins and the new group as the only ones who can connect via RDP).
computer configuration
      windows settings
             security settings
                    user rights assignment
                             Allow log on through terminal services
                             Deny Log on through terminal services

You can either define who can connect or who cannot connect.  Note that if you use the deny rule, a user that is a member of several groups and one on the deny list, I think, will be denied RDP access.
Make sure if you make changes to the allow list, to include the defaults (administrators, remote desktop users) or they will be excluded.
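
An added example, not part of arnold's answer: the two GPO settings above are stored as the user rights `SeRemoteInteractiveLogonRight` (allow) and `SeDenyRemoteInteractiveLogonRight` (deny), which `secedit` can export for review. The sketch parses a constructed export and evaluates it for a few hypothetical group memberships; the function names and the domain group SID are assumptions made for the example.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes. S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users;
# the S-1-5-21-... SID is a made-up domain group used only for this example.
$export = @'
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

# Parse the allow/deny RDP logon rights out of the exported text.
function Get-RdpLogonRights {
    param([string]$InfText)
    $rights = @{ Allow = @(); Deny = @() }
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*Se(Deny)?RemoteInteractiveLogonRight\s*=\s*(.*)$') {
            $key = if ($Matches[1]) { 'Deny' } else { 'Allow' }
            $rights[$key] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $rights
}

# Deny is checked first, so one denied SID in the token blocks the logon
# even when another group the user belongs to is on the allow list.
function Test-RdpLogonAllowed {
    param([string[]]$TokenSids, [hashtable]$Rights)
    foreach ($sid in $TokenSids) { if ($Rights.Deny -contains $sid) { return $false } }
    foreach ($sid in $TokenSids) { if ($Rights.Allow -contains $sid) { return $true } }
    $false   # on neither list: no right to log on through RDP
}

$rights = Get-RdpLogonRights -InfText $export

# Editing the allow list replaces it, so check the default groups survived.
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    if ($rights.Allow -notcontains $sid) { Write-Warning "$sid missing from allow list" }
}

# Hypothetical tokens: user SID omitted, only group SIDs matter here.
$cases = @{
    'admin only'           = @('S-1-5-32-544')
    'admin + denied group' = @('S-1-5-32-544', 'S-1-5-21-1111111111-2222222222-3333333333-1105')
    'plain domain user'    = @('S-1-5-32-545')
}
foreach ($name in $cases.Keys) {
    '{0,-22} allowed={1}' -f $name, (Test-RdpLogonAllowed -TokenSids $cases[$name] -Rights $rights)
}
```

On a real server, replace the here-string with the contents of a fresh `secedit` export so the check reflects the policy actually applied to that machine.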

pma111 (Author) Commented:
arnold, when you say not, is this based on usernames/passwords? I was coming at this from the angle: what if someone had compromised, say, a domain admin password and wanted to use it to RDP onto the server, as opposed to which domain groups can RDP on with the right credentials.
pma111 (Author) Commented:
>>If I'm not at my desk, we use access thru a Citrix server.

Razmus, excuse my ignorance, but how is this more secure than other means?
pma111 (Author) Commented:
>>No, I absolutely do not trust administrative management to just a single ID and password.

@Razmus, what I was getting at here was (and I haven't used RDP) I assume you essentially interactively log on to the server using domain credentials. What I was saying is: can you trust that whoever is RDP'ing onto that server with, say, a domain admin set of credentials is actually an admin, or can you have a whitelist of, say, "admin" IPs who can RDP onto Windows servers, and if anyone else tries, regardless of whether they have a domain username/password, it blocks the connection?
pma111 (Author) Commented:
By the way, when we say "RDP": on my XP machine I have mstsc.exe. Is that the tool we are referring to, or something else? I am pretty sure I can use mstsc.exe to access any server if I have a domain admin pwd.
If someone has compromised a domain administrative account and has gained access to any system on the network, they can pretty much do anything they want without regard to what you've put in place.
I.e. an admin account is compromised and access is gained to a Windows XP workstation (remote or local): the "logged in admin" can install tools on the workstation, i.e. adminpack, GPMC, support tools, resource kit, Sysinternals tools etc., and in short order change what restrictions you placed.

You could assign different functions to different users by using the built-in group server operators to manage the servers, account operators to manage the AD, print operators, backup operators etc.
And then use these groups to localize which groups can access which servers to do what job.
But this approach will waste an inordinate number of resources for no reason.
You could, using adminpak, allow account operators to manage the AD with a need for those users to have direct access to any server.
Many server configurations can be done without being on the server, but some can only be performed while on the server.

mstsc is the client (Terminal Services Client). RDP is the new name MS gave the tool, I think after Windows XP/Vista, as it gives the user a Remote Desktop (Protocol) as well, after additional security features were added and standardized for use outside the Windows platform. I.e. on Linux, there is the tsclient application that lets a graphical Linux system access a Windows RDP session.

This is a feature extended that was previously being provided by VNC to users who need to be able to access a system remotely.
pma111 (Author) Commented:
Thanks. When you say you have to enable remote desktop services, are you saying on the Windows server? And it isn't turned on by default, and until it's turned on people can't RDP onto the server from their workstations?
That is correct, by default remote desktop/terminal services is disabled unless the server is configured as a terminal server (role). Go to the properties of My Computer (or Computer in Windows 2008, where you need to select the advanced settings in the left pane), then Remote, and activate the remote access option. This will enable Administration mode, which would only allow two active sessions at any one time.
Question has a verified solution.
