Solved

Sharepoint administrators - RDP access required?

Posted on 2014-01-06
Last Modified: 2014-01-09
We have just installed a SharePoint 2013 environment. To my understanding all of the sites are working with direct connection but not when using the load balancer.

Our SharePoint administrator is requesting full RDP access to the servers so that he can publish the sites.

I don't have an understanding of SharePoint so I don't know if this is true. I thought that all administration could be performed using the SharePoint Central Administration web page?

Do SP admins require RDP access to the servers?
Is IIS administration required, or can it be done using the SCA web front end?

I don't like providing RDP access to web developers, or anyone for that matter, just because they ask for it. Especially for critical systems like this one.
Question by: lltc78
5 Comments
 
LVL 29

Assisted Solution

by:QPR
QPR earned 150 total points
ID: 39760746
Admins can use Central Admin and remote PowerShell to carry out most/all? admin functions, but as an admin I couldn't be without my RDP to the box!
Access to logs, event viewers, counters, just off the top of my head, is all part of a SharePoint admin role. Lots of things can be achieved with shares/tools but not everything, I would say.
Besides that, there are things a SharePoint admin cannot do (via Central Admin) unless they (or an account they use) are a member of the local admin Windows group on the SharePoint server that hosts Central Admin.

Web Developers on the other hand (and I wear both hats so am not biased) may not require this level of access though.
They should be able to get by with network shares and the tools of their trade.
0
 
LVL 17

Expert Comment

by:Walter Curtis
ID: 39761196
What QPR says is 100% correct. The SharePoint admin is severely handicapped without access to the Central Admin server, especially during the installation and set up / configuration phase of the deployment. Domain Admin is of course not necessary, however local admin privileges on the server would be appropriate, thereby granting him remote access.

Keep in mind, the farm account and the initial installation service account must be local admin on the boxes during the installation phase, so your SharePoint admin could circumvent your restrictions and RDP with one of those accounts.

Keep him honest and grant him the access he needs to get the job done right.

Just my two cents worth...
0
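
Added example, not part of the thread: the comment above notes that the farm and installation accounts are local admins and could be used to RDP in despite a restriction on named admins. The PowerShell below filters Security event 4624 records for RemoteInteractive logons (type 10) by such accounts; the account names, server name and sample events are constructed placeholders.

```powershell
# Added example; account, server and IP values are constructed/hypothetical.
$ServiceAccounts = @('sp_farm', 'sp_install')   # assumption: your farm and setup accounts

function Get-ServiceAccountRdpLogon {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # 4624 events as XML strings
        [Parameter(Mandatory)] [string[]] $Accounts
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Flatten <Data Name="...">value</Data> pairs into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        # LogonType 10 = RemoteInteractive (a Remote Desktop session)
        if ($data['LogonType'] -eq '10' -and $Accounts -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time     = $evt.System.TimeCreated.SystemTime
                Server   = $evt.System.Computer
                Account  = $data['TargetUserName']
                SourceIp = $data['IpAddress']
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above
function New-SampleEvent($Time, $User, $Type, $Ip) {
    "<Event><System><TimeCreated SystemTime='$Time'/><Computer>SP-APP01</Computer></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$Type</Data>" +
    "<Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    (New-SampleEvent '2014-01-07T09:15:00Z' 'sp_farm' 10 '10.0.0.25'),  # RDP with the farm account
    (New-SampleEvent '2014-01-07T09:16:00Z' 'sp_farm' 5  '-'),          # ordinary service logon
    (New-SampleEvent '2014-01-07T10:02:00Z' 'jsmith'  10 '10.0.0.31')   # named admin over RDP
)
Get-ServiceAccountRdpLogon -EventXml $sample -Accounts $ServiceAccounts

# Live use (requires rights to read the Security log on the server):
#   $xml = Get-WinEvent -ComputerName SP-APP01 -FilterHashtable @{LogName='Security'; Id=4624} |
#          ForEach-Object { $_.ToXml() }
#   Get-ServiceAccountRdpLogon -EventXml $xml -Accounts $ServiceAccounts
```

On the sample data only the 09:15 `sp_farm` session is reported; the service logon and the named admin's own RDP session are ignored.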
 

Author Comment

by:lltc78
ID: 39764084
Thanks guys.

However, the way I read that is that it's a more convenient access method and not a requirement?
Logs, event viewer and counters can be checked remotely, and easily so that's not even an inconvenience in my opinion.

As a Windows administrator, I usually check those types of things remotely even though I have RDP access.

These admins have access to the SP farm administrative account, and all other SP service accounts, which is a local admin so does that mean they can do ALL the tasks via central admin with these accounts rather than RDP?

If IIS administration is required for SharePoint (?), then I don't mind allowing RDP for this administrative task. But from my own research I haven't been able to identify where IIS admin comes into it after installation. Excuse my ignorance if that is not the case, hence my posting on here.

Also, I'm not certain of their PowerShell abilities, so are there tasks that can't be done using Central Admin but can be done using another GUI within Windows rather than using remote PowerShell? If so, that's another reason for allowing RDP.

Also, I'm not referring to initial installation. That has been completed already. I'm referring to administration.

Due to the high visibility of this environment, and security requirements for the business I wanted to make sure that this is a necessity rather than nice to have just because they want to have it.
0
 
LVL 17

Accepted Solution

by:
Walter Curtis earned 150 total points
ID: 39764184
Points well made, and I agree RDP should not be necessary, but it is a good luxury to have. It is possible to connect to all components; IIS, SQL Server Management Studio, Central Administration, Remote PowerShell, Network connection to the 15 hive and so on and so forth. So RDP is not required at all so it is difficult to make a good case for it.

However, the SharePoint admin is in a position that must really be trusted. If data security is a concern, keep in mind that from Central Admin a full backup of all of your confidential data can be made and restored in a different farm overriding all security (except maybe file level security or encryption.) The same applies when access to the content databases is possible. A farm admin can make themselves a site admin of any site in the farm, again gaining access to ALL data. As mentioned, the service accounts have access to the servers at the local admin level, so any malicious activity can be carried out in those contexts by the admin even though he might not have RDP access. The point is, nothing is truly safe and not allowing RDP access does not really improve security any but it does decrease the efficiency of the SharePoint admin. The caveat here is that the SharePoint admin should have true administration experience and not just be a developer that installed SharePoint. In other words, would this person be able to administer AD, SQL or Exchange just as well as SharePoint? If not, then maybe hold back on the RDP access.

There is one part of your original post that raised a red flag. Your admin said, "Our SharePoint administrator is requesting full RDP access to the servers so that he can publish the sites."

Not sure what that means especially in conjunction with RDP access, so keep that in mind.

Hope that helps,
0
 

Author Comment

by:lltc78
ID: 39769451
Thanks SneekCo for the thorough response. That's exactly the justification I wanted.

The red flag you noted is what made me ask this question in the first place.
I appreciate your explanation above.

Cheers
0
