benc007
asked on
* Windows Server 2012 Permissions Help *
How do I set up Windows Server 2012 to give a user remote access to log on to server to do the following:
- install and configure certain programs
- access to certain folders
- set up websites
- set up new VMs
But do NOT allow the user to:
- set up FTP sites
- download files from the server
- access FTP sites so he can't upload files from the server to somewhere else
- access browsers so he can't upload files from the server to somewhere else
wow, you hire a consultant.
you may be able to get part of the way there and better responses if you break up the question into multiple posts. sorry I couldn't be of any help but wanted to offer some advice.
ASKER
The goal is to give a consultant remote access to the server, to configure the server, and set up websites, but don't allow him to download files from the server.
Very difficult (impossible) if the person has access to the folders.
ASKER
How can the remote user be set up so he can configure the server and set up websites, but he doesn't have access to certain folders?
You can use Windows Server security to prevent access to folders. But then the person won't be able to do much configuring.
ultimately it would take a lot of work and attention to detail but i think you can get close with these general directions.
1. create a group, which I will further reference as Consultant, either locally or in Active Directory if it is a domain, and add the consultant's user account.
2. add the Consultant group to remote desktop users to allow remote access
3. provide separate root folders for things you want to delegate to the consultant. for example,
e:\websites. e:\VMs. and give the Consultant group
4. delegate access in IIS by right clicking the root after opening the IIS console
5. change permissions on other sensitive folders to deny Consultants group from having access, if necessary.
with this model you still won't be giving access to install programs, but you can use third party tools to delegate access if needed without granting any kind of admin access. the point is to not make the Consultant group part of the local administrators group.
oh, and more importantly, deny mapping drives, printing, clipboard for the remote desktop connection. you can then further restrict by firewall rules to prevent outbound connections so they can't send out files via ssh, ftp, ssl, etc, to another server they own.
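Steps 1, 2, 3 and 5 of the answer above as a PowerShell sketch, added here as an example and not part of the original thread. It assumes a standalone (non-domain) server; the account name `consultant1` and the folder `E:\Sensitive` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run elevated on the Windows Server 2012 host.
$group     = 'Consultant'                 # group name used in the answer
$user      = 'consultant1'                # hypothetical local account, created beforehand
$delegated = 'E:\websites', 'E:\VMs'      # delegated roots named in step 3
$sensitive = 'E:\Sensitive'               # hypothetical folder to wall off (step 5)

# Step 1: create the local group and add the consultant's account.
net localgroup $group /add
net localgroup $group $user /add

# Step 2: a local group cannot be nested inside another local group, so on a
# standalone server add the account itself to Remote Desktop Users. With a
# domain group you would add the group instead.
net localgroup 'Remote Desktop Users' $user /add

# Step 3: create the delegated roots and grant Modify, inherited by
# subfolders (CI) and files (OI).
foreach ($path in $delegated) {
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    icacls $path /grant "${group}:(OI)(CI)M"
}

# Step 5: explicit deny on a sensitive folder. An explicit deny takes
# precedence over allow entries, including inherited ones.
icacls $sensitive /deny "${group}:(OI)(CI)F"

# Check the point the answer stresses: the account must not be a local admin.
if ((net localgroup Administrators) -contains $user) {
    Write-Warning "$user is in Administrators; the folder ACLs above will not contain it."
}

# Review the resulting ACLs.
$delegated + $sensitive | ForEach-Object { icacls $_ }
```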
ASKER
I want the user to:
1) set up a SSL certificate and a website(s) to use SSL
2) set up VMs within Windows Server 2012
If I create a Consultant group and give these users remote access and give this user access to folders (eg. e:\website) how can I prevent them from downloading files from the server and prevent them from uploading files to an outside website or server?
With remote access by default, can the user download files?
If you use "standard" hardware remote access, then the view remote is the same as the view local in terms of permissions - no difference.
If by remote access you meant Remote Desktop/Terminal Services then yes, by default the user can get files in 2 ways.
1. map their local drive through the RDP connection
2. use software while on the server to send files out, via ftp, ssh, etc to one of their own servers on the internet.
As I mentioned to take care of problem 1 you can use group policy to disable mapping of files. To take care of problem 2 is a little more complex because you have to create firewall rules that will prevent outbound connections. This will also mean forcing outbound SSL connections to be disabled. This will not block people connecting inbound via SSL to your website, but only restrict outbound SSL.
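The two mitigations described above, as an added PowerShell example that is not part of the original thread. It assumes the redirection settings are written straight to the Remote Desktop Services policy registry key instead of through the Group Policy editor, and the resolver address `192.0.2.53` is a constructed placeholder.

```powershell
# Added example (not from the thread). Run elevated on the Windows Server 2012 host.

# Problem 1: turn off RDP device redirection. These are the registry values
# behind the "Do not allow ... redirection" Remote Desktop Services policies.
# They apply to every RDP session on this machine, administrators included.
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $ts)) { New-Item -Path $ts -Force | Out-Null }
$redirection = @{
    fDisableCdm  = 1   # client drive mapping
    fDisableClip = 1   # clipboard
    fDisableCpm  = 1   # client printers
}
foreach ($name in $redirection.Keys) {
    New-ItemProperty -Path $ts -Name $name -Value $redirection[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Problem 2: make outbound traffic deny-by-default on all firewall profiles.
# Inbound rules (RDP, HTTPS to the hosted websites) are not affected.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Allow back only what the server needs. One assumed exception: DNS to an
# internal resolver (placeholder address, replace with your own).
New-NetFirewallRule -DisplayName 'Allow outbound DNS to internal resolver' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress 192.0.2.53 | Out-Null

# Verify the default action, then review the outbound allow rules that are
# still enabled: each one is a remaining path off the server.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile | Sort-Object DisplayName
```

The default outbound action is machine-wide, so updates, time sync and any domain traffic the server depends on need their own allow rules before this is enabled.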
ASKER
I was planning to use Remote Desktop / Terminal Services. How would I create firewall rules to prevent outbound connections?
Would I be able to disable outbound connections if I used TeamViewer instead of Remote Desktop / Terminal Services?
ASKER
I am not sure if I should rely on the Windows firewall.
What is a reasonably priced software firewall that you suggest for Windows Server 2012?
This kind of question would be best asked as a separate post in a category related to firewalls, although my personal thought is that the windows firewall is a great out of the box and free solution to help enforce your rules here.
If any of us experts have already assisted with the original topic it is recommended that you accept answers to close this topic.
ASKER
I appreciate your help! Thank you.
access to certain folders But do NOT allow the user to download files from the server
If the user has Read access (and not modify) they can still copy to the local machine.