Re: Account Permissions
From: Mike Coppins (mike@legolas.com)
Date: 04/29/02
Date: Mon, 29 Apr 2002 21:47:34 +0100
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>

At 29/04/2002 18:31, Bill Mote wrote:
>Background: We have our equipment hosted remotely in a data center.
>
>Question: What is the minimum account privileges/permissions/policies I can
>give to allow a data center technician to login and reboot my Windows 2000
>server? If possible I'd even restrict them to 'reboot' vs. 'shutdown', but
>that'd be gravy.
>
>The current alternative is to have the data center technician hard power the
>box. That works but it sure isn't graceful =)

Set him up with a user that has an explicit right to shut down the machine
(NT4: User Manager > User Rights; Win2k: Local Security Policy, User Rights);
set taskmgr.exe and explorer.exe permissions to either explicit deny for
that user or equivalent permissions.

Also, in user rights again, exclude the user from 'log on via network'.

It's a bit of a sticky-plaster solution, but it's quick to set up. The
user then just logs in, hits ctrl+alt+del, and selects shut down/restart
the machine. They don't have a shell, and they can't start any programs
because task manager is unavailable.

If anyone knows a better way, I'd like to know :)

--
Mike Coppins
mike@legolas.com
http://www.legolas.com/
Seeking new employment: http://www.legolas.com/mikes/cv.html
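
The three steps from the reply above, scripted for a Windows 2000 server. This is an added example, not part of the original message. Assumptions: the account name `dcreboot` is hypothetical, `ntrights.exe` from the Windows 2000 Resource Kit is on the PATH, and the script is run by a local administrator.

```bat
@echo off
rem Added example: "reboot only" account, following the steps in the reply.
rem Assumptions: dcreboot is a hypothetical account name; ntrights.exe comes
rem from the Windows 2000 Resource Kit and is on the PATH.
setlocal
set ACCT=dcreboot

rem Create the local account. The * makes net user prompt for the password
rem instead of taking it on the command line.
net user %ACCT% * /add

rem User rights: allow shutdown, refuse logon over the network.
ntrights +r SeShutdownPrivilege -u %ACCT%
ntrights +r SeDenyNetworkLogonRight -u %ACCT%

rem Explicit deny on the shell and on Task Manager.
rem /E edits the existing ACL instead of replacing it, /D adds a deny entry.
cacls "%SystemRoot%\explorer.exe" /E /D %ACCT%
cacls "%SystemRoot%\system32\taskmgr.exe" /E /D %ACCT%

rem Print the resulting ACLs so the deny entries can be checked by eye.
cacls "%SystemRoot%\explorer.exe"
cacls "%SystemRoot%\system32\taskmgr.exe"

endlocal
```

Both deny entries should appear in the printed ACLs; the user rights can be confirmed under Local Security Policy, User Rights Assignment.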