Re: Password Protected Screen Saver and Administrative Password

From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 02/10/05

    To: <tom.milliner@verizon.net>
    Date: Thu, 10 Feb 2005 09:46:01 -0800
    
    

    Services do not require a user to log on... They run in their own process
    space, with whatever credentials you specify. If your 3rd party monitoring
    solution is part of IIS, then I would be surprised if it required you to log
    on. If it does, that tells me that the monitoring portion is just a program
    that runs in user mode (thus the log on requirement.) You may have an
    option to start the monitoring program as a service though, in which case no
    log on would be required. This would be the ideal situation for you--
    particularly for a process that is designed to monitor systems. If you lost
    power, or the system were logged off, you would lose your monitoring. A
    service-based solution would obviate the need for user interaction to log on.

    If you must log on for this solution to work, think in the same way we have
    regarding the vendor-support solution. Log on as a normal user, and
    configure the monitoring software to run under that user account rather than
    the domain administrator.

    hth

    T

    ----- Original Message -----
    From: Tom Milliner
    To: 'Thor (Hammer of God)'
    Cc: focus-ms@securityfocus.com
    Sent: Wednesday, February 09, 2005 1:12 PM
    Subject: RE: Password Protected Screen Saver and Administrative Password

    Thank you. Your specific clarification and advice have been
    educational. I would like to ask you this (in relation to the
    text I put into italic below):
    When a server boots up, are all its services
    normally available to users whether I log on
    or not? I have always logged on as domain
    administrator and let the password protected
    screen-saver kick in after about 15 minutes.
    At least one of my servers (IIS running some
    kind of third party vendor monitoring software)
    does require me to log on in order for everything
    to start. Do you think I could log out and that
    all the IIS services would still be running in
    the background?
    I work by myself, and other than the community
    college classes and reading, I am on my own
    for ideas. Hence, some of the suggestions are
    "new" to me.
    Thanks in advance for your response.

    Tom Milliner, CPA, MCSE
    Director of Network Services
    MetroTex Assc of Realtors
    8201 N. Stemmons Frwy
    Dallas, TX 75247
    www.dfwrealtors.com
    mail to: tomm@dfwrealtors.com
    (214) 540-2741

    -----Original Message-----
    From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
    Sent: Wednesday, February 09, 2005 2:38 PM
    To: tom.milliner@verizon.net; focus-ms@securityfocus.com
    Subject: Re: Password Protected Screen Saver and Administrative Password

    In line:

    ----- Original Message -----
    From: "Tom Milliner" <tom.milliner@verizon.net>
    To: "'Thor (Hammer of God)'" <thor@hammerofgod.com>;
    <focus-ms@securityfocus.com>
    Sent: Wednesday, February 09, 2005 12:03 PM
    Subject: RE: Password Protected Screen Saver and Administrative Password

    > From a simplicity standpoint, it would help if there was
    > a separate and distinct screen-saver password available.
    > For instance, let's say the screen-saver is locked, but the
    > administrator is away and simply needs a consultant to
    > perform a task on the server. I'd want to give the
    > consultant a non-administrator password for that type of
    > task.

    Ain't gonna happen in the same interactive session, as it shouldn't from a
    security standpoint. The closest functionality is RunAs, which you should
    use if possible. Ideally, you would not have admin accounts logged onto the
    console in the first place on any of the other servers: you would log in and
    out as needed. Password protected screen savers are not a good replacement
    for the logon process as things like password lockout are not implemented
    there, but that's another story.
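
Added example (not part of the original message or thread): a PowerShell audit of the point made above, that a service runs under whatever credentials are configured for it, so the thing to review is each service's logon account. The sample records, the `VendorMonitor` and `VendorAgent` service names and the `EXAMPLE\...` accounts are constructed for illustration.

```powershell
# Added example, not from the thread. Classifies each service by the account
# it is configured to run as, so services running under an administrative
# user account stand out.
function Get-ServiceAccountReport {
    param(
        # Records with Name, StartMode and StartName properties.
        # Defaults to the local machine's services (Win32_Service).
        [object[]]$Service = (Get-CimInstance -ClassName Win32_Service),
        # Assumption: accounts treated as administrative in this environment.
        [string[]]$PrivilegedAccount = @('EXAMPLE\Administrator')
    )
    # Built-in service identities that need no user password or logon.
    $builtIn = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    foreach ($svc in $Service) {
        $account = [string]$svc.StartName
        if (-not $account) {
            $kind = 'Unknown'          # no logon account recorded
        } elseif ($account -match $builtIn) {
            $kind = 'BuiltIn'
        } elseif ($PrivilegedAccount -contains $account) {
            $kind = 'PrivilegedUser'   # candidate for a lower-privileged account
        } else {
            $kind = 'NamedUser'
        }
        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            Account   = $account
            Kind      = $kind
        }
    }
}

# Constructed sample records (hypothetical service and account names).
$sample = @(
    [pscustomobject]@{ Name = 'W3SVC';         StartMode = 'Auto';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'VendorMonitor'; StartMode = 'Auto';   StartName = 'EXAMPLE\Administrator' }
    [pscustomobject]@{ Name = 'VendorAgent';   StartMode = 'Manual'; StartName = 'EXAMPLE\svc-monitor' }
)

Get-ServiceAccountReport -Service $sample | Format-Table -AutoSize
```

On a server, calling `Get-ServiceAccountReport` with no arguments reads the live service configuration instead of the sample.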
