Re: Server or Service Accounts complete lockdown?
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 13 Feb 2006 22:02:22 -0700
I go by the maxim that if you cannot trust (the will or the skill of) someone
then they should never be given elevated privileges. This speaks mostly
to your saying you would grant and then remove access when rollout is
needed. That (rollout) is after all likely what caused the current situation,
and, it is quite simple to provision for future access while temporarily
granted empowerment.
One should not use the same account for services as for user access.
The devs should have had their own accounts. Hindsight, right?
Individual accounts also assist in discovering the "who done it".
As it is you need to inventory where the accounts are in use in order
to take back control over access safely.
You might want to define accounts for their purposes while you are at
it with each being minimally empowered for its purpose. Separating
into individual accounts helps remove the side-effect issues encountered
when needing to change on use, but having to consider impacts to others.
You should be able to manage a staging where the devs submit the
deltas to existing or the new in total, and this is brought up side by side
to the live for acceptance testing. Depending on whether the pre-rollout
live test targets the real or copies of (preferred) the database, then at
cut over there is likely only an edit in the global.asa and/or web.config
file for db change and then a change in the IIS manager (or publish onto
the live) for content cut over.
If the access to the SQL databases by the IIS application is not done
with a Windows integrated account you might want to ask why, what
prevents this. With use of SQL Server accounts the devs might (depends
on network filtering) be able to directly access/alter/impact the live database
from their dev machines; whereas if it is with Windows integrated then the
web application's account governs, and that is in your control with password
(potentially/ideally) unknown to the devs (give them credential for a copy of
the database, etc.).
The main task facing you at the moment is becoming certain of all places
the account you want to regain control over is utilized, and to map a plan
for what replacement accounts you want moving forward.
The pages at microsoft.com/technet/security have some guides and checklists
for both IIS and SQL.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"GaryB" <GaryB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1471D8CD-09F2-43C3-A32C-37E6C59AC920@xxxxxxxxxxxxxxxx
Hi,
I have a problem which I am hoping an expert here could assist me with. We
have a Win2003 AD server and 5 Win2000 member servers performing various
duties on the LAN. On the Win2000 servers I have an account which allows the
SQL developers to log on locally & remotely to perform tasks but need to
rescind this now due to some data deletions from SQL & file overwrites in
IIS. The developers have dev servers to work from but I think there may have
been a mix up & they copied the dev directory to live causing downtime to the
website.
Is there a best practice for me, as I know if I simply change the account
password, services will not run such as SQL2000, Veritas backup exec server
and their backup agents to name a few. I basically want these W2000 servers
locked down for anyone except the IT Director & myself as we cannot afford to
have data deleted from both drives & SQL! If they need access for website
rollouts etc we can quickly give them access & remove just as quick when they
have finished.
Any advice would be much appreciated.
G
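The inventory step the reply describes (finding every place the shared account is in use before changing its password), sketched here as an added example that is not part of the original thread. The server names and the account name are placeholders, and the script covers Windows services only; scheduled tasks, IIS application identities, connection strings and backup agent settings need their own checks.

```powershell
# Added example. $Servers and $Account are placeholders, not values from the thread.
$Servers = 'SRV01', 'SRV02'        # hypothetical member servers
$Account = 'EXAMPLE\svc-shared'    # hypothetical shared account to be retired

function Test-RunsAsAccount {
    # True when a service's StartName refers to the account. Compares only the
    # user part, case-insensitively, so DOMAIN\user, .\user and user@domain all
    # match. This can over-report (same-named local account), which is the safe
    # direction for an inventory.
    param([string]$StartName, [string]$Account)
    if (-not $StartName) { return $false }
    $short = { param($n) (($n -replace '^.*\\', '') -replace '@.*$', '').ToLower() }
    (& $short $StartName) -eq (& $short $Account)
}

function Get-ServiceAccountUsage {
    # Lists every service on each server that logs on as the given account.
    param([string[]]$ComputerName, [string]$Account)
    $dcom = New-CimSessionOption -Protocol Dcom   # assumption: older hosts lack WinRM
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -SessionOption $dcom -ErrorAction Stop
            Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction Stop |
                Where-Object { Test-RunsAsAccount $_.StartName $Account } |
                Select-Object @{ n = 'Server'; e = { $computer } },
                              Name, DisplayName, StartName, StartMode, State
        }
        catch {
            # An unreachable server is an unknown, not a clean result: report it.
            [pscustomobject]@{
                Server = $computer; Name = '<query failed>'
                DisplayName = $_.Exception.Message
                StartName = $null; StartMode = $null; State = $null
            }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

Get-ServiceAccountUsage -ComputerName $Servers -Account $Account |
    Format-Table -AutoSize
```

Any server that shows `<query failed>` has to be checked by hand before the account's password is changed or the account is disabled.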