Re: Remote Server auto login
- From: jwgoerlich@xxxxxxxxx
- Date: 16 Apr 2007 02:51:56 -0700
Hello,
The rule of thumb is that auto logon is a very bad idea. The ideal
solution is modifying your programs such that they do not require the
desktop and can be started by scheduled tasks.
Of course, IT is hardly an ideal world. I have helped clients in
similar situations before. There are a few things you can do: decrease
the likelihood of someone gaining access to the console; decrease the
scope of what someone could do once there; password protect the
console; and monitor the system for anything suspicious.
First, automatic logon means your computer's security is only as good
as its physical security. Host your server at a data center with good
locks and doors, procedures for allowing only authorized access, and a
stable trustworthy staff. Do not tell the staff, if you can help it,
about the automatic logon. Deploy the server headless (e.g., without
the monitor, keyboard, and mouse.)
Second, use a limited account. The account that automatically logs on
should be a member of the Users group only, not Power Users or
Administrators. Make certain the account does not have read access to
C:\Windows\repair. Grant whatever permissions are necessary to run the
programs but no more.
You may want to RDP onto the console as this user
(mstsc /v:computer /console). This will allow you to see what is occurring on the console
desktop session. Thus, give the user permissions to use remote
desktop.
Third, lock the computer as quickly as possible. Your programs should
still run. Configure the screen saver to come on after 10 minutes (or
less) and to require a password. This shortens the time where, after a
reboot, your server will be vulnerable.
Fourth, keep a close eye on the event logs. Unexpected shutdowns may
indicate that someone is power cycling the server in order to gain
access. Enable logging and watch for unexplained processes starting
under the console user's ID.
Hope that helps,
J Wolfgang Goerlich
On Apr 16, 3:32 am, "Mark Randall" <mar...@xxxxxxxxxxxxxx> wrote:
Hi,
I have a situation with a dedicated Windows 2003 server sitting in a data
center in the US, on it I have several programs running which are launched
on startup (login).
I was wondering what the security implications would be of rigging it to
auto-login on boot if the only access was through remote desktop.
--
- Mark Randall http://www.temporal-solutions.co.uk http://www.awportals.com
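
The event-log review suggested in the reply's fourth point, as an added example that is not part of the original thread: it flags unexpected shutdowns (System event 6008) and process-creation events (Security event 592 on Server 2003, 4688 on later Windows; both need process tracking auditing enabled) under the auto-logon account, and marks those that start within the 10-minute window before the screen saver locks the console. The CSV layout, the account name `SRV01\autologon` and the program path are assumptions made for the sample.

```python
import csv
import io
from datetime import datetime, timedelta

UNEXPECTED_SHUTDOWN = 6008     # System log: previous shutdown was unexpected
PROCESS_CREATED = {592, 4688}  # Security log: 592 on Server 2003, 4688 on later Windows

# Constructed sample export; the column layout and all names are assumptions.
SAMPLE_CSV = r"""time,event_id,user,image
2007-04-16 01:58:03,6008,,
2007-04-16 01:58:40,592,SRV01\autologon,C:\Apps\worker.exe
2007-04-16 02:03:41,592,SRV01\autologon,C:\WINDOWS\system32\cmd.exe
2007-04-16 02:04:02,592,SRV01\Administrator,C:\WINDOWS\system32\mmc.exe
2007-04-16 09:15:00,592,SRV01\autologon,C:\Apps\Worker.EXE
2007-04-16 09:20:00,592,SRV01\autologon,C:\WINDOWS\system32\net.exe
"""

def review(csv_text, console_user, expected_images, unlocked_minutes=10):
    """Return (time, kind, detail) findings for the auto-logon account."""
    expected = {p.lower() for p in expected_images}
    window = timedelta(minutes=unlocked_minutes)
    last_boot = None
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        event_id = int(row["event_id"])
        if event_id == UNEXPECTED_SHUTDOWN:
            # Logged at the next boot, so this also marks the start of the
            # period in which the console is logged on and not yet locked.
            last_boot = when
            findings.append((row["time"], "unexpected-shutdown", ""))
        elif event_id in PROCESS_CREATED:
            if row["user"].lower() != console_user.lower():
                continue  # only the auto-logon account is in scope here
            if row["image"].lower() in expected:
                continue  # one of the programs the account exists to run
            unlocked = last_boot is not None and when - last_boot <= window
            kind = "process-while-unlocked" if unlocked else "unexpected-process"
            findings.append((row["time"], kind, row["image"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CSV, r"SRV01\autologon", [r"C:\Apps\worker.exe"]):
        print(*finding, sep="  ")
```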