Re: Server Security
From: Steven Umbach (n9zrou_at_nscomcast.com)
Date: 01/22/04
- In reply to: Curtis: "Server Security"
Date: Thu, 22 Jan 2004 07:14:54 GMT
In my opinion you want accountability for administrators, and each administrator
should use his own account in the domain admins group when necessary to log onto
a server. "The" administrator account should not be used and should be given a
very long and hard-to-guess password that is kept in a safe place, because it
will be the number one target for hackers, either internal or external. Auditing
of account logon events for success and failure should be enabled in the Domain
Controller Security policy and the security logs in Event Viewer monitored.
Domain administrators should always use their regular accounts that are not in
the domain admins group for non-administrative activities and be careful that
they log onto only trusted computers with their domain administrators account
[no keyboard logger or camera watching, etc].

As far as the secretary, I think it makes sense to let him/her log onto the
computer as a regular user and give them the user right assignment in the
appropriate security policy/security settings/local policies/user rights
assignments for "shut down the system". Just make sure that if there is
sensitive information on that server, regular users do not have NTFS
permissions to it. Secretaries have a level of responsibility and trust
already, and I doubt you have much to fear letting them log onto the server
when needed.

--- Steve

"Curtis" <Curtis@oids.state.ok.us> wrote in message
news:14dc01c3e037$31a7a7c0$a301280a@phx.gbl...
> My question is, we have six remote locations, with a
> server at each location, and several servers at our main
> location. Long ago my boss set up each server with a user
> name with domain admin rights on each. We use no special
> policy for the servers. Recently we upgraded to Win2000
> servers, and I changed it to only log into the servers
> with only one user name with domain admin rights, so all
> of our servers in all of the locations use one user name.
> My boss wants to change it so we have different names at
> each location, but he only sees the difference in the log
> in name, and not the rights given. Am I correct that it
> does not matter if the server's log in name is CHEVY with
> domain admin rights or FORD with domain admin rights,
> it's the rights assigned as DOMAIN ADMIN that count? Again,
> we have NO special login or anything special with the
> servers. My boss is afraid that the one user name gives
> them the keys to the entire castle, but it's the same
> with 10 user names with Domain Admin rights. Is this
> correct?
>
> Also, what is the best way to set up a server in a remote
> location where the secretary is the only one to have the
> need to log in and restart the server? My thought is not
> to have the person log into the server but have it set
> at the "Ctrl+Alt+Del" screen, and if the server needs to
> be restarted, one should be able to press the key combo
> and choose to restart or shut down, without having to
> log in or unlock the screen to restart. Physical
> security is really not a concern. We also can connect
> through Terminal Services to administer the server, but
> at times something might happen to need someone at the
> screen?
>
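
An added example, not part of the original post or written by either poster: a small review of audited account-logon records that applies the checks the reply describes (no use of "the" Administrator account, domain admin accounts only on trusted computers, failures monitored). The CSV layout, account names, host names and threshold are all constructed assumptions, not a real Windows log format.

```python
import csv
import io
from collections import Counter

# Constructed sample: account-logon audit records exported as CSV
# (hypothetical layout, not a real Event Viewer export format).
SAMPLE_LOG = """time,account,workstation,result
2004-01-22T07:01:00,jsmith-adm,ADMINPC1,success
2004-01-22T07:05:00,Administrator,BRANCH3-PC7,failure
2004-01-22T07:05:09,Administrator,BRANCH3-PC7,failure
2004-01-22T07:05:20,Administrator,BRANCH3-PC7,failure
2004-01-22T07:06:02,Administrator,BRANCH3-PC7,success
2004-01-22T08:30:00,mjones-adm,LOBBY-KIOSK,success
2004-01-22T09:00:00,secretary1,BRANCH3-SRV,success
"""

BUILTIN_ADMIN = "administrator"  # "the" Administrator account
# Hypothetical Domain Admins members: one named account per administrator.
DOMAIN_ADMINS = {"jsmith-adm", "mjones-adm", "administrator"}
TRUSTED_HOSTS = {"ADMINPC1", "ADMINPC2"}  # hypothetical trusted admin PCs
FAILURE_THRESHOLD = 3                     # assumed alerting threshold


def review_logons(log_text):
    """Return a list of (rule, account, workstation, time) findings."""
    findings = []
    failures = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        account = row["account"].lower()
        host = row["workstation"].upper()
        if row["result"] == "failure":
            # Failure auditing: report once when an account hits the threshold.
            failures[account] += 1
            if failures[account] == FAILURE_THRESHOLD:
                findings.append(("repeated-failures", account, host, row["time"]))
            continue
        # Success auditing: any use of the built-in account is worth a look.
        if account == BUILTIN_ADMIN:
            findings.append(("builtin-admin-used", account, host, row["time"]))
        # Domain admin credentials typed on a computer outside the trusted set.
        if account in DOMAIN_ADMINS and host not in TRUSTED_HOSTS:
            findings.append(("admin-on-untrusted-host", account, host, row["time"]))
    return findings


if __name__ == "__main__":
    for finding in review_logons(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Because every finding carries an account name, the review is only useful when each administrator has a separate account; a single shared domain admin login would attribute every row to the same name.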