Re: Need help locking down a server
- From: "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx>
- Date: Thu, 14 Dec 2006 21:36:50 +0100
Hi Chris,
Only IT staff who need to administer domain controllers (physically) need
to be members of the Domain Administrators group. For everyone else it is
enough to be Administrator on the systems that they need to manage (e.g.
Exchange server). You can even limit this and delegate some other tasks
(e.g. Backup Administrators, ...).
If your question is how to limit Domain Administrators from logging on to
the Exchange server -- you can't. You simply can't limit someone who is a
Domain Administrator. Even if you deny someone the log on locally
permission, if the person is a Domain Administrator -- he/she can change
that policy at any time and allow themselves to log on to any server...
--
Mike
Microsoft MVP - Windows Security
"Chris Hall" <someone@xxxxxxxxxxxxx> wrote in message
news:e7gSEe5HHHA.3952@xxxxxxxxxxxxxxxxxxxxxxx
Greetings,
I'm looking into options to secure our mail server (Exchange 2003 on Windows
2003). We have an IT staff of 5 people, which includes our dept mgr, all of
which have access to the administrator password and whose accounts are
members of the Domain Admins group. What I propose to do is:
1. Change Admin password, allowing only one person access.
2. Disable Remote Desktop
3. Deny Logon Locally.
The only thing I can't seem to figure out is how to deny all users except
administrator.
If anyone has any suggestions, I'd appreciate it!
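
The membership review suggested in the reply above, as an added example that is not part of the original posts: a read-only PowerShell report of Domain Admins members who are not on an approved list, with the narrower local Administrators membership proposed instead. It assumes a management host with the ActiveDirectory PowerShell module; the account names `dcadmin1` and the server name `EXCH01` are constructed placeholders.

```powershell
# Added example: report Domain Admins members who are not on an approved list.
# Needs the ActiveDirectory module (RSAT). Read-only: it changes nothing.
Import-Module ActiveDirectory

# Assumptions (constructed values): the accounts approved to administer
# domain controllers, and the member server the other staff actually manage.
$ApprovedDomainAdmins = @('Administrator', 'dcadmin1')
$MemberServer         = 'EXCH01'

function Get-ExcessDomainAdmin {
    param(
        [Parameter(Mandatory)] [string[]] $Approved,
        [string] $GroupName = 'Domain Admins'
    )
    # Direct members, used to tell direct membership from nested membership.
    $direct = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }

    # -Recursive expands nested groups, so indirect members are included.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and
                       $Approved -notcontains $_.SamAccountName } |
        Sort-Object -Property SamAccountName -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Account    = $_.SamAccountName
                Membership = if ($direct -contains $_.SamAccountName) { 'Direct' } else { 'Nested' }
            }
        }
}

$domain = (Get-ADDomain).NetBIOSName
Get-ExcessDomainAdmin -Approved $ApprovedDomainAdmins | ForEach-Object {
    # Suggested replacement: local Administrators on the member server only.
    $note = "Add $domain\$($_.Account) to Administrators on $MemberServer"
    $_ | Add-Member -NotePropertyName Suggested -NotePropertyValue $note -PassThru
} | Format-Table -AutoSize
```

Accounts reported as Nested hold the privilege through another group, so removing them means changing that group's membership rather than Domain Admins itself.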