Re: Service-only users and hosting
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/24/04
- Next message: Roger Abell: "Re: Kerberos errors"
- Previous message: Roger Abell: "Re: User Rights in Mixed Domain"
- In reply to: Alistair Young: "Service-only users and hosting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Jun 2004 22:53:00 -0700
I take
> unable to log on to any machines, access the internal network
> through our VPN, or access any network shares.
rather than
> such as Exchange IMAP, Outlook Web Access, and FTP
as the three indicated with "former two" and "the latter".
If you want to control access to shares independently from
access to all "network logon" controlled accesses then you
will likely need to look at the share-level permissions of the
shares individually.
Whether denying network logon will prevent interaction
with a service actually depends on the design of the specific
service.
Log on as a batch process is used for things like scheduled
tasks, some COM instancing such as for the "IWAM_*"
account used by IIS, etc. Log on as a service on the other
hand controls whether that account will be useful for the
service control manager, for use as the context in which
a service is started.
I am curious however, with the Deny logons you have
mentioned, how is it that you are managing to support FTP?
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Alistair Young" <avatar@arkane-systems.net> wrote in message
news:ezUgi6VWEHA.2840@TK2MSFTNGP11.phx.gbl...
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On my Windows 2003 domain, I have some external users who require
> only access to services - such as Exchange IMAP, Outlook Web Access,
> and FTP. Specifically, I need them to be unable to log on to any
> machines, access the internal network through our VPN, or access any
> network shares.
>
> So far, I have the former two sorted out: all these users are
> ultimately in the "No Console Access" group which has the "Deny logon
> locally" and "Deny logon through Terminal Services" user rights (and
> "Deny logon as a service", just in case), thus solving the first; and
> the RRAS access policies take care of the second.
>
> (Out of curiosity, what *does* "Log on as a batch job" cover?)
>
> The third, on the other hand, I'm having a bit more trouble with.
> (Except inasmuch as, thanks to the firewall in the way, no external
> user can get an SMB packet into the internal network anyway, but I'd
> like a little more than that.) I thought "Deny access to this
> computer from the network" was the user right that would prevent
> share, etc., access, which it does, but it also prevents the users
> from logging on to the services into the bargain...
>
> Any pointers as to how to achieve the one without blocking the other
> too?
>
> Thanks in advance,
>
> Alistair
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQNnkjbKJdAU578lOEQIZFQCg+Lnlq/DDu9b8oz1XwrU7W36ikWYAn3E+
> RtbyilZw3zl/a1wzOYkwS3FM
> =MbJE
> -----END PGP SIGNATURE-----
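The two checks this thread turns on, which Deny logon rights actually apply to the "No Console Access" group and which shares still grant it access at the share level, can be audited with the added PowerShell script below. It is not from the thread or from either poster; it assumes it runs elevated on a domain member with the SmbShare module available (Windows Server 2012 or later), and the group and domain names are parameters you should adjust.

```powershell
# Added example (not from the original thread): report which logon-related user
# rights a group holds on this machine, then list shares that still grant it access.
# Assumptions: run elevated; SmbShare module present (Server 2012+); group name
# "No Console Access" taken from the thread, domain defaults to the local one.
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$Group  = 'No Console Access'
)

# The user rights discussed in the thread, keyed by their policy constant names.
$LogonRights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeNetworkLogonRight               = 'Access this computer from the network'
}

# Resolve the group to its SID; secedit lists principals as "*S-1-5-..." entries.
$sid = (New-Object System.Security.Principal.NTAccount("$Domain\$Group")).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the machine's effective user-rights policy and parse the [Privilege Rights] lines.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
foreach ($line in (Get-Content $inf | Where-Object { $_ -match '^Se\w+\s*=' })) {
    $name, $value = $line -split '\s*=\s*', 2
    if ($LogonRights.ContainsKey($name)) {
        [pscustomobject]@{
            Right          = $LogonRights[$name]
            Constant       = $name
            AppliesToGroup = (($value -split ',') -contains "*$sid")
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Roger's suggestion: share-level permissions must be checked share by share.
# Flag entries for the group itself and for broad principals that include it.
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq "$Domain\$Group" -or
                       $_.AccountName -match 'Everyone|Authenticated Users' } |
        ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Account = $_.AccountName
                               Type = $_.AccessControlType; Right = $_.AccessRight }
        }
}
```

A row with SeDenyNetworkLogonRight set to true for the group is exactly the condition Alistair describes, since IMAP, OWA and FTP authentication all perform a network logon; the share listing shows where an explicit share-level deny would be needed instead.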