Remote administration security group.....
on 26.04.2006 20:20:01 by cb
We have a single server that we are using for development, and have invited
some 3rd party developers to create some ASP.NET content on the server. They
have requested Terminal Services Login (remote desktop). WHAT is the minimal
security group or Best Practice for giving outside users such permission?
So they will be able to develop content easily and securely without
compromising the server itself?
Thanks,
v
Re: Remote administration security group.....
on 27.04.2006 03:59:07 by Ken Schaefer
To be able to log on via Terminal Services, you can add them to the Remote
Operators group.
HOWEVER
You need to ask why they need interactive access to the server. To be able
to develop simple .NET applications, they'd (at most) need the ability to
upload files to your server. Interactive access implies that they wish to
view/edit settings or server configuration. In order to work out whether
they actually need this access, you need to find out from them why they want
this access in the first place.
Cheers
Ken
Re: Remote administration security group.....
on 27.04.2006 20:48:02 by cb
This actually leads to question 2:
Does anyone know how to restrict virtual directories of IIS FTP to only one
user?
When we make a VD with IIS for the FTP ANY user can then navigate to that
folder if they know the folder name. For example.
LocalUser
\Matt
\Tom
VirtualDirectory - \public_html
Although Matt and Tom are isolated from that folder down if we make a VD of
public_html if either of them know the folder name they can both access it.
IS there a way to prevent this without IP RESTRICTION? I tried removing the
USER group from the VD permissions tab but that stopped the Website itself
from running.
Bottom line:
We need to give ftp access to off site developers to upload website files,
but we are running into problems with win2k3's built in ftp server for
security and user isolation on the small scale. =(
Any ideas?
Thanks in advance.
Re: Remote administration security group.....
on 28.04.2006 02:40:58 by Ken Schaefer
You need to use NTFS permissions to restrict this.
Change the NTFS permissions on the folders in question, so that Tom has
Read/Write/Delete/etc to his folder, and Matt has the same permissions to
his folder. Do not allow "Users" or "Everyone" access to both folders.
Cheers
Ken
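The NTFS approach from the reply above, as an added example that is not part of the original thread: it gives each folder an ACL containing only administrators, SYSTEM and the one developer, then audits the result for entries granted to broad groups. All paths and account names (`D:\ftproot\...`, `SERVER\Matt`, `SERVER\WebSiteIdentity`) are hypothetical placeholders, and the read-only entry for the website's account on `public_html` is an assumption about what the site needs after the Users group is removed.

```powershell
# Added example; every path and account name below is a hypothetical placeholder.
$Plan = @(
    @{ Path = 'D:\ftproot\LocalUser\Matt'; Modify = 'SERVER\Matt'; Read = @() },
    @{ Path = 'D:\ftproot\LocalUser\Tom';  Modify = 'SERVER\Tom';  Read = @() },
    # Shared site content: one developer may write, the website account may only read (assumption).
    @{ Path = 'D:\sites\public_html'; Modify = 'SERVER\Matt'; Read = @('SERVER\WebSiteIdentity') }
)
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function New-Rule([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to the folder, its subfolders and its files
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

foreach ($item in $Plan) {
    # Start from an empty ACL and block inheritance so no parent ACE
    # (such as Users or Everyone) is carried into the folder.
    $acl = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-Rule $item.Modify 'Modify'))
    foreach ($reader in $item.Read) {
        $acl.AddAccessRule((New-Rule $reader 'ReadAndExecute'))
    }
    Set-Acl -Path $item.Path -AclObject $acl
}

# Audit: warn about any ACE held by a broad group, or by an account
# that the plan does not list for that folder (e.g. Tom on Matt's folder).
foreach ($item in $Plan) {
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $item.Modify) + $item.Read
    foreach ($ace in (Get-Acl -Path $item.Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($Broad -contains $id -or $expected -notcontains $id) {
            Write-Warning ("{0}: unexpected ACE for {1} ({2})" -f $item.Path, $id, $ace.FileSystemRights)
        }
    }
}
```

Run it from an elevated session; the audit loop can be re-run on its own later to catch ACLs that have drifted back to inherited defaults.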