Guest Hugh G. Johnson, Posted August 12, 2008

I'm a small business owner, which makes me the System Administrator of my web and database servers. In the past I've given contractors Administrative rights when they used the machines, but now I'm starting to use developers from other countries and they are logging in via the WAN.

My question is: is there a way to give a contractor access to the machine to create SQL databases, websites, create directories, change file permissions, etc. without being an administrator, and even blocking access to files I don't want them to?

I thought Power Users would be best, but I've been told that's a no-no.

Sincerely,
Hugh
Guest Phillip Windell, Posted August 12, 2008

Re: Giving contract developer access

"Hugh G. Johnson" <hughnotgnotjohnson@comcastnot.net> wrote in message news:eUSl48J$IHA.4616@TK2MSFTNGP06.phx.gbl...
> I'm a small business owner, which makes me the System Administrator of my
> web and database servers. In the past I've given contractors
> Administrative rights when they used the machines, but now I'm starting to
> use developers from other countries and they are logging in via the WAN.
>
> My question is: is there a way to give a contractor access to the machine to
> create SQL databases, websites, create directories, change file
> permissions, etc. without being an administrator, and even blocking access
> to files I don't want them to?
>
> I thought Power Users would be best, but I've been told that's a no-no.

Hmm... going off the top of my head, so I could be off here, but here are some theories you can try.

Create special user accounts and special groups. Use your imagination and be creative here. Assign these accounts to one or more of the groups you created. Set the Primary Group of each account to a group appropriate for that account. Then remove them from the Domain Users group. At this point they should only have access to files/folders that are specifically granted to their particular group and to things allowed for the "Everyone" group.

Permissions are typically inherited downward from where they start, so grant them the ability to create, delete, etc. at the "top" folder where they should be able to do this. This works for File Shares, the File System in general, and for Web Servers and FTP Servers (IIS). Don't confuse Share Permissions with NTFS Permissions; you are working primarily with NTFS Permissions to do this. Make sure the Everyone group does not have permission to things that you don't want literally everyone to have permission to.

For SQL you have a choice: SQL Server can use either normal Domain Accounts (like what is above) or it can use its own internally created user accounts that exist only within the SQL Services, and you can set what these accounts are allowed to do and the scope of where they can do what they do. It can also use both types of accounts at the same time. You may need a person who is very good with SQL Server to help you with this (sorry, I'm not). So all I can tell you is that SQL Server's authentication mechanism can be very powerful and detailed when used correctly and can operate almost "on its own" without the Windows Active Directory Domain.

But *important*: do not give them the password to the SA account. The SA account in the SQL Services has the power within the SQL Service that Domain Administrator has for the Domain. If you have already given them that, then change the password after you have gotten everything else in place and tested.

Remember that Vendors couldn't care squat about your LAN's security (generally speaking); all they care about is making their product function by any means necessary to keep their own boss happy. What happens to your LAN beyond the scope of their product is no concern to them (generally speaking, of course).

--
Phillip Windell
http://www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004 http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006 http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
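The two halves of the advice above (a dedicated group with NTFS rights inherited from one "top" folder, and a SQL Server login that is not sysadmin and never uses SA) can be scripted. The following PowerShell is an added example written for this thread, not code posted by either participant; the group name, account name, folder paths and SQL instance name are all assumptions, and it targets a standalone server with local accounts rather than a domain (the same ACL and T-SQL calls apply to a domain account if you swap in its `DOMAIN\user` name). It needs PowerShell 5.1 or later for the LocalAccounts cmdlets and the SqlServer module for Invoke-Sqlcmd.

```powershell
# Added example: least-privilege contractor access on a Windows web/SQL server.
# All names and paths below are assumptions for illustration.
$ContractorGroup = 'WebContractors'                 # assumed group name
$ContractorUser  = 'dev.contractor1'                # assumed account name
$SiteRoot        = 'C:\inetpub\contractor-sites'    # the "top" folder they may manage
$ProtectedDir    = 'C:\inetpub\internal'            # folder they must not reach
$SqlInstance     = 'localhost\SQLEXPRESS'           # assumed instance
$LoginName       = "$env:COMPUTERNAME\$ContractorUser"

# 1. A dedicated group and account. The account is placed in the contractor
#    group only, never in Administrators or Power Users. If an earlier step
#    (or a 'net user' command) put it in the built-in Users group, remove it,
#    which is the standalone-server equivalent of leaving Domain Users.
if (-not (Get-LocalGroup -Name $ContractorGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $ContractorGroup -Description 'External developers' | Out-Null
}
if (-not (Get-LocalUser -Name $ContractorUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Initial password for $ContractorUser"
    New-LocalUser -Name $ContractorUser -Password $pw | Out-Null
}
Add-LocalGroupMember    -Group $ContractorGroup -Member $ContractorUser -ErrorAction SilentlyContinue
Remove-LocalGroupMember -Group 'Users'          -Member $ContractorUser -ErrorAction SilentlyContinue

# 2. NTFS rights on the top folder only. Modify lets them create sites,
#    directories and files; ChangePermissions lets them set ACLs on what they
#    create. ContainerInherit + ObjectInherit makes the entry flow down to
#    every subfolder and file, so one grant at the top is enough.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
$acl  = Get-Acl -Path $SiteRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ContractorGroup, 'Modify,ChangePermissions', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $SiteRoot -AclObject $acl

# 3. The protected folder: stop inheriting from its parent (keeping a copy of
#    the current entries), then strip Everyone and the contractor group. Rather
#    than adding Deny entries, the folder simply grants them nothing.
New-Item -ItemType Directory -Path $ProtectedDir -Force | Out-Null
$pacl = Get-Acl -Path $ProtectedDir
$pacl.SetAccessRuleProtection($true, $true)          # disable inheritance, preserve existing rules
foreach ($who in @('Everyone', $ContractorGroup)) {
    $pacl.PurgeAccessRules([System.Security.Principal.NTAccount]$who)
}
Set-Acl -Path $ProtectedDir -AclObject $pacl

# 4. SQL Server: a Windows login for the contractor in the dbcreator server
#    role. dbcreator can create (and will own) new databases but is not
#    sysadmin, and the SA password is never involved.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] FROM WINDOWS;
ALTER SERVER ROLE dbcreator ADD MEMBER [$LoginName];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql

# 5. Checks worth running before handing over the account:
#    the group must not be an administrator, the protected folder must carry
#    no entry for it, and the login must not be sysadmin.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $LoginName) { Write-Warning "$LoginName is still an Administrator" }

$leak = (Get-Acl $ProtectedDir).Access | Where-Object { $_.IdentityReference -like "*$ContractorGroup" }
if ($leak) { Write-Warning "$ProtectedDir still grants access to $ContractorGroup" }

$isSa = Invoke-Sqlcmd -ServerInstance $SqlInstance `
    -Query "SELECT IS_SRVROLEMEMBER('sysadmin', '$LoginName') AS IsSysadmin"
if ($isSa.IsSysadmin -eq 1) { Write-Warning "$LoginName is a SQL sysadmin" }

(Get-Acl $SiteRoot).Access | Where-Object { $_.IdentityReference -like "*$ContractorGroup" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Run it in an elevated PowerShell session on the server itself. If the contractor needs to administer sites in IIS rather than just their files, IIS Manager delegation (per-site IIS Manager permissions) is the matching control on that side; this script only covers the file system and SQL Server pieces the thread discusses.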
Guest Phillip Windell, Posted August 12, 2008

Re: Giving contract developer access

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:e8cmxwK$IHA.5004@TK2MSFTNGP05.phx.gbl...
> Make sure the Everyone Group does not have permission to things that you
> don't want literally everyone to have permission to.

Some things need the Everyone group... so don't get too carried away with the idea.

--
Phillip Windell
http://www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Guest Hugh G. Johnson, Posted August 12, 2008

Re: Giving contract developer access

Phillip,

Thank you. This is really helpful.

Hugh

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:%23iWyvvL$IHA.4124@TK2MSFTNGP05.phx.gbl...
>
> "Phillip Windell" <philwindell@hotmail.com> wrote in message
> news:e8cmxwK$IHA.5004@TK2MSFTNGP05.phx.gbl...
>> Make sure the Everyone Group does not have permission to things that you
>> don't want literally everyone to have permission to.
>
> Some things need the Everyone group... so don't get too carried away with
> the idea.
>
> --
> Phillip Windell
> http://www.wandtv.com
>
> The views expressed are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------