Security for DNS/IIS

matt

Distinguished
Apr 2, 2004
321
0
18,780
Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
I'm trying to setup so my web guys only have access to DNS and IIS on
the web servers and so they don't have to terminal service into the
machines (like they do now). It's not really that huge of a deal that
they can't see the event logs/etc, I basically just want to get them off
having to terminal service in. My Question: What do I need to do to
allow them to be able to MMC into IIS and DNS as well?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

MMC via the network works over file and print sharing, so you would need to have them
vpn into the server to access MMC. You don't want to open holes in a firewall to do
file and print sharing. However the downside is that file and print sharing needs to
be enabled on the computer - at least on an internal adapter as you really don't want
to do that on the external adapter if at all possible. You could still let them
remote in via TS as regular users and on the computer add them to the dns
administrators group. In Remote Administration Mode, by default only administrators
can remote in but you can change that by adding a user/group to permissions for the
RDP. You could also restrict what they access via local Group Policy [gpedit.msc]
though local Group Policy applies to all users that logon locally [which TS logon is
considered] including administrators. --- Steve


"Matt" <spammers@are.bad.com> wrote in message news:ccma4t1862@enews3.newsguy.com...
> Hi,
> I'm trying to setup so my web guys only have access to DNS and IIS on
> the web servers and so they don't have to terminal service into the
> machines (like they do now). It's not really that huge of a deal that
> they can't see the event logs/etc, I basically just want to get them off
> having to terminal service in. My Question: What do I need to do to
> allow them to be able to MMC into IIS and DNS as well?
 

matt

Distinguished
Apr 2, 2004
321
0
18,780
Archived from groups: microsoft.public.win2000.security (More info?)

Good idea.. however having a slight issue...

IIS - When I try to connect to one of the webservers I get:
Error connecting to: xxxx.xxxxx.net
Access is denied.

Strange... I'm logged in as Administrator to the domain yet it didn't
work, NOR did it ask me for a username/password, guess it's telepathic
and knows I shouldn't be on? :)


Any ideas?



Steven L Umbach wrote:

> MMC via the network works over file and print sharing, so you would need to have them
> vpn into the server to access MMC. You don't want to open holes in a firewall to do
> file and print sharing. However the downside is that file and print sharing needs to
> be enabled on the computer - at least on an internal adapter as you really don't want
> to do that on the external adapter if at all possible. You could still let them
> remote in via TS as regular users and on the computer add them to the dns
> administrators group. In Remote Administration Mode, by default only administrators
> can remote in but you can change that by adding a user/group to permissions for the
> RDP. You could also restrict what they access via local Group Policy [gpedit.msc]
> though local Group Policy applies to all users that logon locally [which TS logon is
> considered] including administrators. --- Steve
>
>
> "Matt" <spammers@are.bad.com> wrote in message news:ccma4t1862@enews3.newsguy.com...
>
>>Hi,
>>I'm trying to setup so my web guys only have access to DNS and IIS on
>>the web servers and so they don't have to terminal service into the
>>machines (like they do now). It's not really that huge of a deal that
>>they can't see the event logs/etc, I basically just want to get them off
>>having to terminal service in. My Question: What do I need to do to
>>allow them to be able to MMC into IIS and DNS as well?
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Exactly how did you try to connect to it?? Local lan, over a vpn, through remote
TS?? --- Steve


"Matt" <spammers@are.bad.com> wrote in message news:ccmrrf01sa9@enews4.newsguy.com...
> Good idea.. however having a slight issue...
>
> IIS - When I try to connect to one of the webservers I get:
> Error connecting to: xxxx.xxxxx.net
> Access is denied.
>
> Strange... I'm logged in as Administrator to the domain yet it didn't
> work, NOR did it ask me for a username/password, guess it's telepathic
> and knows I shouldn't be on? :)
>
>
> Any ideas?
>
>
>
> Steven L Umbach wrote:
>
> > MMC via the network works over file and print sharing, so you would need to have
them
> > vpn into the server to access MMC. You don't want to open holes in a firewall to
do
> > file and print sharing. However the downside is that file and print sharing needs
to
> > be enabled on the computer - at least on an internal adapter as you really don't
want
> > to do that on the external adapter if at all possible. You could still let them
> > remote in via TS as regular users and on the computer add them to the dns
> > administrators group. In Remote Administration Mode, by default only
administrators
> > can remote in but you can change that by adding a user/group to permissions for
the
> > RDP. You could also restrict what they access via local Group Policy
[gpedit.msc]
> > though local Group Policy applies to all users that logon locally [which TS logon
is
> > considered] including administrators. --- Steve
> >
> >
> > "Matt" <spammers@are.bad.com> wrote in message
news:ccma4t1862@enews3.newsguy.com...
> >
> >>Hi,
> >>I'm trying to setup so my web guys only have access to DNS and IIS on
> >>the web servers and so they don't have to terminal service into the
> >>machines (like they do now). It's not really that huge of a deal that
> >>they can't see the event logs/etc, I basically just want to get them off
> >>having to terminal service in. My Question: What do I need to do to
> >>allow them to be able to MMC into IIS and DNS as well?
> >
> >
> >
 

matt

Distinguished
Apr 2, 2004
321
0
18,780
Archived from groups: microsoft.public.win2000.security (More info?)

I'm on the same subnet as it, it is not behind a firewall, so it would
be equivallent to a local LAN.

Steven L Umbach wrote:
> Exactly how did you try to connect to it?? Local lan, over a vpn, through remote
> TS?? --- Steve
>
>
> "Matt" <spammers@are.bad.com> wrote in message news:ccmrrf01sa9@enews4.newsguy.com...
>
>>Good idea.. however having a slight issue...
>>
>>IIS - When I try to connect to one of the webservers I get:
>>Error connecting to: xxxx.xxxxx.net
>>Access is denied.
>>
>>Strange... I'm logged in as Administrator to the domain yet it didn't
>>work, NOR did it ask me for a username/password, guess it's telepathic
>>and knows I shouldn't be on? :)
>>
>>
>>Any ideas?
>>
>>
>>
>>Steven L Umbach wrote:
>>
>>
>>>MMC via the network works over file and print sharing, so you would need to have
>
> them
>
>>>vpn into the server to access MMC. You don't want to open holes in a firewall to
>
> do
>
>>>file and print sharing. However the downside is that file and print sharing needs
>
> to
>
>>>be enabled on the computer - at least on an internal adapter as you really don't
>
> want
>
>>>to do that on the external adapter if at all possible. You could still let them
>>>remote in via TS as regular users and on the computer add them to the dns
>>>administrators group. In Remote Administration Mode, by default only
>
> administrators
>
>>>can remote in but you can change that by adding a user/group to permissions for
>
> the
>
>>>RDP. You could also restrict what they access via local Group Policy
>
> [gpedit.msc]
>
>>>though local Group Policy applies to all users that logon locally [which TS logon
>
> is
>
>>>considered] including administrators. --- Steve
>>>
>>>
>>>"Matt" <spammers@are.bad.com> wrote in message
>
> news:ccma4t1862@enews3.newsguy.com...
>
>>>>Hi,
>>>>I'm trying to setup so my web guys only have access to DNS and IIS on
>>>>the web servers and so they don't have to terminal service into the
>>>>machines (like they do now). It's not really that huge of a deal that
>>>>they can't see the event logs/etc, I basically just want to get them off
>>>>having to terminal service in. My Question: What do I need to do to
>>>>allow them to be able to MMC into IIS and DNS as well?
>>>
>>>
>>>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

So you tried to use Computer Management - other computer and it said access denied
while trying to connect to the lan interface. I would check to make sure that the
domain admins group is still in the local administrators group on that server and
that file and print sharing is enabled on the internal lan interface. If auditing of
logon events is enabled on that server, I would look in the security log to see what
the reason is for the logon failure. An ipsec policy with a require policy on either
end could deny access if ipsec negotiation failed. --- Steve



"Matt" <spammers@are.bad.com> wrote in message news:ccu1hr014fc@enews1.newsguy.com...
> I'm on the same subnet as it, it is not behind a firewall, so it would
> be equivallent to a local LAN.
>
> Steven L Umbach wrote:
> > Exactly how did you try to connect to it?? Local lan, over a vpn, through remote
> > TS?? --- Steve
> >
> >
> > "Matt" <spammers@are.bad.com> wrote in message
news:ccmrrf01sa9@enews4.newsguy.com...
> >
> >>Good idea.. however having a slight issue...
> >>
> >>IIS - When I try to connect to one of the webservers I get:
> >>Error connecting to: xxxx.xxxxx.net
> >>Access is denied.
> >>
> >>Strange... I'm logged in as Administrator to the domain yet it didn't
> >>work, NOR did it ask me for a username/password, guess it's telepathic
> >>and knows I shouldn't be on? :)
> >>
> >>
> >>Any ideas?
> >>
> >>
> >>
> >>Steven L Umbach wrote:
> >>
> >>
> >>>MMC via the network works over file and print sharing, so you would need to have
> >
> > them
> >
> >>>vpn into the server to access MMC. You don't want to open holes in a firewall to
> >
> > do
> >
> >>>file and print sharing. However the downside is that file and print sharing
needs
> >
> > to
> >
> >>>be enabled on the computer - at least on an internal adapter as you really don't
> >
> > want
> >
> >>>to do that on the external adapter if at all possible. You could still let them
> >>>remote in via TS as regular users and on the computer add them to the dns
> >>>administrators group. In Remote Administration Mode, by default only
> >
> > administrators
> >
> >>>can remote in but you can change that by adding a user/group to permissions for
> >
> > the
> >
> >>>RDP. You could also restrict what they access via local Group Policy
> >
> > [gpedit.msc]
> >
> >>>though local Group Policy applies to all users that logon locally [which TS
logon
> >
> > is
> >
> >>>considered] including administrators. --- Steve
> >>>
> >>>
> >>>"Matt" <spammers@are.bad.com> wrote in message
> >
> > news:ccma4t1862@enews3.newsguy.com...
> >
> >>>>Hi,
> >>>>I'm trying to setup so my web guys only have access to DNS and IIS on
> >>>>the web servers and so they don't have to terminal service into the
> >>>>machines (like they do now). It's not really that huge of a deal that
> >>>>they can't see the event logs/etc, I basically just want to get them off
> >>>>having to terminal service in. My Question: What do I need to do to
> >>>>allow them to be able to MMC into IIS and DNS as well?
> >>>
> >>>
> >>>
> >
> >
 

matt

Distinguished
Apr 2, 2004
321
0
18,780
Archived from groups: microsoft.public.win2000.security (More info?)

Steve,
Nothing is being logged on the connecting or the connected to computer.
They are both set to log success/failures.
Domain admins group is part of the local admin group =\
File and print sharing is enabled.
no ipsec here.


Steven L Umbach wrote:

> So you tried to use Computer Management - other computer and it said access denied
> while trying to connect to the lan interface. I would check to make sure that the
> domain admins group is still in the local administrators group on that server and
> that file and print sharing is enabled on the internal lan interface. If auditing of
> logon events is enabled on that server, I would look in the security log to see what
> the reason is for the logon failure. An ipsec policy with a require policy on either
> end could deny access if ipsec negotiation failed. --- Steve
>
>
>
> "Matt" <spammers@are.bad.com> wrote in message news:ccu1hr014fc@enews1.newsguy.com...
>
>>I'm on the same subnet as it, it is not behind a firewall, so it would
>>be equivallent to a local LAN.
>>
>>Steven L Umbach wrote:
>>
>>>Exactly how did you try to connect to it?? Local lan, over a vpn, through remote
>>>TS?? --- Steve
>>>
>>>
>>>"Matt" <spammers@are.bad.com> wrote in message
>
> news:ccmrrf01sa9@enews4.newsguy.com...
>
>>>>Good idea.. however having a slight issue...
>>>>
>>>>IIS - When I try to connect to one of the webservers I get:
>>>>Error connecting to: xxxx.xxxxx.net
>>>>Access is denied.
>>>>
>>>>Strange... I'm logged in as Administrator to the domain yet it didn't
>>>>work, NOR did it ask me for a username/password, guess it's telepathic
>>>>and knows I shouldn't be on? :)
>>>>
>>>>
>>>>Any ideas?
>>>>
>>>>
>>>>
>>>>Steven L Umbach wrote:
>>>>
>>>>
>>>>
>>>>>MMC via the network works over file and print sharing, so you would need to have
>>>
>>>them
>>>
>>>
>>>>>vpn into the server to access MMC. You don't want to open holes in a firewall to
>>>
>>>do
>>>
>>>
>>>>>file and print sharing. However the downside is that file and print sharing
>
> needs
>
>>>to
>>>
>>>
>>>>>be enabled on the computer - at least on an internal adapter as you really don't
>>>
>>>want
>>>
>>>
>>>>>to do that on the external adapter if at all possible. You could still let them
>>>>>remote in via TS as regular users and on the computer add them to the dns
>>>>>administrators group. In Remote Administration Mode, by default only
>>>
>>>administrators
>>>
>>>
>>>>>can remote in but you can change that by adding a user/group to permissions for
>>>
>>>the
>>>
>>>
>>>>>RDP. You could also restrict what they access via local Group Policy
>>>
>>>[gpedit.msc]
>>>
>>>
>>>>>though local Group Policy applies to all users that logon locally [which TS
>
> logon
>
>>>is
>>>
>>>
>>>>>considered] including administrators. --- Steve
>>>>>
>>>>>
>>>>>"Matt" <spammers@are.bad.com> wrote in message
>>>
>>>news:ccma4t1862@enews3.newsguy.com...
>>>
>>>
>>>>>>Hi,
>>>>>>I'm trying to setup so my web guys only have access to DNS and IIS on
>>>>>>the web servers and so they don't have to terminal service into the
>>>>>>machines (like they do now). It's not really that huge of a deal that
>>>>>>they can't see the event logs/etc, I basically just want to get them off
>>>>>>having to terminal service in. My Question: What do I need to do to
>>>>>>allow them to be able to MMC into IIS and DNS as well?
>>>>>
>>>>>
>>>>>
>>>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Are the ports open on the internal adapter that you need to connect to? If nothing
was logged, it sounds as if the target computer never got the request. You can try
port scanning that adapter or using Ethereal to see what is happening to your
connection request as in if is getting any response from the remote computer or not
and if there is a response, sometimes digging into the details of the packet response
can help. Try connecting via the internal lan IP address instead of computer
name. --- Steve


"Matt" <spammers@are.bad.com> wrote in message news:ccuhkl0jqd@enews3.newsguy.com...
> Steve,
> Nothing is being logged on the connecting or the connected to computer.
> They are both set to log success/failures.
> Domain admins group is part of the local admin group =\
> File and print sharing is enabled.
> no ipsec here.
>
>
> Steven L Umbach wrote:
>
> > So you tried to use Computer Management - other computer and it said access
denied
> > while trying to connect to the lan interface. I would check to make sure that the
> > domain admins group is still in the local administrators group on that server and
> > that file and print sharing is enabled on the internal lan interface. If auditing
of
> > logon events is enabled on that server, I would look in the security log to see
what
> > the reason is for the logon failure. An ipsec policy with a require policy on
either
> > end could deny access if ipsec negotiation failed. --- Steve
> >
> >
> >
> > "Matt" <spammers@are.bad.com> wrote in message
news:ccu1hr014fc@enews1.newsguy.com...
> >
> >>I'm on the same subnet as it, it is not behind a firewall, so it would
> >>be equivallent to a local LAN.
> >>
> >>Steven L Umbach wrote:
> >>
> >>>Exactly how did you try to connect to it?? Local lan, over a vpn, through
remote
> >>>TS?? --- Steve
> >>>
> >>>
> >>>"Matt" <spammers@are.bad.com> wrote in message
> >
> > news:ccmrrf01sa9@enews4.newsguy.com...
> >
> >>>>Good idea.. however having a slight issue...
> >>>>
> >>>>IIS - When I try to connect to one of the webservers I get:
> >>>>Error connecting to: xxxx.xxxxx.net
> >>>>Access is denied.
> >>>>
> >>>>Strange... I'm logged in as Administrator to the domain yet it didn't
> >>>>work, NOR did it ask me for a username/password, guess it's telepathic
> >>>>and knows I shouldn't be on? :)
> >>>>
> >>>>
> >>>>Any ideas?
> >>>>
> >>>>
> >>>>
> >>>>Steven L Umbach wrote:
> >>>>
> >>>>
> >>>>
> >>>>>MMC via the network works over file and print sharing, so you would need to
have
> >>>
> >>>them
> >>>
> >>>
> >>>>>vpn into the server to access MMC. You don't want to open holes in a firewall
to
> >>>
> >>>do
> >>>
> >>>
> >>>>>file and print sharing. However the downside is that file and print sharing
> >
> > needs
> >
> >>>to
> >>>
> >>>
> >>>>>be enabled on the computer - at least on an internal adapter as you really
don't
> >>>
> >>>want
> >>>
> >>>
> >>>>>to do that on the external adapter if at all possible. You could still let
them
> >>>>>remote in via TS as regular users and on the computer add them to the dns
> >>>>>administrators group. In Remote Administration Mode, by default only
> >>>
> >>>administrators
> >>>
> >>>
> >>>>>can remote in but you can change that by adding a user/group to permissions
for
> >>>
> >>>the
> >>>
> >>>
> >>>>>RDP. You could also restrict what they access via local Group Policy
> >>>
> >>>[gpedit.msc]
> >>>
> >>>
> >>>>>though local Group Policy applies to all users that logon locally [which TS
> >
> > logon
> >
> >>>is
> >>>
> >>>
> >>>>>considered] including administrators. --- Steve
> >>>>>
> >>>>>
> >>>>>"Matt" <spammers@are.bad.com> wrote in message
> >>>
> >>>news:ccma4t1862@enews3.newsguy.com...
> >>>
> >>>
> >>>>>>Hi,
> >>>>>>I'm trying to setup so my web guys only have access to DNS and IIS on
> >>>>>>the web servers and so they don't have to terminal service into the
> >>>>>>machines (like they do now). It's not really that huge of a deal that
> >>>>>>they can't see the event logs/etc, I basically just want to get them off
> >>>>>>having to terminal service in. My Question: What do I need to do to
> >>>>>>allow them to be able to MMC into IIS and DNS as well?
> >>>>>
> >>>>>
> >>>>>
> >>>
> >
> >