Security for DNS/IIS

Matt

Hi,
I'm trying to set things up so my web guys only have access to DNS and IIS on
the web servers and so they don't have to terminal service into the
machines (like they do now). It's not really that huge of a deal that
they can't see the event logs, etc.; I basically just want to get them off
having to terminal service in. My question: what do I need to do to
allow them to be able to MMC into IIS and DNS as well?
 
Steven L Umbach

MMC via the network works over file and print sharing, so you would need to have them
VPN into the server to access MMC. You don't want to open holes in a firewall to do
file and print sharing. However, the downside is that file and print sharing needs to
be enabled on the computer, at least on an internal adapter, as you really don't want
to do that on the external adapter if at all possible. You could still let them
remote in via TS as regular users and, on the computer, add them to the DNS
administrators group. In Remote Administration Mode, by default only administrators
can remote in, but you can change that by adding a user/group to permissions for the
RDP. You could also restrict what they access via local Group Policy [gpedit.msc],
though local Group Policy applies to all users that log on locally [which TS logon is
considered], including administrators. --- Steve
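The delegation Steve outlines above, carried out with PowerShell on the web server. This is an added example, not code from the thread: the domain CORP, the group CORP\WebTeam and the assumption that the server is a member server with a local DnsAdmins group are placeholders. On current Windows the "permissions for the RDP" step is membership in the built-in Remote Desktop Users group, and "internal adapter only" is approximated by the Domain/Private firewall profiles, with the Public profile left closed.

```powershell
# Added example (not from the original thread): give a web team DNS and RDP
# access on a web/DNS server without making them local administrators.
# Run elevated on the server. Assumptions: domain CORP, delegated group
# CORP\WebTeam, DNS role installed on a member server (local DnsAdmins group).

$WebTeam = 'CORP\WebTeam'   # placeholder group name

# 1. DNS: the local DnsAdmins group can manage the DNS service without admin rights.
$already = Get-LocalGroupMember -Group 'DnsAdmins' -ErrorAction SilentlyContinue |
           Where-Object Name -eq $WebTeam
if (-not $already) {
    Add-LocalGroupMember -Group 'DnsAdmins' -Member $WebTeam
}

# 2. RDP as regular users: Remote Desktop Users carries the logon right that
#    the thread calls "permissions for the RDP"; it grants no admin rights.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $WebTeam -ErrorAction SilentlyContinue

# 3. Least privilege check: make sure the group did not end up in Administrators.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -contains $WebTeam) {
    Write-Warning "$WebTeam is in local Administrators; removing it."
    Remove-LocalGroupMember -Group 'Administrators' -Member $WebTeam
}

# 4. Remote MMC needs RPC/SMB reachable on the internal side only. Rules scoped
#    to Domain/Private are enabled, rules scoped to Public are disabled; rules
#    scoped to "Any" are left as they are and should be reviewed by hand.
foreach ($grp in 'File and Printer Sharing', 'Remote Service Management') {
    Get-NetFirewallRule -DisplayGroup $grp |
        Where-Object { $_.Profile -match 'Domain|Private' } |
        Enable-NetFirewallRule
    Get-NetFirewallRule -DisplayGroup $grp |
        Where-Object { $_.Profile -eq 'Public' } |
        Disable-NetFirewallRule
}

# 5. Report the resulting membership so the change can be reviewed.
'DnsAdmins', 'Remote Desktop Users', 'Administrators' | ForEach-Object {
    [pscustomobject]@{
        Group   = $_
        Members = ((Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).Name -join ', ')
    }
} | Format-Table -AutoSize
```

Step 4 is the security-relevant part: exposing SMB and RPC is what makes remote MMC work, so the script only opens them on the profiles the internal adapter uses and explicitly closes them on Public, which is the modern equivalent of Steve's "not on the external adapter" advice.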
 
Matt

Good idea... however, having a slight issue...

IIS - When I try to connect to one of the webservers I get:
Error connecting to: xxxx.xxxxx.net
Access is denied.

Strange... I'm logged in as Administrator to the domain yet it didn't
work, NOR did it ask me for a username/password, guess it's telepathic
and knows I shouldn't be on? :)


Any ideas?
 
Steven L Umbach

Exactly how did you try to connect to it?? Local lan, over a vpn, through remote
TS?? --- Steve
 
Matt

I'm on the same subnet as it, it is not behind a firewall, so it would
be equivalent to a local LAN.
 
Steven L Umbach

So you tried to use Computer Management - other computer and it said access denied
while trying to connect to the LAN interface. I would check to make sure that the
Domain Admins group is still in the local Administrators group on that server and
that file and print sharing is enabled on the internal LAN interface. If auditing of
logon events is enabled on that server, I would look in the security log to see what
the reason is for the logon failure. An IPsec policy with a require policy on either
end could deny access if IPsec negotiation failed. --- Steve
 
Matt

Steve,
Nothing is being logged on the connecting or the connected to computer.
They are both set to log success/failures.
Domain admins group is part of the local admin group =\
File and print sharing is enabled.
no ipsec here.
 
Steven L Umbach

Are the ports open on the internal adapter that you need to connect to? If nothing
was logged, it sounds as if the target computer never got the request. You can try
port scanning that adapter or using Ethereal to see what is happening to your
connection request, as in whether it is getting any response from the remote computer
or not, and if there is a response, sometimes digging into the details of the packet
response can help. Try connecting via the internal LAN IP address instead of the
computer name. --- Steve
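Steve's two troubleshooting posts above amount to a checklist: confirm Domain Admins is still in the server's local Administrators group, confirm the RPC/SMB ports are reachable on the internal adapter, look for failed logons in the security log, and try the LAN IP instead of the name. The script below runs that checklist from the admin workstation. It is an added example, not from the thread; the server name web01.corp.example and the address 10.0.0.25 are placeholders, the membership check uses WinRM (a separate channel from the RPC/SMB path being debugged), and event ID 4625 is the current Windows failed-logon event rather than the NT/2000-era IDs this thread would have seen.

```powershell
# Added example (not from the original thread): run the thread's checklist
# against one web server from the admin workstation. Placeholders below.
param(
    [string]$Server   = 'web01.corp.example',  # placeholder hostname
    [string]$ServerIP = '10.0.0.25'            # placeholder internal LAN address
)

function Test-NameResolution {
    # Connecting by name may land on a different adapter than the internal one;
    # compare what the name resolves to with the LAN address we expect.
    $resolved = (Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        Name       = $Server
        ResolvesTo = ($resolved -join ', ')
        MatchesLan = ($resolved -contains $ServerIP)
    }
}

function Test-MmcPorts {
    # Remote MMC / Computer Management rides on RPC (135 plus dynamic ports) and
    # SMB named pipes (445). A TCP connect that never completes means the server
    # never saw the request, which matches "nothing logged" on the server side.
    foreach ($target in $Server, $ServerIP) {
        foreach ($port in 135, 445) {
            $r = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $target; Port = $port; TcpOpen = $r.TcpTestSucceeded }
        }
    }
}

function Test-DomainAdminsLocal {
    # Domain Admins must still be a member of the server's local Administrators group.
    # Uses WinRM, a separate channel from the RPC/SMB path being debugged.
    $names = Invoke-Command -ComputerName $Server -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
    [pscustomobject]@{ DomainAdminsInLocalAdmins = [bool]($names -like '*\Domain Admins') }
}

function Get-RecentLogonFailures {
    # Event 4625 is the failed-logon event on current Windows. With logon auditing
    # enabled, an empty result supports the "request never arrived" theory; a hit
    # gives the account, source address and NTSTATUS code of the refusal.
    Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Account';  e = { $_.Properties[5].Value } },
            @{ n = 'SourceIP'; e = { $_.Properties[19].Value } },
            @{ n = 'Status';   e = { '0x{0:X}' -f $_.Properties[7].Value } }
}

Test-NameResolution     | Format-List
Test-MmcPorts           | Format-Table -AutoSize
Test-DomainAdminsLocal  | Format-List
Get-RecentLogonFailures | Format-Table -AutoSize
```

If Test-MmcPorts shows 135 or 445 closed for the name but open for the IP, or closed for both, the "Access is denied" is being produced before any authentication happens, which is why the security log stays empty; only when the ports are open and 4625 events appear is it worth reading the NTSTATUS code for the real authorization reason.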