Need help locking down a server


Chris Hall

Greetings,

I'm looking into options to secure our mail server (Exchange 2003 on Windows
2003). We have an IT staff of 5 people, which includes our dept mgr, all of
which have access to the administrator password and whose accounts are
members of the Domain Admins group. What I propose to do is:

1. Change Admin password, allowing only one person access.
2. Disable Remote Desktop.
3. Deny Logon Locally.

The only thing I can't seem to figure out is how to deny all users except
administrator.

If anyone has any suggestions, I'd appreciate it!
 
Hi Chris

You would probably be well-informed by checking into
http://www.microsoft.com/technet/security/guidance/default.mspx
particularly, in the "by product" section, the two guides you will
locate under Exchange Server and under Windows 2003 Server.

While I agree it is admirable to limit excess administrative
access, I am scratching my head at the net result of your 3
proposed actions.

One controls local logon by use of the User Rights settings
that govern the machine. One may list groups and/or accounts
in the grants of logon rights (or deny of same).
 
Hi Chris,

Only IT staff that needs to administer domain controllers (physically) needs
to be a member of the Domain Administrators group. For everyone else it is enough
to be Administrator on the systems that they need to manage (e.g. the Exchange
server). You can even limit this and delegate some other tasks (e.g. Backup
Administrators, ...).

If your question is how to limit Domain Administrators from logging onto the
Exchange server -- you can't. You simply can't limit someone who is a Domain
Administrator. Even if you deny someone the log on locally permission, if the
person is a Domain Administrator -- he/she can change that policy at any time
and allow themselves to log on to any server...
 
Hi Miha

While I agree with you, notice that you could go further.
Instead of
"Only IT staff that needs to administer domain controllers (physically)
needs to be member of Domain Administrators group."
one can state
"Only IT staff that needs to administer domain controllers (physically) need
to be members of the domain's Administrators group, and only members of
the Domain Administrators group if they manage AD (or require broad,
default admin access on members, such as for scanning)."

Sorry, it is a small pet peeve of mine seeing how the scope of power
of the domain's Administrators group is overlooked.
Roger
 
doh !!!
"The only thing I can't seem to figure out is how to deny all users except
administrator."
Just grant it only to administrator.
If not granted, it is not held and does not need to be denied.
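The posts above boil down to checking who actually holds the "log on locally" and Terminal Services logon rights on the server, and whether a deny entry is even needed. The script below is an added example, not code from this thread or from Microsoft's guides; it exports the server's effective user-rights policy with secedit, lists the holders of the four logon rights, and flags any allow grant that goes beyond the admin group you intend to keep. It assumes an elevated prompt on the member server and that the group name in `$IntendedAdmins` is a placeholder you replace with your own.

```powershell
# Added example (not from the thread): audit logon-right assignments.
# Exports the effective local security policy, parses [Privilege Rights]
# and reports who holds the interactive / Terminal Services logon rights.
# Assumptions: elevated prompt on the server being checked; $IntendedAdmins
# is a placeholder for the group(s) that should keep the allow rights.

$IntendedAdmins = @('BUILTIN\Administrators')   # placeholder: your admin group(s)

$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rightsOfInterest = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes well-known accounts as *SID; translate back to a name
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }
    }
    return $Entry
}

$lines = Get-Content $cfg
foreach ($right in $rightsOfInterest.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { Resolve-Principal $_.Trim() } |
            Where-Object { $_ })
    }
    "{0} ({1}):" -f $rightsOfInterest[$right], $right
    if ($holders.Count -eq 0) { "    <not granted to anyone>" }
    else { $holders | ForEach-Object { "    $_" } }

    # The thread's point: a right that is never granted needs no deny entry.
    # Flag allow rights held by anyone outside the intended admin group(s).
    if ($right -notlike 'SeDeny*') {
        $extra = @($holders | Where-Object { $IntendedAdmins -notcontains $_ })
        if ($extra.Count -gt 0) { "    NOTE: granted beyond intended admins: $($extra -join ', ')" }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

As Miha notes, this only shows who the policy lets on; a Domain Administrator can still edit the policy itself, so the output is a check on the configuration, not a control over domain-level admins.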
 
Thanks all for the input. For now, we ended up setting some allow/deny local
logon and remote desktop access to our IT staff. We also have changed the
admin password. Not as complicated as I thought....
 