Read only account

Guest

I want to provide my users access from home to an XP pro system via XP remote
service for the purpose of viewing our company's databases which is hosted on
a server and viewed via an application (client) on the XP system.
Question: Is it possible to create a user account that is a "Read Only"
account? I reviewed security policies and group policies but can't find the
items to enable this function. Even though we will be using strong
passwording, I do not want to allow outside users to create, change, print or
export anything (read only). [I am planning to restrict application access to
only those allowed]
Any suggestions?
 
I'm afraid it's not that easy. You see, there can be only one connection at a
time to an XP machine using remote desktop. Sure you could use some other kind
of software and have more than one concurrent connection. The biggest problem
is the user privileges. You can strip the user from permissions to
access/modify files and folders, set several options in Group Policy Editor,
but it's the application that might be problematic. The application is run
under some user account. It might need privileges of the administrator to run
correctly and wouldn't work right if it was opened and run by the user. Well
on the other hand you could use RunAs and run this particular app under
administrator account. Of course you don't want users to know the
administrative password so you would have to write a logon script that would
run after user logs on, opens the app with administrative privileges but
everything else would be run under his account. Well finally, it might just
work. If you would like to check one tool that was designed to help runas
where it lacks try EPAL >> http://www.microsoft.com/cze/technet/tipy/004.mspx
(the site is in Czech, but you should find a link below to the actual program)
 
You can restrict a user account so that it only has read/list/execute
permissions to a folder and using Group Policy [computer
configuration/administrative templates/Windows components/terminal
services/client&server data redirection] to restrict redirection of
clipboard/drives/printer but that will not totally prevent the user from
copying information as for instance the user could try doing screen shots,
printing the screen, or even photographing their display if that would be a
concern. If you can provide access through a VPN server using L2TP at least
you could prevent attackers from accessing your computer unless they get
physical access to a legitimate remote computer because L2TP requires that
the computers authenticate via certificates before the user can attempt to
the computers authenticate via certificates before the user can attempt to
authenticate to the VPN server. I would also disable the ability of users
to save their password for their TS client connection via Group Policy. ---
Steve
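
One way to verify that the redirection restrictions mentioned in the reply above actually landed on the XP host, added here as an example and not part of the original thread. It parses the output of `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"` and reports any clipboard, drive or printer channel that is still open; the sample output is constructed, and the function names are hypothetical.

```python
import re

# Policy-backed DWORD values written by the Terminal Services
# "client/server data redirection" Group Policy settings.
# A value of 1 means the redirection channel is blocked.
REQUIRED = {
    "fDisableClip": "clipboard redirection",
    "fDisableCdm": "drive redirection",
    "fDisableCpm": "printer redirection",
}

# Matches one value line of `reg query` output: name, type, hex data.
LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {lowercased value name: int} for each REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # Registry value names are case-insensitive, so normalise them.
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def audit(text):
    """Return (value name, channel, state) for every channel not blocked."""
    found = parse_reg_query(text)
    gaps = []
    for name, channel in REQUIRED.items():
        state = found.get(name.lower())
        if state != 1:
            # Distinguish "policy never set" from "policy set to allow".
            detail = "not configured" if state is None else "set to %d" % state
            gaps.append((name, channel, detail))
    return gaps


# Constructed sample: clipboard blocked, drives allowed, printers never set.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDisableClip    REG_DWORD    0x1
    fDisableCdm    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, channel, detail in audit(SAMPLE):
        print("OPEN: %s (%s is %s)" % (channel, name, detail))
```

A value that is absent means the policy was never configured, which leaves the channel at its default rather than blocked, so the audit treats it the same as an explicit 0.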
 