Service-only users and hosting

Discussion in 'Server Security' started by Alistair Young, Jun 23, 2004.

    Hash: SHA1

    On my Windows 2003 domain, I have some external users who require
    only access to services - such as Exchange IMAP, Outlook Web Access,
    and FTP. Specifically, I need them to be unable to log on to any
    machines, access the internal network through our VPN, or access any
    network shares.

    So far, I have the former two sorted out: all these users are
    ultimately in the "No Console Access" group which has the "Deny logon
    locally" and "Deny logon through Terminal Services" user rights (and
    "Deny logon as a service", just in case), thus solving the first; and
    the RRAS access policies take care of the second.

    (Out of curiosity, what *does* "Log on as a batch job" cover?)

    The third, on the other hand, I'm having a bit more trouble with.
    (Except inasmuch as, thanks to the firewall in the way, no external
    user can get an SMB packet into the internal network anyway, but I'd
    like a little more than that.) I thought "Deny access to this
    computer from the network" was the user right that would prevent
    share, etc., access, which it does, but it also prevents the users
    from logging on to the services into the bargain...

    Any pointers as to how to achieve the one without blocking the other

    Thanks in advance,


    Version: PGP 8.0.3

    -----END PGP SIGNATURE-----
    Alistair Young, Jun 23, 2004
    1. Advertisements

  2. Alistair Young

    Roger Abell Guest

    I take
    as the three indicated with "former two" and "the later"

    If you want to control access to shares independently from
    access to all "network logon" controlled accesses then you
    will likely need to look at the share-level permissions of the
    shares individually.
    Whether denying network logon will prevent interaction
    with a service actually depends on the design of the specific

    Log on a a batch process is used for things like scheduled
    tasks, some COM instancing such as for the "IWAM_*"
    account use by IIS, etc.. Log on as a service on the other
    hand controls whether that account will be useful for the
    service control manager, for use as the context in which
    a service is started.

    I am curious however, with the Deny logons you have
    mentioned how is it that you are managing to support FTP ?
    Roger Abell, Jun 24, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.