Re: Giving contract developer access
"Hugh G. Johnson" <hughnotgnotjohnson@comcastnot.net> wrote in message
news:eUSl48J$IHA.4616@TK2MSFTNGP06.phx.gbl...
> I'm a small business owner which makes me the System Administrator of my
> web and database servers. In the past I've given contractors
> Administrative rights when they used the machines, but now I'm starting to
> use developers from other countries and they are logging in via the WAN.
>
> My question is: is there a way to give a contractor access to the machine to
> create SQL databases, websites, create directories, change file
> permissions, etc. without being an administrator, and even blocking access
> to files I don't want them to?
>
> I thought Power Users would be best, but I've been told that's a no-no.

Hmm...going off the top of my head, so could be off here, but here are some
theories you can try.

Create special user accounts and special groups. Use your imagination and
be creative here.

Assign these accounts to one or more of the groups you created. Set the
Primary Group of each account to a group appropriate for that account. Then
remove them from the Domain Users Group.

At this point they should only have access to files/folders that are
specifically granted to their particular group and to things allowed for the
"Everyone" group. Permissions are typically inherited downward from where
they start so grant them the ability to create, delete, etc at the "top"
Folder that they should be able to do this. This works for File Shares,
File System in general, for Web Servers and FTP Servers (IIS). Don't
confuse Share Permissions with NTFS Permissions,..you are working primarily
with NTFS Permissions to do this.

Make sure the Everyone Group does not have permission to things that you
don't want literally everyone to have permission to.

For SQL you have a choice,..SQL Server can use either normal Domain Accounts
(like what is above) or it can use its own internally created user accounts
that exist only within the SQL Services and you can set what these accounts
are allowed to do and the scope of where they can do what they do. It can
also use both types of accounts at the same time. You may need a person who
is very good with SQL Server to help you with this (sorry, I'm not). So all
I can tell you is that SQL Server's authentication mechanism can be very
powerful and detailed when used correctly and can operate almost "on its
own" without the Windows Active Directory Domain. But *important*, do not
give them the password to the SA account,..the SA account in the SQL Services
has the power within the SQL Service that Domain Administrator has for the
Domain. If you have already given them that then change the password after
you have gotten everything else in place and tested.

Remember that Vendors couldn't care squat about your LAN's security
(generally speaking), all they care about is making their product function
by any means necessary to keep their own boss happy. What happens to your
LAN beyond the scope of their product is no concern to them (generally
speaking of course).

--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
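
The group-and-NTFS-permission setup described in the reply above, as an added example that is not part of the original post. It assumes local accounts on a standalone server rather than a domain; the group, account and folder names and the 90-day expiry are hypothetical, and the audit step also checks Authenticated Users, which the reply does not mention.

```powershell
# Run elevated in Windows PowerShell 5.1 or later. All names and paths are assumed.
$Group     = 'ContractDevs'               # hypothetical group for outside developers
$User      = 'contractor01'               # hypothetical contractor account
$WorkRoot  = 'D:\Projects\ClientSite'     # the "top" folder they may change
$Protected = 'D:\Finance', 'D:\Backups'   # folders they must not reach

# 1. Dedicated group and account; the account expires after 90 days (assumed value).
New-LocalGroup -Name $Group -Description 'External contract developers' | Out-Null
$password = Read-Host -Prompt "Password for $User" -AsSecureString
New-LocalUser -Name $User -Password $password -AccountExpires (Get-Date).AddDays(90) | Out-Null
Add-LocalGroupMember -Group $Group -Member $User

# 2. Grant the group Modify at the top folder. The inheritance flags carry the
#    entry down to every subfolder and file. Modify covers create, write and
#    delete, but not Change Permissions or Take Ownership.
$ruleArgs = $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $WorkRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $WorkRoot -AclObject $acl

# 3. Report allow entries on the protected folders that the new account would
#    still match: its own group, Everyone, and Authenticated Users.
$matched = "$env:COMPUTERNAME\$Group", 'Everyone', 'NT AUTHORITY\Authenticated Users'
foreach ($path in $Protected) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $matched -contains $_.IdentityReference.Value } |
        Select-Object @{ Name = 'Path'; Expression = { $path } },
                      IdentityReference, FileSystemRights, IsInherited
}
```

Any row reported in step 3 is access the contractor account would still have on a protected folder.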