Network Security Focus-Microsoft

Re: Password Protected Screen Saver and Administrative Password

Subject: Re: Password Protected Screen Saver and Administrative Password
Date: Thu, 10 Feb 2005 09:46:01 -0800
Services do not require a user to log on... They run in their own process space, with whatever credentials you specify. If your 3rd party monitoring solution is part of IIS, then I would be surprised if it required you to log on. If it does, that tells me that the monitoring portion is just a program that runs in user mode (thus the logon requirement). You may have an option to start the monitoring program as a service though, in which case no logon would be required. This would be the ideal situation for you, particularly for a process that is designed to monitor systems. If you lost power, or the system were logged off, you would lose your monitoring. A service-based solution would obviate the need for user interaction to log on.

If you must log on for this solution to work, think in the same way we have regarding the vendor-support solution. Log on as a normal user, and configure the monitoring software to run under that user account rather than the domain administrator.

hth

T



----- Original Message -----
From: Tom Milliner
To: 'Thor (Hammer of God)'
Cc: focus-ms@securityfocus.com
Sent: Wednesday, February 09, 2005 1:12 PM
Subject: RE: Password Protected Screen Saver and Administrative Password



Thank you. Your specific clarification and advice have been educational. I would like to ask you this (in relation to the text I put into italic below): When a server boots up, are all its services normally available to users whether I log on or not? I have always logged on as domain administrator and let the password protected screen-saver kick in after about 15 minutes. At least one of my servers (IIS running some kind of third party vendor monitoring software) does require me to log on in order for everything to start. Do you think I could log out and that all the IIS services would still be running in the background? I work by myself, and other than the community college classes and reading, I am on my own for ideas. Hence, some of the suggestions are "new" to me. Thanks in advance for your response.

Tom Milliner, CPA, MCSE
Director of Network Services
MetroTex Assc of Realtors
8201 N. Stemmons Frwy
Dallas, TX 75247
www.dfwrealtors.com
mail to: tomm@dfwrealtors.com
(214) 540-2741


-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: Wednesday, February 09, 2005 2:38 PM
To: tom.milliner@verizon.net; focus-ms@securityfocus.com
Subject: Re: Password Protected Screen Saver and Administrative Password

In line:

----- Original Message -----
From: "Tom Milliner" <tom.milliner@verizon.net>
To: "'Thor (Hammer of God)'" <thor@hammerofgod.com>;
<focus-ms@securityfocus.com>
Sent: Wednesday, February 09, 2005 12:03 PM
Subject: RE: Password Protected Screen Saver and Administrative Password



From a simplicity standpoint, it would help if there was
a separate and distinct screen-saver password available.
For instance, let's say the screen-saver is locked, but the
administrator is away and simply needs a consultant to
perform a task on the server.  I'd want to give the
consultant a non-administrator password for that type of
task.

Ain't gonna happen in the same interactive session, as it shouldn't from a
security standpoint. The closest functionality is RunAs, which you should
use if possible. Ideally, you would not have admin accounts logged onto the
console in the first place on any of the other servers: you would log in and
out as needed. Password protected screen savers are not a good replacement
for the logon process as things like password lockout are not implemented
there, but that's another story.
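The advice in this thread (find out which monitoring components only start at an interactive logon, and run the monitor as a service under an ordinary account instead of leaving a domain administrator logged on at the console) can be audited and applied from PowerShell. This is an added example, not code from the thread or its participants; the service name 'MonitorSvc' and the account 'CORP\svc_monitor' are placeholders, and the Run-key and Win32_Service calls are standard Windows PowerShell.

```powershell
# Added example (not from the thread). Placeholders: 'MonitorSvc', 'CORP\svc_monitor'.

# 1. Programs that start only when someone logs on interactively (Run keys).
#    Anything listed here stops the moment the console session is logged off,
#    which is the failure mode described in the thread.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$logonDependent = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
}
$logonDependent | Format-Table -AutoSize

# 2. Services running as a named (non-built-in) account. The built-in identities need
#    no interactive logon; a real user account here, above all a domain admin, is the risk.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    Select-Object Name, StartName, StartMode, State, DesktopInteract |
    Format-Table -AutoSize

# 3. Re-point one service at a dedicated account that holds only the
#    "Log on as a service" right (grant it via Local Security Policy first).
function Set-ServiceLogonAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][pscredential]$Credential   # 'DOMAIN\user' or '.\localuser'
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    # Win32_Service.Change needs the plaintext password; it is not stored afterwards.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    # ReturnValue 0 means success; any other code is a documented Win32_Service error.
    if ($result.ReturnValue -ne 0) { throw "Change failed with code $($result.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

# Usage: Set-ServiceLogonAccount -ServiceName 'MonitorSvc' -Credential (Get-Credential 'CORP\svc_monitor')
```

Step 1 shows what would be lost by logging off the console, step 2 shows which services are tied to a privileged account, and step 3 moves a service to the least-privilege account so the console no longer needs a logged-on administrator.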



