Server Security

[jamesch]

My question is, we have six remote locations, with a server at each location, and several servers at our main location. Long ago my boss setup each server with a user name with domain admin rights on each. We use no special policy for the servers. Recently we upgraded to Win2000 servers, and I change it to only log into the servers with only one user name with domain admin rights, so all of our servers in all of the locations use one user name. MY boss wants to change it so we have different names at each locations, but he only see the difference in the log in name, and not the rights given, I’m I correct, that it does not matter if the servers log in name is CHEVY with domain admin rights or FORD with domain admin rights, it’s the rights assign as DOMAIN ADMIN that count. Again we have NO special login or anything special with the servers. My boss is afraid that the one user name gives them the keys to the entire castle, but it’s the same with 10 user names with Domain Admin rights, IS this correct.

Also what is the best way to setup a server in a remote location that the secretary is the only one to have the need to login and restart the server? My thought is not to have the person log into the server but, have it set at the “Ctrl+Alt+Del” screen, and if the server needs to be restarted, one should be able to press the key combo and choose to restart or shut down, with out having to log in, or unlock the screen to restart. Physical security is really not a concern. We also can connect through Terminal services to administer the server, but at time something might happen to need someone at the screen??????????