#28171
02/15/2011 7:39 PM
Joined: Nov 2007
Posts: 62
Member
OP
We have a Domain Controller, a Terminal Server and an Application Server. We have 40+ workstations running Amazing Charts with the database on the Application Server.
In order to run Amazing Charts on the workstations I need to make each user a Windows Administrator on each computer.
On each computer's administrator group I added "Domain Users". That works but makes me very uncomfortable.
In order to allow users to use Amazing Charts on the terminal server I had to do the same thing.
I have two general questions: 1) will Amazing Charts eliminate this requirement in the future and 2) does anyone have a work-around that does not include opening up security like that?
My concern is that this arrangement has helped a recent virus attack to propagate through my network!
Any suggestions will be greatly appreciated!
Joined: Jun 2009
Posts: 1,811
Member
"In order to run Amazing Charts on the workstations I need to make each user a Windows Administrator on each computer."
I am confused about that statement; you have to have admin rights to install, but I have never experienced the OS requiring admin rights to run. Could you elaborate please?
Joined: Jun 2008
Posts: 325
Member
Doc Clayton, if I understand you correctly, I do not believe you need to have your users entered in as administrators. Instead, I suggest you make sure you add "Domain Users" to the security tab of the Amazing Charts folder share. Thus they will not be able to install software generally, but will be able to access the Amazing Charts folder with RWX permissions.
Joined: Nov 2007
Posts: 62
Member
OP
It sounds like I need to clarify what is going on in the office:
- Amazing Charts is installed on every computer
- Amazing Charts uses the database on the application server
- The permissions on the domain users are set up correctly on the Amazing Charts folder on the server
- Users are not part of the administrators group on the domain or part of the domain admin group on the domain
- On each physical computer there is a local Windows administrator group and this contains the group domain users
Amazing Charts works fine in this arrangement.
This setup allows users to install programs on their local computers. This includes viruses.
The terminal server (a Windows 2003 server) also has to be set up this way to enable users to log in from home and run Amazing Charts.
Setting up each computer to allow staff to install programs is a big security hole. I would like to close it up.
For example, users do not have to be part of the local computer's administrator group to run Office or other programs.
When I took the domain users out of the administrators group on a computer, Amazing Charts gave error messages and would not run. When I called the problem in, Amazing Charts technical staff responded very quickly. They told me that users have to be part of the local administrators group for Amazing Charts to run in a Windows domain environment.
Joined: Jun 2009
Posts: 1,811
Member
"They told me that users have to be part of the local administrators group for Amazing Charts to run in a Windows domain environment."
I don't believe that this is correct. Rather, I think that your configuration needs to be adjusted so that domain users have permissions to the share, as well as on the local machine. Is there a reason that you don't have users log on as domain user accounts?
Joined: Sep 2003
Posts: 12,871 Likes: 34
Member
[quote=docclayton]Users are not part of the administrators group on the domain or part of the domain admin group on the domain[/quote]
Isn't that the same thing?
This is why support should answer questions about the program and not about domains and SQL. When a user logs into a computer on a domain, he is authenticating against the server. Once the server recognizes the username and password from Active Directory, that computer is on the domain and can access everything on the server if it has the proper share and permission.
There is no reason at all to run the user as a local admin. There are advantages to both but there is no advantage when it comes to permissions to the server.
Not allowing a user to be a local admin does make your computer more secure, not only from installing and downloading but from Trojans and hackers not being able to do as much on the computer. But you do sacrifice two important things. One is if you have your computers set up to lock when the screensaver comes on rather than the computer logging off, the user will not be able to get into his or her own computer. Also, I found when I had everyone a non-admin, every time I needed to fix something, it was rather difficult. Sure, I could do "Run as" but even that was a pain. There are 3rd party programs for stopping the download of apps.
Also, if you really want to tighten things up, then don't make "domain users" in your local admin group. Just put in the individual user that needs to use that machine.
Are you taking the domain users out of the local admin group directly from the computer or on the server?
Bert Pediatrics Brewer, Maine
Joined: Nov 2007
Posts: 62
Member
OP
Indy: The users do log in to the domain under their own roaming profile account.
Bert: In this particular case, the domain admin group is functionally the same as the administrators group. The domain admin has additional abilities such as changing schema settings, etc. Since we only have one domain it is a moot point.
I agree that managing the local computers without having each user as a local admin WAS a pain!
I removed or disabled all local login accounts on each machine except "administrator". Each user account on the domain only has permission to do the various activities required by their jobs. The AC main folder (and all sub folders) have the correct permission settings. Only the terminal server allows authenticated users to be local administrators.
I set the local administrators to be domain users because there are only a few computers where just one person uses it. The majority of computers are used by everyone.
I set the local admin manually on each machine when the machine is set up. It is not done from the server using group policy or any other method.
It appears that we are set up as secure as possible given our office requirements. We don't want to "lock everything down" but we do want to limit virus attacks and virus spreading.
Thanks to all for your review and suggestions!
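An added example, not part of any poster's message and not Amazing Charts' own tooling: a PowerShell check for the configuration discussed in this thread, where a catch-all group such as Domain Users or Authenticated Users is a member of a machine's local Administrators group. The function name and the sample members are constructed for illustration, and the live call in the final comment assumes PowerShell 5.1 or later.

```powershell
# Added example. Find-BroadLocalAdmin and the sample data are hypothetical.
# Flags catch-all groups found among the members of a local Administrators group.
function Find-BroadLocalAdmin {
    param(
        # Objects exposing Name and SID, the shape Get-LocalGroupMember returns.
        [Parameter(Mandatory)]
        [object[]]$Member
    )

    # Well-known SIDs that stand for "nearly everyone who can log on".
    $fixed = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    foreach ($m in $Member) {
        $sid = [string]$m.SID
        $reason = $null
        if ($fixed.ContainsKey($sid)) {
            $reason = $fixed[$sid]
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            # RID 513 is the Domain Users group of whichever domain issued the SID.
            $reason = 'Domain Users'
        }
        if ($reason) {
            [pscustomobject]@{ Member = $m.Name; SID = $sid; Grants = $reason }
        }
    }
}

# Constructed sample resembling the workstations described above (SIDs are made up).
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = 'S-1-5-21-1000000001-2000000002-3000000003-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';  SID = 'S-1-5-21-1000000001-2000000002-3000000003-513' }
)
# Only the Domain Users entry is reported for this sample.
Find-BroadLocalAdmin -Member $sample | Format-Table -AutoSize

# Live check on one machine; S-1-5-32-544 is the built-in Administrators group:
# Find-BroadLocalAdmin -Member (Get-LocalGroupMember -SID 'S-1-5-32-544')
```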
Joined: Sep 2003
Posts: 12,871 Likes: 34
Member
So you should be able to log in and do fine.
When I first heard about roaming profiles and folder redirection, I thought it was the greatest thing since sliced bread. Then I started using it. Roaming profiles just became a huge issue.
If a user logs into the computer onto the domain, whether as a local admin or not, they will still use their local profile or their profile on the server if you have roaming profiles enabled. If they log into that computer directly, they will have an entirely different profile and shouldn't be able to access AC as they are not on the domain. They would then be on a workgroup computer.
Bert Pediatrics Brewer, Maine