Disable remote access on Windows SBS

post #1 of 7
Thread Starter 
I have a client that I need to make sure that remote internet connections are not possible, and maybe change passwords.
The computers on the physical network still need to connect to the server.
How do you configure that?
Reason is an employee just got canned, and he wants to make sure she can't mess with his stuff.
post #2 of 7
What I would suggest is to change all passwords on accounts with administrative group permissions. And change passwords on accounts that have dial-in access over VPN. Look in the Active Directory users and groups console under all users.
post #3 of 7
Thread Starter 
Quote:
Originally Posted by 0ptic0n View Post
What I would suggest is to change all passwords on accounts with administrative group permissions. And change passwords on accounts that have dial-in access over VPN. Look in the Active Directory users and groups console under all users.
That's kind of what I was thinking. Where do you find the list of Active Directory users? I'm a noob with SBS...
post #4 of 7
Under Administrative tools.
post #5 of 7
Quote:
Originally Posted by markt View Post
I have a client that I need to make sure that remote internet connections are not possible, and maybe change passwords.
The computers on the physical network still need to connect to the server.
How do you configure that?
Reason is an employee just got canned, and he wants to make sure she can't mess with his stuff.
Open Active Directory Users and Computers under Administrative Tools.

Locate the user account in question.

Right-click the user account and choose Reset Password. Usually, I open up Notepad as well, and just smash the keyboard a bunch of times to generate a random password, such as: UIODSTYHI&*q43y57843ywe6 8943tr5, and then copy and paste this into the Reset Password box.

Double-click user account, select the Member Of tab, take a screenshot of the groups the user is a member of, save screenshot somewhere, and then remove the user from all the groups except maybe the basic Primary Group listed below.

Finally, you should move the specified user account to another Organizational Unit (OU) within the Active Directory. I normally have an OU called Disabled Users or Former Employees.

After a certain amount of time, you would then disable the user account and either reject email addressed to her, or move her SMTP address to another user / manager.

If the user had access to any account with Administrator-level privileges, then you would need to reset those passwords as well, but doing so can muck with your server really badly if you don't do it properly, since there may be programs and/or services that rely on the old credentials.

You should check the services (Start | Run | Services.msc), and check the "Log On As" column to see what services rely on which accounts.

Generally, you should not be giving out the domain administrator account or any other administrator account to any user to use. You should modify the user's AD account with the appropriate group memberships.

Which version of SBS are you running, btw?
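The group snapshot and the "Log On As" check from the post above, as a read-only script. This is an added example, not part of the original thread; the account name `jdoe` and the output path are placeholders, and it relies only on .NET DirectoryServices and WMI.

```powershell
# Added example, read-only: nothing in AD or in any service configuration is changed.
$Sam     = 'jdoe'                                # placeholder sAMAccountName
$OutFile = "C:\Offboarding\$Sam-groups.txt"      # placeholder output path

# 1. Save the "Member Of" list as text before removing the user from groups.
$searcher = New-Object System.DirectoryServices.DirectorySearcher   # current domain
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('memberOf')
$user = $searcher.FindOne()
if (-not $user) { throw "No user with sAMAccountName '$Sam' in the current domain." }

# memberOf holds direct memberships only; the primary group is not listed in it.
$groups = @()
if ($user.Properties.Contains('memberof')) {
    $groups = @($user.Properties['memberof'] | Sort-Object)
}
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
"$(Get-Date -Format s)  $($user.Properties['distinguishedname'][0])" | Set-Content $OutFile
$groups | Add-Content $OutFile
"Saved $($groups.Count) group DN(s) to $OutFile"

# 2. The "Log On As" column from services.msc, filtered to named accounts.
#    Built-in identities are skipped; a service left in the list stops starting
#    if its account's password is reset without updating the service as well.
$named = Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and
                   $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Sort-Object StartName, Name
$named | Format-Table StartName, Name, State, StartMode -AutoSize

# Number of dependent services per account, to size the change before a reset.
$named | Group-Object StartName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it on the server itself; adding `-ComputerName` to `Get-WmiObject` repeats the service check against other machines on the network.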
post #6 of 7
Thread Starter 
Quote:
Originally Posted by comguards View Post
Open Active Directory Users and Computers under Administrative Tools.

Locate the user account in question.

Right-click the user account and choose Reset Password. Usually, I open up Notepad as well, and just smash the keyboard a bunch of times to generate a random password, such as: UIODSTYHI&*q43y57843ywe6 8943tr5, and then copy and paste this into the Reset Password box.

Double-click user account, select the Member Of tab, take a screenshot of the groups the user is a member of, save screenshot somewhere, and then remove the user from all the groups except maybe the basic Primary Group listed below.

Finally, you should move the specified user account to another Organizational Unit (OU) within the Active Directory. I normally have an OU called Disabled Users or Former Employees.

After a certain amount of time, you would then disable the user account and either reject email addressed to her, or move her SMTP address to another user / manager.

If the user had access to any account with Administrator-level privileges, then you would need to reset those passwords as well, but doing so can muck with your server really badly if you don't do it properly, since there may be programs and/or services that rely on the old credentials.

You should check the services (Start | Run | Services.msc), and check the "Log On As" column to see what services rely on which accounts.

Generally, you should not be giving out the domain administrator account or any other administrator account to any user to use. You should modify the user's AD account with the appropriate group memberships.

Which version of SBS are you running, btw?
2008
post #7 of 7
Quote:
Originally Posted by markt View Post
2008
Same instructions still apply for a 2008 Domain... the only thing that I have to personally look up, is what additional steps need to be done when the user account is actually disabled in AD...