How to allow secure remote access

We are running Small Business Server 2003 Premium and we have Exchange and
our companyweb intranet site up and running. However, we have an accountant
who will be updating our QuickBooks company files periodically, so I need to
give her secure access to our network.

What is the most secure way of allowing a remote partner access to a single
file on my network?

Thanks in advance,

Mervin Williams

Mervin Williams wrote:
> We are running Small Business Server 2003 Premium and we have
> Exchange and our companyweb intranet site up and running. However,
> we have an accountant who will be updating our QuickBooks company
> files periodically, so I need to give her secure access to our
> network.
> What is the most secure way of allowing a remote partner access to a
> single file on my network?
>
> Thanks in advance,
>
> Mervin Williams

You can use IPSEC for best security on your server.
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager

--------------------------------------------------------------------
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to (E-Mail Removed)
Thank you
--------------------------------------------------------------------

My question is what is the best complete approach to setting up secure
access to a file for a remote partner?

Mervin Williams

"Giuseppe Nacci" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Mervin Williams wrote:
>> We are running Small Business Server 2003 Premium and we have
>> Exchange and our companyweb intranet site up and running. However,
>> we have an accountant who will be updating our QuickBooks company
>> files periodically, so I need to give her secure access to our
>> network.
>> What is the most secure way of allowing a remote partner access to a
>> single file on my network?
>>
>> Thanks in advance,
>>
>> Mervin Williams
>
> You can use IPSEC for best security on your server.
> --
> ---
> Giuseppe Nacci
> Microsoft Certified System Engineer
> Security Manager
>
> --------------------------------------------------------------------
> CONFIDENTIALITY NOTICE
> This message and its attachments are addressed solely to the persons
> above and may contain confidential information. If you have received
> the message in error, be informed that any use of the content hereof
> is prohibited. Please return it immediately to the sender and delete
> the message. Should you have any questions, please contact us by
> replying to (E-Mail Removed)
> Thank you
> --------------------------------------------------------------------
>
>
>

Hi Mervin

The most secure way is going to depend on many factors! The most secure is
to Fedex her a CD for her to return but this is not operationally
satisfactory. How is QB setup? Multiuser sharing Data on Server? Terminal
Server on Member Server with Enterprise version? Some more details are
important. QB is inheritantly not safe anyway without special security
precautions since they requie Administrative Priviliges on the WS. I would
suggest that you setup a special user account for her and limit her login to
server and one WS. The server is required for RWW to work but will not
actually allow her to login to server. Then have her use RWW to login with
Https to that WS.

--
Frank McCallister SBS MVP
COMPUMAC
"Mervin Williams" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an
> accountant who will be updating our QuickBooks company files periodically,
> so I need to give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a
> single file on my network?
>
> Thanks in advance,
>
> Mervin Williams
>

Hi Mervin

Single file ? I assume you mean the quickbooks database file. To access this
she needs to run the program.

Either let her TS into the server locking everything down for that user
account you give her.

Or VPN, as Giuseppe says and IPSEC being more secure than PPTP. Need to
setup shared folder to Quickbooks that she connects to but more
configuration for you that would really need you to visit her to setup.

Fianlly could let her RWW to server then pop over to a workstation (needs
XP) then she can run it as if she was in office. This being the preferable
route. Again locking down pc so she can only use quickbooks. Consider
whether she is aollowed email account.

--
Thinking of upgrading .. COOL... http://www.sbsmigration.com

www.smallbizserver.net (2000 and 2003)

microsoft.public.backoffice.smallbiz2000 (2000 NG)

microsoft.public.windows.server.sbs (2003 NG)

http://groups.google.com/groups?hl=e...e.smallbiz2000

http://groups.google.com/groups?hl=e...ows.server.sbs

http://www.sbslinks.com/


"Mervin Williams" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an
> accountant who will be updating our QuickBooks company files periodically,
> so I need to give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a
> single file on my network?
>
> Thanks in advance,
>
> Mervin Williams
>

You mention that I should create a limited account for her with access only
to the server and one workstation. Specifically:

1. What groups should her account belong?
2. What permissions should her account have?
3. Have do I configure her login to only access the server and one
workstation?

Thanks,

Mervin Williams

"Frank McCallister SBS MVP" <anonymous> wrote in message
news:O1%(E-Mail Removed)...
> Hi Mervin
>
> The most secure way is going to depend on many factors! The most secure is
> to Fedex her a CD for her to return but this is not operationally
> satisfactory. How is QB setup? Multiuser sharing Data on Server? Terminal
> Server on Member Server with Enterprise version? Some more details are
> important. QB is inheritantly not safe anyway without special security
> precautions since they requie Administrative Priviliges on the WS. I would
> suggest that you setup a special user account for her and limit her login
> to server and one WS. The server is required for RWW to work but will not
> actually allow her to login to server. Then have her use RWW to login with
> Https to that WS.
>
> --
> Frank McCallister SBS MVP
> COMPUMAC
> "Mervin Williams" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We are running Small Business Server 2003 Premium and we have Exchange
>> and our companyweb intranet site up and running. However, we have an
>> accountant who will be updating our QuickBooks company files
>> periodically, so I need to give her secure access to our network.
>>
>> What is the most secure way of allowing a remote partner access to a
>> single file on my network?
>>
>> Thanks in advance,
>>
>> Mervin Williams
>>
>
>

DO NOT 'let her TS into the server locking everything down', it's SBS 2003
and there are numerous reasons for not doing this.

like:
I'm gonna let some outside party TS to my root DC. YEAH RIGHT.
SBS2003 cannot be put into TS Application mode.
No DC can be properly secured to support TS App mode users.

I'd also not expect great performance with her opening the QB database
through a VPN. Might be OK if it's a small database.

Leaves RDP through RWW, to either an XP ws or a seperate TS.

"Bill Swan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Mervin
>
> Single file ? I assume you mean the quickbooks database file. To access
> this she needs to run the program.
>
> Either let her TS into the server locking everything down for that user
> account you give her.
>
> Or VPN, as Giuseppe says and IPSEC being more secure than PPTP. Need to
> setup shared folder to Quickbooks that she connects to but more
> configuration for you that would really need you to visit her to setup.
>
> Fianlly could let her RWW to server then pop over to a workstation (needs
> XP) then she can run it as if she was in office. This being the preferable
> route. Again locking down pc so she can only use quickbooks. Consider
> whether she is aollowed email account.
>
> --
> Thinking of upgrading .. COOL... http://www.sbsmigration.com
>
> www.smallbizserver.net (2000 and 2003)
>
> microsoft.public.backoffice.smallbiz2000 (2000 NG)
>
> microsoft.public.windows.server.sbs (2003 NG)
>
> http://groups.google.com/groups?hl=e...e.smallbiz2000
>
> http://groups.google.com/groups?hl=e...ows.server.sbs
>
> http://www.sbslinks.com/
>
>
> "Mervin Williams" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We are running Small Business Server 2003 Premium and we have Exchange
>> and our companyweb intranet site up and running. However, we have an
>> accountant who will be updating our QuickBooks company files
>> periodically, so I need to give her secure access to our network.
>>
>> What is the most secure way of allowing a remote partner access to a
>> single file on my network?
>>
>> Thanks in advance,
>>
>> Mervin Williams
>>
>
>

In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an accountant
> who will be updating our QuickBooks company files periodically, so I need to
> give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a single
> file on my network?
>
> Thanks in advance,

Create a VPN connection and then only permit remote desktop ports to
access the company network through the VPN - this means they can run RD
to one Workstation that's setup for QB and that they can't do anything
that anyone in the office can't do.

Another method would be to give them VPN access and provide them with IP
access to one system in order to copy files too, but that's more of a
risk if their home machine is compromised.

--
--
(E-Mail Removed)
remove 999 in order to email me

In article <#(E-Mail Removed)>, (E-Mail Removed)ie
says...
>
> Leaves RDP through RWW, to either an XP ws or a seperate TS.

No, it leaves RDP through a VPN (even PPTP) connection, and since RDP
uses 30kbps, that means there is plenty of capacity on a slow connection
with the overhead of a VPN.

The best method would be to have them VPN into the network, limit them
to ONE COMPUTER, they login to the computer using RDP, do their work on
it, then log out - no files left on their home computer to be filtched
if compromised.

--
--
(E-Mail Removed)
remove 999 in order to email me

PFFFFT, I'm going to let some accountant bring her PC into my IP subnet. A
PC I have no control over. A PC on which I don't even know if there is AV,
let alone up-to-date AV.

Well, OK, the OP has SBS2003 Premium, so if he has gone to ISA2004 he can
explore quarantine VPN (not something I've had time to do yet).

Sure, limit the user ID, not only with 'logon to' only the specific RDP
session host but file privelages which only allow the QB database to be
accessed. But bring them in via RWW, and you might want to hack the RWW RDP
connection page to not allow 'connect my local drives', either Ray Fong or
Sean Daniel blogged the hack, shame, I don't think you can do it on a per
user basis.

The best method of giving anyone access to your SBS2003 network from outside
is a locked down seperate TS accessed _only_ through RWW.

"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <#(E-Mail Removed)>, (E-Mail Removed)ie
> says...
>>
>> Leaves RDP through RWW, to either an XP ws or a seperate TS.
>
> No, it leaves RDP through a VPN (even PPTP) connection, and since RDP
> uses 30kbps, that means there is plenty of capacity on a slow connection
> with the overhead of a VPN.
>
> The best method would be to have them VPN into the network, limit them
> to ONE COMPUTER, they login to the computer using RDP, do their work on
> it, then log out - no files left on their home computer to be filtched
> if compromised.
>
> --
> --
> (E-Mail Removed)
> remove 999 in order to email me