    xmrchndize Posts: 2, Reputation: 1
    New Member
     
    #1

    Jul 30, 2006, 03:20 PM
    Windows Server 2003 Share Access
    I am in the process of upgrading a peer-to-peer Windows XP network environment to a Windows Server 2003 domain. My clients have Windows XP Pro with a third-party program installed for point of sale and accounts receivable management. The program requires access to a network share folder housing the MS Access database along with some other log files. The program also saves signature captures in the form of bitmaps to that share folder. My question is: how do I allow the program access to the share folder but not the users? That is, I do not want the users to have read/write permissions for the share... only the program.
    cajalat Posts: 469, Reputation: 66
    Full Member
     
    #2

    Jul 30, 2006, 08:13 PM
    I'm not 100% sure, but in order for that to happen the program in question must have different credentials than the user, and for that to happen it needs to run as a service independent of the user. Permissions would then need to be granted to the credentials of the application that's running as a service.

    I don't believe the user can start the application under different permissions without being able to run as that user which would sort of defeat the purpose.

    Casey
    StuMegu Posts: 576, Reputation: 64
    Senior Member
     
    #3

    Jul 31, 2006, 01:10 AM
    Is there no way to separate the two types of information, e.g. put the bitmaps in a subfolder and deny access to user accounts that way? I think you may need to contact the program vendors to solve this problem!
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #4

    Jul 31, 2006, 07:35 AM
    Any folder holding an MS Access database has to allow Read/Write Access to all users. This is because that folder will hold an ldb file that contains record locking info.

    I agree with Stu that the program vendor needs to provide a solution to this. The suggestion about putting the bitmaps into a subfolder is a good one, but the program needs to support that.
    xmrchndize Posts: 2, Reputation: 1
    New Member
     
    #5

    Jul 31, 2006, 09:15 PM
    Thanks all, the information is appreciated. You have to understand my environment, I guess. You see, I employ some high school and college kids that know just enough about computers to get themselves in trouble. My main concern is the database. I back up the database regularly but I would still like a little peace of mind. Thanks again
    cajalat Posts: 469, Reputation: 66
    Full Member
     
    #6

    Jul 31, 2006, 11:48 PM
    I've given this some more thought and I think there is a way. The file permissions on the server do not distinguish between a user reading the file and a program reading the file. To the server the two are one and the same. However, from the source computer there is a difference. When an application launches and wants to connect to a network resource it has to make certain system calls. Those calls register with the OS as to who is initiating the request, i.e. the OS knows which application is attempting to access the database on the server.

    There is an application that you can install on the desktop that can restrict which applications can access what resources such as Kerio or Tiny Personal Firewall. Actually any personal firewall product should be able to do this. You can allow the application in question to access the database on a particular server in the domain while denying access to all other applications to that server. You can then lock the configuration of the personal firewall (this feature is available in Kerio and Tiny Personal Firewall) so that the college kids can't change the firewall permissions.

    The drawback is that the permissions are broad in that you can only restrict based on Source Application, Source/Destination IP, Source/Destination Ports but not destination file/directory. So in this case what you can do is have two servers one for the DB and one for everything else and lock access to the DB server to just the application in question. You'll need to fine tune the firewall rules of course a bit but I think this would be a crude workaround that will give you some peace of mind shy of engaging the vendor to redesign the application.

    Hope that helps.

    Casey
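
The rule model described in post #6, as an added example that is not part of the original thread and is not the configuration syntax of Kerio or Tiny Personal Firewall: rules match on source application, destination IP and port, with the first match winning. The binary path, server addresses and share names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# All hosts, paths and addresses are constructed for this example.
DB_SERVER = ip_address("192.0.2.10")      # server holding only the database share
FILE_SERVER = ip_address("192.0.2.20")    # server for everything else
SMB = frozenset({139, 445})               # Windows file-sharing ports
POS_APP = r"c:\program files\pos\pos.exe" # hypothetical point-of-sale binary

@dataclass(frozen=True)
class Conn:
    app: str       # full path of the process opening the connection
    dst: str       # destination IP
    port: int      # destination TCP port
    unc: str = ""  # requested share path; the firewall never sees this

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    app: str = "*"                  # "*" = any application
    dst: object = None              # None = any destination
    ports: frozenset = frozenset()  # empty = any port

    def matches(self, c: Conn) -> bool:
        return (self.app in ("*", c.app.lower())
                and self.dst in (None, ip_address(c.dst))
                and (not self.ports or c.port in self.ports))

RULES = [
    Rule("allow", POS_APP, DB_SERVER, SMB),  # only the POS program reaches the DB server
    Rule("deny", dst=DB_SERVER),             # every other program is blocked from it
    Rule("allow"),                           # traffic to other hosts is unaffected
]

def decide(c: Conn, rules=RULES) -> str:
    """First matching rule wins; deny when nothing matches."""
    return next((r.action for r in rules if r.matches(c)), "deny")

SAMPLE = [  # constructed connection attempts
    Conn(r"C:\Program Files\POS\pos.exe", "192.0.2.10", 445, r"\\db\posdata"),
    Conn(r"C:\Windows\explorer.exe", "192.0.2.10", 445, r"\\db\posdata"),
    Conn(r"C:\Windows\explorer.exe", "192.0.2.20", 445, r"\\files\public"),
    # Same program, different share on the DB server: still allowed, because
    # the share path is not part of the rule. Hence the dedicated DB server.
    Conn(r"C:\Program Files\POS\pos.exe", "192.0.2.10", 445, r"\\db\payroll"),
]

def evaluate(conns=SAMPLE):
    return [(c.app.rsplit("\\", 1)[-1], c.unc, decide(c)) for c in conns]
```
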
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #7

    Aug 1, 2006, 05:28 AM
    Quote Originally Posted by xmrchndize
    Thanks all, the information is appreciated. You have to understand my environment, I guess. You see, I employ some high school and college kids that know just enough about computers to get themselves in trouble. My main concern is the database. I back up the database regularly but I would still like a lil peace of mind. Thanks again
    I've dealt with this issue before. This is as much, if not more, an HR issue as an IT issue. Everyone you hire NEEDS to be given a statement of allowable computer use. It needs to be stated that any non-allowable use of the computer system will result in immediate termination and possibly criminal prosecution. Employees, whether they be temporary or not, need to understand that data such as POS and A/R are vital to the business and not for poking around in. You might be better off installing some monitoring software that shows who accessed certain folders and how.
    Northwind_Dagas Posts: 348, Reputation: 83
    Full Member
     
    #8

    Aug 1, 2006, 06:11 AM
    Quote Originally Posted by xmrchndize
    The program requires access to a network share folder housing the ms access database along with some other log files.
    Does the share have to be mapped? If not, how about using a hidden share?

    You said that some of the users know "just enough about computers to get themselves in trouble" so they would not likely find a hidden share.
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #9

    Aug 1, 2006, 06:49 AM
    Quote Originally Posted by Northwind_Dagas
    Does the share have to be mapped? If not, how about using a hidden share?

    You said that some of the users know "just enough about computers to get themselves in trouble" so they would not likely find a hidden share.
    Good point, but that probably depends on the program. Whether they coded UNC coding rather than mapped drives.
    Northwind_Dagas Posts: 348, Reputation: 83
    Full Member
     
    #10

    Aug 1, 2006, 06:57 AM
    Quote Originally Posted by ScottGem
    Good point, but that probably depends on the program. Whether they coded UNC coding rather than mapped drives.
    I realize that, thus my question "Does the share have to be mapped?"
