Verify that users have only the permissions that they need
Updated: July 22, 2009
Applies To: Windows SBS 2008, Windows Small Business Server 2011 Standard
You can help to secure the network by ensuring that users have only the permissions that they need to do their jobs and by limiting the use of accounts with network administrator rights and permissions.
Use the appropriate user roles for user accounts
Windows SBS 2008 comes with predefined user roles that are designed to give users only the level of access that they need. By reviewing the user role that is currently assigned to each user and by ensuring that users have only the minimum level of access that they need to perform their daily tasks, you can help reduce the chance that users will inadvertently delete important files or gain unintended access to an account with network administrator permissions.
Do not use network administrator accounts for daily work
Because user accounts that are based on the network administrator user role are very powerful, consider basing user accounts on the less powerful standard user role. By applying the network administrator user role when a user does not need the more powerful access privileges, you increase the chance that the user will inadvertently delete important files or gain unintended access to an account with network administrator permissions.
For instance, if a user on your network needs network administrator permissions for some tasks that they perform but does not need them for daily tasks, you can create two user accounts for the user. The first account is a typical user account for daily tasks, based on the standard user role. The second account is based on the network administrator role, which provides the user with unrestricted access to the domain. You should then instruct the user to use the account with administrator user permissions only to complete specified tasks.
Because the network administrator permissions allow a user to access the server for management tasks, having users adhere to the following procedures can help reduce unauthorized access to your network and the misuse of more powerful access privileges:
- Log on with your standard user account to perform daily tasks, not with a network administrator account.
- Do not leave a computer unattended while you are logged on using a network administrator account.
- Do not give others the password for a network administrator account.
- Do not leave a written record of the password for a network administrator account near the computer.
For information about user roles and how to assign or change user roles, see “Managing User Accounts in Windows Small Business Server 2008” at the Microsoft Web site (http://go.microsoft.com/FWLink/?LinkID=105808).
Assign Permissions to Shared Folders
When you limit users or groups of users access to shared folders on the server, you can help prevent an unauthorized user from accessing your company's data. By default, any shared folder that is created during Windows SBS 2008 installation is assigned permissions to help secure the shared folder. If you create additional shared folders on the server, ensure that the shared folders have only the permissions that are required by those who need to access the shared folders.