Can I create a new SQL Server user who can only view (read only) a specific view in my database? I don't want to allow this user to see/read/write anything else in the database.
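One way to do exactly that, as an added example that is not part of the original question: the permission work is T-SQL, driven here from PowerShell with the SqlServer module. The instance name SQL01, database Sales, view dbo.vw_OrderSummary and login viewreader are placeholders to replace with your own.

```powershell
# Added example, not from the original post: give a SQL Server login read access to
# exactly one view and nothing else. Assumed names (change them): instance SQL01,
# database Sales, view dbo.vw_OrderSummary, login viewreader.
# Needs the SqlServer PowerShell module (Install-Module SqlServer) and a connection
# that is sysadmin on the instance; run it from an admin workstation.
param(
    [string]$Instance = 'SQL01',
    [string]$Database = 'Sales',
    [string]$View     = 'dbo.vw_OrderSummary',
    [string]$Login    = 'viewreader'
)

Import-Module SqlServer

# Ask for the password instead of hard-coding it; double any single quote so it
# cannot break out of the N'...' literal in the script below.
$secure = Read-Host -Prompt "Password for $Login" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$plain = $plain.Replace("'", "''")

# Single-quoted here-string: the $(name) tokens are left alone by PowerShell and
# filled in by sqlcmd variable substitution (-Variable) at run time.
$tsql = @'
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(login)')
    CREATE LOGIN [$(login)] WITH PASSWORD = N'$(pwd)',
        CHECK_POLICY = ON, DEFAULT_DATABASE = [$(db)];
-- public normally holds VIEW ANY DATABASE; deny it so the login cannot even list
-- the other databases on the instance (it can still connect to its default one).
DENY VIEW ANY DATABASE TO [$(login)];

USE [$(db)];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$(login)')
    CREATE USER [$(login)] FOR LOGIN [$(login)];
-- The only grant. SELECT does not imply VIEW DEFINITION, so the view's text stays
-- hidden. The base tables need no grant: dbo owns both view and tables, so the
-- ownership chain lets the view read them while direct SELECT on a table fails
-- with error 229 for this user.
GRANT SELECT ON OBJECT::$(view) TO [$(login)];

-- Verify from the user's own point of view, then drop back to our identity.
EXECUTE AS USER = N'$(login)';
SELECT 'database' AS scope, permission_name FROM fn_my_permissions(NULL, 'DATABASE')
UNION ALL
SELECT 'view'     AS scope, permission_name FROM fn_my_permissions('$(view)', 'OBJECT');
-- Expect CONNECT at database scope, SELECT on the view, and no visible tables:
SELECT COUNT(*) AS visible_tables FROM sys.tables;
REVERT;
'@

Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $tsql `
    -Variable @("login=$Login", "pwd=$plain", "db=$Database", "view=$View") `
    -ErrorAction Stop | Format-List
```

The check at the end matters more than the grants: a fresh database user has nothing beyond what the public role carries, so if your public role has been handed extra rights over the years the impersonated listing will show them and you will want to revoke them from public rather than pile DENYs onto this one user.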
I am coming from the business side rather than from the IT side, but I have been asked to solve a business problem that I think is totally common nowadays, and I hope you can help me with some system admin solutions.
I need to know if my idea will work, and it would be very helpful if you could point out some problem areas that I need to consider.
We are a large international organization with a Microsoft infrastructure and about 200 staff who travel frequently. They typically use laptops we provide, but also they want to use their own devices (Bring Your Own Device = BYOD) such as iPads, Macintosh laptops, smartphones, Android tablets, you name it.
What I would like to say to our staff is this:
"Your work computer will be a laptop that you can take home with you or take abroad on your travels.
When you receive this computer it will come with a set of standard software installed, including anti-virus software. Thereafter you have admin rights over this laptop, you are completely responsible for everything on this computer, including backups, just as if it were your personal property. When you leave our organization, you turn your computer in.
"You store your work on your own computer, so you are responsible for backups. If you finish something that should be shared with your colleagues, you upload it to our corporate intranet online, and you let people know it’s there.
"When you come to the office, you will be able to plug your laptop into a docking station with a large-screen monitor and a keyboard. You can log into our network on your office computer, but not on any personal device.
"If you want to access the Internet or printers with any device other than your office laptop you can do so wirelessly."
What do you experienced System Administrators think of this approach? I know our staff would love me for it because they have some big problems with the security of our network, because they can't BYOD, they can install personal software on their laptops, getting software updates is a big hassle with the IT department, etc.
Thanks in advance for your help!
- Thom
quinet wrote: I know our staff would love me for it
And I suspect your IT department and company lawyers would hate you. IT security is a very serious business and in any corporate organisation it is important to keep good control in order to protect your financial and intellectual property. If you open up your corporate network so people can hook their own systems into it whenever they like, then you are likely to face some serious issues. However many promises people make and however many rules you ask them to follow, the system will be abused.
My advice, don't do it.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
Richard MacCutchan wrote: And I suspect your IT department and company lawyers would hate you. IT security is a very serious business and in any corporate organisation it is important to keep good control in order to protect your financial and intellectual property. If you open up your corporate network so people can hook their own systems into it whenever they like, then you are likely to face some serious issues. However many promises people make and however many rules you ask them to follow, the system will be abused. My advice, don't do it.
Depends on the network setup. At the customer site I work at, the wireless and office network are 2 distinct and separate connections to the Internet. When connected to the wireless there is no connectivity to the servers available unless you connect in via the VPN or have a Domain connected laptop that uses Direct Access to connect in from anywhere.
If the Wireless and Wired network are all running off the same Internet connection and internal network, then like you say, runaway.
Michael Martin
Australia
"I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible."
- Mr.Prakash One Fine Saturday. 24/04/2004
quinet wrote: "When you come to the office, you will be able to plug your laptop into a docking station with a large-screen monitor and a keyboard. You can log into our network on your office computer, but not on any personal device."
In addition to our desktops we employ this setup for our laptop users. This is becoming more common as power and memory capabilities are increasingly cheaper.
quinet wrote: "Your work computer will be a laptop that you can take home with you or take abroad on your travels. When you receive this computer it will come with a set of standard software installed, including anti-virus software. Thereafter you have admin rights over this laptop, you are completely responsible for everything on this computer, including backups, just as if it were your personal property. When you leave our organization, you turn your computer in."
Again this is a great idea, but I would advise using some form of encryption. BitLocker works well, but it depends on what OS you're currently using. There are other software-based encryption programs to use with legacy OSes. This can still create an issue, as users almost never do backups or willingly run AV scans. As long as you're using Active Directory you could push out Forefront and do BitLocker key recovery. They still download willy-nilly programs like RegReviver and whatnot, but this gives you a stance on giving them an ultimatum: either you behave with it, or we'll just re-image it when you screw it up. This tends to stop a lot of the BS downloaders, but not all of them.
quinet wrote: "If you want to access the Internet or printers with any device other than your office laptop you can do so wirelessly."
We do this as well and it works very well, as it exists on an external network. This can present some issues too if you're in a building close to other businesses or the public I guess. We're fortunate to be "out-of-town", but I think this would still be an answer for the BYOD'ers.
Something worth reading, albeit it's invincible!
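The BitLocker-plus-AD-key-recovery setup the reply above recommends, as an added example rather than the poster's own procedure. It assumes a current Windows client with the BitLocker PowerShell module (Windows 8 or later; Windows 7 only has manage-bde.exe), a TPM, a domain-joined machine, and a Group Policy that allows recovery information to be stored in AD DS; the mount point and cmdlet switches are the assumptions to check against your own image.

```powershell
# Added example, not from the original post: turn on BitLocker for the OS drive with
# a TPM protector plus a recovery password, and escrow that recovery password in
# Active Directory so IT can get into a laptop without relying on the user's backups.
# Assumes Windows 10 or later (BitLocker module, XTS-AES), a TPM, a domain-joined
# machine, and a GPO that permits "Store BitLocker recovery information in AD DS".
#Requires -RunAsAdministrator
Import-Module BitLocker

function Enable-LaptopBitLocker {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Verbose "$MountPoint is already protected; only refreshing the AD escrow"
    } else {
        # Recovery password first: if the TPM step fails there is still a way in.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        # TPM-only unlock is transparent to the user; add -Pin to demand a PIN at boot.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    }

    # Escrow every recovery-password protector to the computer object in AD DS.
    # Backup-BitLockerKeyProtector fails if the GPO does not allow AD backup, which
    # is the check you want: no escrow, no quiet success.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # What the helpdesk needs: the recovery key IDs are what the user reads off the
    # recovery screen, and ProtectionStatus 'On' is the pass mark.
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
    }
}

Enable-LaptopBitLocker -MountPoint 'C:' -Verbose
```

Encryption runs in the background after Enable-BitLocker returns, so VolumeStatus will read EncryptionInProgress for a while; what you care about on hand-out day is that ProtectionStatus is On and that the recovery password is visible on the computer object in AD before the laptop leaves the building.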
I just tried using Remote Desktop Connection today, accessing important apps on my desktop from my laptop, and it works great. But that was between rooms, using my home workgroup and the desktop computer name as the target, connecting over the wireless LAN. Now I want to go to the next level, and do the same over the Internet. The MS instructions fall a little short of covering that configuration. Here's my setup:
Internet -> cable modem/router -> Cisco/Linksys E4200 wireless router -> Wired connection to desktop, wireless to laptop.
The only routable IP address in the lot is the WAN address on the E4200, which is bridged from the cable modem. It's dynamic, and that could be a problem, but it wouldn't be too difficult to write a service on my website to allow me to look up the current IP address anytime I'm travelling. It hasn't changed in a couple of years, so that's not an immediate concern. What is a concern is that I don't know how to configure the laptop to connect to the home IP address, nor what ports and services I need to enable on the router to move RDC traffic from the router to the desktop, and back to the laptop in my hotel 300 miles away.
Can someone point me to the information I need to accomplish this?
Will Rogers never met me.
Services like dyndns.org allow you to get your IP address from a name, thus you can do a ping your-computer-name.dyndns.org .
To get from the internet into your private home network, you must configure port forwarding on the router.
Thanks... I found a website with instructions. There wasn't a whole lot of info from MS about which ports and protocols to enable, but the site gives a few clues.
Roger Wright wrote: Thanks... I found a website with instructions. There wasn't a whole lot of info from MS about which ports and protocols to enable, but the site gives a few clues.
Roger, port 3389 is what you want for RDP but I would not want to open that up on my router and expose my network to the internet.
I'd seriously look at getting a little, low power, low heat output box, put a Linux Distro on it and SSH to the Linux Box (reasonably locked down) and SSH Tunnel through it to the Windows Boxen, Routers, Website stuff like your USB HDD.
I reckon you could easily work it out, but I could happily help you through, even give you a call on a landline (if you have one) 'cause I can call you Yanks for free except for mobiles.
Michael Martin
Australia
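The SSH-tunnel arrangement Michael describes (and the dynamic-DNS lookup from the earlier reply), from the laptop's side, as an added example that is not part of the thread. Assumptions: the router forwards only TCP 22 to a Linux box on the LAN and nothing to 3389; the home WAN address has a dynamic-DNS name (home.example.dyndns.org is a placeholder); the laptop has the Windows OpenSSH client (Windows 10 1809 or later), key-based login to the Linux box, and that box's host key already in known_hosts from a session run at home. The user name, LAN address and local port are placeholders.

```powershell
# Added example, not from the original posts: reach the home desktop's RDP through
# an SSH tunnel instead of exposing TCP 3389 on the router. Only TCP 22 to the
# Linux box is ever visible from the Internet; RDP travels inside SSH.
function Connect-HomeRdp {
    [CmdletBinding()]
    param(
        [string]$Bastion   = 'home.example.dyndns.org',  # placeholder DynDNS name of the router
        [string]$SshUser   = 'roger',                    # placeholder account on the Linux box
        [string]$Desktop   = '192.168.1.10',             # placeholder LAN address of the RDP host
        [int]   $LocalPort = 13389                       # loopback port on the laptop
    )

    # Fail early if the name does not resolve; a stale DynDNS record is the usual
    # reason "it worked last week".
    $wan = (Resolve-DnsName -Name $Bastion -Type A -ErrorAction Stop).IPAddress |
        Select-Object -First 1
    Write-Verbose "$Bastion currently resolves to $wan"

    # -N: no remote shell, tunnel only. Binding -L to 127.0.0.1 keeps the tunnel
    # off the hotel Wi-Fi. StrictHostKeyChecking=yes turns an unexpected host key
    # (an intercepting proxy on the hotel network) into a hard failure, not a prompt.
    $sshArgs = @(
        '-N',
        '-o', 'StrictHostKeyChecking=yes',
        '-o', 'ExitOnForwardFailure=yes',
        '-o', 'ServerAliveInterval=30',
        '-L', "127.0.0.1:${LocalPort}:${Desktop}:3389",
        "$SshUser@$Bastion"
    )
    $ssh = Start-Process -FilePath 'ssh.exe' -ArgumentList $sshArgs -PassThru -WindowStyle Hidden

    # Wait for the local listener instead of racing it with mstsc.
    $ready = $false
    for ($i = 0; $i -lt 20 -and -not $ready; $i++) {
        Start-Sleep -Milliseconds 500
        if ($ssh.HasExited) {
            throw "ssh exited with code $($ssh.ExitCode); check the key, user name and host key"
        }
        $ready = (Test-NetConnection -ComputerName 127.0.0.1 -Port $LocalPort `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    if (-not $ready) {
        Stop-Process -Id $ssh.Id
        throw "tunnel never came up on 127.0.0.1:$LocalPort"
    }

    # RDP client talks to the loopback end of the tunnel; tear the tunnel down when
    # the session window closes.
    try   { Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait }
    finally { Stop-Process -Id $ssh.Id -ErrorAction SilentlyContinue }
}

Connect-HomeRdp -Verbose
```

On the Linux side the lockdown is the usual sshd_config set: PasswordAuthentication no, PermitRootLogin no, AllowUsers limited to the one account, and AllowTcpForwarding left on for that account only, since the tunnel is the whole point. Rotating the router to a non-default external port for SSH cuts log noise but is not a security control; the key-only login is.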
Michael Martin wrote: Roger, port 3389 is what you want for RDP but I would not want to open that up on my router and expose my network to the internet.
My 5 to point this out.
Yesterday I would probably have pointed out that RDP is one of the safest protocols around. And that it probably isn't a safety problem to consider.
But today I think I'll pass.
Quite right, Michael, but I just had to try it. I don't have the time to set up a Linux box, but I might one day.
A reasonably safe option is to set up a VPN connection to use when travelling, and Win7 supposedly supports that. But following the step-by-step instructions presented in Help simply doesn't work. I have no clue why, since Microsoft won't tell you what needs doing, but insists on providing a friendly, if retarded, "wizard" to do everything wrong for you.
Roger Wright wrote: I don't have the time to set up a Linux box, but I might one day
If you're willing to use CentOS (Red Hat Enterprise Linux with the copyright stuff pulled out, but built from the same source) I can send you a Word document on how to set it up exactly as I have. The joy of SSH is it is completely encrypted end to end.
Roger Wright wrote: A reasonably safe option is to set up a VPN connection to use when travelling, and Win7 supposedly supports that. But following the step-by-step instructions presented in Help simply doesn't work. I have no clue why, since Microsoft won't tell you what needs doing, but insists on providing a friendly, if retarded, "wizard" to do everything wrong for you.
The VPN Connection is easy to setup on Windows 7 (has been since XP) but do you have the VPN to connect to? Does your Router have a VPN built into it and is it activated? Otherwise you will need one running on your Windows 2008 R2 box and I'm not sure if one is built in or if it needs to be 3rd party.
Michael Martin
Australia
According to the "documentation" provided by Win7 Help, a separate server shouldn't be required. One little wizard configures the host machine, the other does the remote. My router doesn't have a VPN server in it, but I've enabled VPN passthrough to let the little buggers through. On making the connection, the authentication works - at least it completes without announcing any errors - then it proceeds to invoke a couple of miniport drivers, then just times out. The most informative I've been able to get from it is that the host didn't respond. Very curious...
I do have an old PC that I could use for Linux, so if you'd like to send along your instructions I'll give them a look. Thanks, Michael!
I'll pull it out, clean it up and send it across in the next couple of days.
Michael Martin
Australia
Roger Wright wrote: I have no clue why, since Microsoft won't tell you what needs doing, but insists on providing a friendly, if retarded, "wizard" to do everything wrong for you.
This is the funniest thing I have read today. This is the real way to complain about something!
If it moves, compile it
Michael Martin wrote: I'd seriously look at getting a little, low power, low heat output box, put a Linux Distro on it and SSH to the Linux Box (reasonably locked down) and SSH Tunnel through it to the Windows Boxen, Routers, Website stuff like your USB HDD.
Sounds like fodder for a good article!
The difficult we do right away...
...the impossible takes slightly longer.
Richard Andrew x64 wrote: Sounds like fodder for a good article!
About 3 years ago I mentioned on here that I would do exactly that, including SAMBA for file sharing and such, still haven't pulled the finger out.
Michael Martin
Australia
You could do what others have suggested or just get a subscription to https://logmein.com/
From WIKI (logmein is blocked at my company)
LogMeIn remote access products use a proprietary remote desktop protocol that is transmitted via SSL. An SSL certificate is created for each remote desktop and is used to cryptographically secure communications between the remote desktop and the accessing computer.[4]
Users access remote desktops using either the LogMeIn Ignition stand-alone application or a web portal. The web portal requires either an ActiveX plugin for Internet Explorer, or an extension for Firefox (the LogMeIn plug-in for Firefox), or an extension for Safari (the LogMeIn plug-in for Safari), failing that it falls back to requiring Java in order to run a Java program,[5] and failing that it falls back to "a screen-shot-based HTML remote control".[6] The web portal also provides status information for the remote computers and, optionally, remote computer management functions.
The service connects the remote desktop and the local computer using SSL over TCP or UDP and utilizing NAT traversal techniques to achieve peer-to-peer connectivity when available.[4][7][8]
Common sense is admitting there is cause and effect and that you can exert some control over what you understand.
I'm not sure where this goes, but this is the closest forum I could find to what I wanted/meant.
I have been having lots of issues with my XP box at the office. We've tried many things, including a new NIC. It seems to do everything slower than its older counterparts.
Next thing we are going to try is a registry cleanup. I don't know any good ones. Suggestions? Any free ones would be good, mostly since we are not sure it will even work.
Start with CCleaner; it was free and seems to do okay.
Easy enough to install and use. It'll take me a couple of days with some of our normal processes to test, but stuff seems to be a bit snappier already.
I was surprised at how many issues I had in my registry. I know nothing of the MS registry.
Well, it seemed to work for some things. Including boot/startup time, browser speed, and programs opening.
However, that was not my problem
It's whenever I do things like spreadsheet processing, VB6 modules, etc. These exact programs work with the same data, in all situations, faster on the other computers with smaller specs. This one is just slow for some reason, and I can't figure out why.
Thus the "Start with".
I am not an expert, but thought the tip might help.