How to allow secure remote access

We are running Small Business Server 2003 Premium and we have Exchange and our companyweb intranet site up and running. However, we have an accountant who will be updating our QuickBooks company files periodically, so I need to give her secure access to our network.

What is the most secure way of allowing a remote partner access to a single file on my network?

Thanks in advance,

Mervin Williams

Mervin Williams wrote:
> We are running Small Business Server 2003 Premium and we have
> Exchange and our companyweb intranet site up and running. However,
> we have an accountant who will be updating our QuickBooks company
> files periodically, so I need to give her secure access to our
> network.
> What is the most secure way of allowing a remote partner access to a
> single file on my network?
>
> Thanks in advance,
>
> Mervin Williams

You can use IPSEC for best security on your server.

--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager

--------------------------------------------------------------------
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to supporto.informat***@degennaro.biz
Thank you
--------------------------------------------------------------------

My question is what is the best complete approach to setting up secure access to a file for a remote partner?

Mervin Williams

"Giuseppe Nacci" <giuseppe.na***@degennaro.biz> wrote in message news:uBhdWK0gFHA.3940@tk2msftngp13.phx.gbl...
> You can use IPSEC for best security on your server.

A "single" file... hmmm that's a bit harder.
As a CPA I use something called Quickbooks remote access based on Webex.. I send an email asking for remote access, the client approves it... a file transfer location is set up and only files dropped into that location are allowed to be transferred to me. When the transaction closes, so does the remote access. It's only unique to that session.

IPsec .. get real... great on paper.. not down to the masses for us SBSers.. I'm sorry but it's not.

Mervin Williams wrote:
> My question is what is the best complete approach to setting up secure
> access to a file for a remote partner?
>
> Mervin Williams

--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx

Hi Mervin
The most secure way is going to depend on many factors! The most secure is to Fedex her a CD for her to return but this is not operationally satisfactory. How is QB setup? Multiuser sharing Data on Server? Terminal Server on Member Server with Enterprise version? Some more details are important. QB is inherently not safe anyway without special security precautions since they require Administrative Privileges on the WS. I would suggest that you setup a special user account for her and limit her login to server and one WS. The server is required for RWW to work but will not actually allow her to login to server. Then have her use RWW to login with Https to that WS.

--
Frank McCallister SBS MVP
COMPUMAC

"Mervin Williams" <mwilli***@innovasolutions.net> wrote in message news:OHfOlA0gFHA.2152@TK2MSFTNGP14.phx.gbl...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an
> accountant who will be updating our QuickBooks company files periodically,
> so I need to give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a
> single file on my network?
>
> Thanks in advance,
>
> Mervin Williams

You mention that I should create a limited account for her with access only to the server and one workstation. Specifically:

1. What groups should her account belong?
2. What permissions should her account have?
3. How do I configure her login to only access the server and one workstation?

Thanks,

Mervin Williams

"Frank McCallister SBS MVP" <anonymous> wrote in message news:O1%23woO0gFHA.1468@TK2MSFTNGP14.phx.gbl...
> Hi Mervin
>
> The most secure way is going to depend on many factors! The most secure is
> to Fedex her a CD for her to return but this is not operationally
> satisfactory. How is QB setup? Multiuser sharing Data on Server? Terminal
> Server on Member Server with Enterprise version? Some more details are
> important. QB is inherently not safe anyway without special security
> precautions since they require Administrative Privileges on the WS. I would
> suggest that you setup a special user account for her and limit her login
> to server and one WS. The server is required for RWW to work but will not
> actually allow her to login to server. Then have her use RWW to login with
> Https to that WS.
>
> --
> Frank McCallister SBS MVP
> COMPUMAC

we have a similar scenario
1. Create a GROUP just for the Account person i.e. ACCOUNTQB
2. Create the accountants user account with only membership to ACCOUNTQB
   Make sure you give her remote access rights in the account profile and under Routing and Remote Access Policy
3. create a share to that file directory i.e. QUICKBOOKS adding ACCOUNTQB group full access rights

the accountant will need to create a drive map to the drive share or give them a script to run

NET USE Z: \\computername\QUICKBOOKS /PERSISTENT:NO

couple of other things

INTUIT now has an on-line version and an online sharing version; and you don't trust your accountant enough!

Mark Masiak
devlinfisher*

"Mervin Williams" wrote:
> You mention that I should create a limited account for her with access only
> to the server and one workstation. Specifically:
>
> 1. What groups should her account belong?
> 2. What permissions should her account have?
> 3. How do I configure her login to only access the server and one
> workstation?
>
> Thanks,
>
> Mervin Williams

Hi Mervin
Single file ? I assume you mean the quickbooks database file. To access this she needs to run the program.

Either let her TS into the server locking everything down for that user account you give her.

Or VPN, as Giuseppe says and IPSEC being more secure than PPTP. Need to setup shared folder to Quickbooks that she connects to but more configuration for you that would really need you to visit her to setup.

Finally could let her RWW to server then pop over to a workstation (needs XP) then she can run it as if she was in office. This being the preferable route. Again locking down pc so she can only use quickbooks. Consider whether she is allowed email account.

--
Thinking of upgrading .. COOL... http://www.sbsmigration.com

www.smallbizserver.net (2000 and 2003)

microsoft.public.backoffice.smallbiz2000 (2000 NG)

microsoft.public.windows.server.sbs (2003 NG)

http://groups.google.com/groups?hl=en&safe=off&group=microsoft.public.backoffice.smallbiz2000

http://groups.google.com/groups?hl=en&lr=lang_en&ie=UTF-8&safe=off&group=microsoft.public.windows.server.sbs

http://www.sbslinks.com/

"Mervin Williams" <mwilli***@innovasolutions.net> wrote in message news:OHfOlA0gFHA.2152@TK2MSFTNGP14.phx.gbl...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an
> accountant who will be updating our QuickBooks company files periodically,
> so I need to give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a
> single file on my network?
>
> Thanks in advance,
>
> Mervin Williams

DO NOT 'let her TS into the server locking everything down', it's SBS 2003 and there are numerous reasons for not doing this.

like:
I'm gonna let some outside party TS to my root DC. YEAH RIGHT.
SBS2003 cannot be put into TS Application mode.
No DC can be properly secured to support TS App mode users.

I'd also not expect great performance with her opening the QB database through a VPN. Might be OK if it's a small database.

Leaves RDP through RWW, to either an XP ws or a separate TS.

"Bill Swan" <bill@nospamfirstresponseit.co.uk> wrote in message news:ORW8xR0gFHA.2916@TK2MSFTNGP14.phx.gbl...
> Hi Mervin
>
> Single file ? I assume you mean the quickbooks database file. To access
> this she needs to run the program.
>
> Either let her TS into the server locking everything down for that user
> account you give her.
>
> Or VPN, as Giuseppe says and IPSEC being more secure than PPTP. Need to
> setup shared folder to Quickbooks that she connects to but more
> configuration for you that would really need you to visit her to setup.
>
> Finally could let her RWW to server then pop over to a workstation (needs
> XP) then she can run it as if she was in office. This being the preferable
> route. Again locking down pc so she can only use quickbooks. Consider
> whether she is allowed email account.

In article <#AqFma0gFHA.2***@TK2MSFTNGP15.phx.gbl>, not@your.nellie
says...
> Leaves RDP through RWW, to either an XP ws or a separate TS.

No, it leaves RDP through a VPN (even PPTP) connection, and since RDP uses 30kbps, that means there is plenty of capacity on a slow connection with the overhead of a VPN.

The best method would be to have them VPN into the network, limit them to ONE COMPUTER, they login to the computer using RDP, do their work on it, then log out - no files left on their home computer to be filched if compromised.

--
--
spam999free@rrohio.com
remove 999 in order to email me

PFFFFT, I'm going to let some accountant bring her PC into my IP subnet. A PC I have no control over. A PC on which I don't even know if there is AV, let alone up-to-date AV.

Well, OK, the OP has SBS2003 Premium, so if he has gone to ISA2004 he can explore quarantine VPN (not something I've had time to do yet).

Sure, limit the user ID, not only with 'logon to' only the specific RDP session host but file privileges which only allow the QB database to be accessed. But bring them in via RWW, and you might want to hack the RWW RDP connection page to not allow 'connect my local drives', either Ray Fong or Sean Daniel blogged the hack, shame, I don't think you can do it on a per user basis.

The best method of giving anyone access to your SBS2003 network from outside is a locked down separate TS accessed _only_ through RWW.

"Leythos" <v***@nowhere.lan> wrote in message news:MPG.1d3781039438e8b998999c@news-server.columbus.rr.com...
> No, it leaves RDP through a VPN (even PPTP) connection, and since RDP
> uses 30kbps, that means there is plenty of capacity on a slow connection
> with the overhead of a VPN.
>
> The best method would be to have them VPN into the network, limit them
> to ONE COMPUTER, they login to the computer using RDP, do their work on
> it, then log out - no files left on their home computer to be filched
> if compromised.

In article <e5wV0u0gFHA.1***@TK2MSFTNGP09.phx.gbl>, not@your.nellie
says...
> PFFFFT, I'm going to let some accountant bring her PC into my IP subnet. A
> PC I have no control over. A PC on which I don't even know if there is AV,
> let alone up-to-date AV.

I think you missed part of my post - I said VPN and allow RDP only to the IP of the machine she can access - this means that you only allow 3389 to the specific port, not anything else. I don't know if ISA can allow a VPN and then lock them into a single port/IP, but every firewall appliance we use can. You don't have to worry about them at that point.

Actually, I would rather they use VNC through a VPN with an IP:port to IP:port restriction, since VNC won't let them copy from their machine to the remote machine.

> Well, OK, the OP has SBS2003 Premium, so if he has gone to ISA2004 he can
> explore quarantine VPN (not something I've had time to do yet).
>
> Sure, limit the user ID, not only with 'logon to' only the specific RDP
> session host but file privileges which only allow the QB database to be
> accessed. But bring them in via RWW, and you might want to hack the RWW RDP
> connection page to not allow 'connect my local drives', either Ray Fong or
> Sean Daniel blogged the hack, shame, I don't think you can do it on a per
> user basis.

We have a number of small shops that do the QB/Quicken thing remotely - they VPN (simple PPTP) into the firewall, then they connect to the local (not exposed to the internet) FTP service with a user/password, which leaves them only able to access FTP to the IP of the FTP service and then only to the folder that contains the QB file - they copy their QB backup file there and the office manager restores it the next day (or as needed). There is no chance of an accountant's compromised computer infecting the LAN since they don't have exposed ports (the firewall prevents by only allowing FTP ports/mapping through the PPTP session).

In case you hadn't noticed, I'm overly aggressive about security - and I've never had a network (client or personal) compromised, and I plan on keeping it that way.

> The best method of giving anyone access to your SBS2003 network from outside
> is a locked down separate TS accessed _only_ through RWW.

I just don't see the benefit of RWW when every XP computer has the ability to PPTP or IPSec tunnel. Since we never use ISA, all of our firewalls are setup to authenticate users at the firewall and then we impose IP:PORT restrictions based on their need and the firewall access does not give them domain access, only access to the specific internal IP (or IP RANGE) they need and their firewall account/password is not linked to the domain in any way - two different authentications needed.

The appliances also come with remote vpn connection software that we can use to restrict the users' connections from their remote machine and lock them down even more.

--
--
spam999free@rrohio.com
remove 999 in order to email me

SuperGumby [SBS MVP] wrote:
> DO NOT 'let her TS into the server locking everything down', it's SBS 2003
> and there are numerous reasons for not doing this.
>
> like:
> I'm gonna let some outside party TS to my root DC. YEAH RIGHT.
> SBS2003 cannot be put into TS Application mode.
> No DC can be properly secured to support TS App mode users.

So how do you prevent it? While SBS does not generally allow unprivileged users to login at the console, it is quite happy to allow it over RWW. As I write, I am logged into an SBS on an unprivileged account. I am limited by NTFS file and folder permissions, but I've no doubt many people know how to elevate privileges once logged into the server. I have confirmed that this account is a normal user, and I definitely can't login at the physical keyboard. The four accounts allowed to connect in are all unprivileged, I don't allow the domain admin accounts to connect from outside.

In article <OHfOlA0gFHA.2***@TK2MSFTNGP14.phx.gbl>, mwilli***@innovasolutions.net says...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an accountant
> who will be updating our QuickBooks company files periodically, so I need to
> give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a single
> file on my network?
>
> Thanks in advance,

Create a VPN connection and then only permit remote desktop ports to access the company network through the VPN - this means they can run RD to one Workstation that's setup for QB and that they can't do anything that anyone in the office can't do.

Another method would be to give them VPN access and provide them with IP access to one system in order to copy files to, but that's more of a risk if their home machine is compromised.

--
--
spam999free@rrohio.com
remove 999 in order to email me

That CPA won't have a clue on how to do this.
Leythos wrote:
> Create a VPN connection and then only permit remote desktop ports to
> access the company network through the VPN - this means they can run RD
> to one Workstation that's setup for QB and that they can't do anything
> that anyone in the office can't do.
>
> Another method would be to give them VPN access and provide them with IP
> access to one system in order to copy files to, but that's more of a
> risk if their home machine is compromised.

--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx

http://quickbooks.intuit.com/commerce/catalog/product.jhtml?view=overview_how&prodId=prod0000000000007975030

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> That CPA won't have a clue on how to do this.

--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx

In article <uIofr#3gFHA.3***@TK2MSFTNGP09.phx.gbl>, sbrad***@pacbell.net
says...
> That CPA won't have a clue on how to do this.

Sure they do - we sent them clear instructions and FileZilla already configured for them. It takes about 5 minutes to setup and get it working - most times they don't even have to call for help.

--
--
spam999free@rrohio.com
remove 999 in order to email me

Not without your filezilla.

You said it yourself.

Leythos wrote:
> Sure they do - we sent them clear instructions and FileZilla already
> configured for them. It takes about 5 minutes to setup and get it
> working - most times they don't even have to call for help.

--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx

The most secure way (assuming we are using only tools native to Win2003) would be to implement a VPN, use ACL's, Share Permissions, and NTFS Permissions to ensure the CPA can only access the one file (which should be a copy of your original file).

"Mervin Williams" <mwilli***@innovasolutions.net> wrote in message news:OHfOlA0gFHA.2152@TK2MSFTNGP14.phx.gbl...
> We are running Small Business Server 2003 Premium and we have Exchange and
> our companyweb intranet site up and running. However, we have an accountant
> who will be updating our QuickBooks company files periodically, so I need to
> give her secure access to our network.
>
> What is the most secure way of allowing a remote partner access to a single
> file on my network?
>
> Thanks in advance,
>
> Mervin Williams
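
The account setup discussed in the thread (a dedicated group and account, a logon limited to the server and one workstation, and NTFS plus share permissions on a copy of the file) as a Windows command script. This is an added example, not posted by any participant: the account, folder, server and workstation names are hypothetical placeholders, ACCOUNTQB and QUICKBOOKS are the names used in the thread, and the /GRANT switch of net share is assumed to be available on the installed version.

```batch
@echo off
rem Added example, not from the thread. Run on the SBS server (the domain
rem controller), so "net group" and "net user" act on domain accounts.
rem All names are hypothetical except ACCOUNTQB and QUICKBOOKS.
setlocal
set QB_GROUP=ACCOUNTQB
set QB_USER=qbaccountant
set QB_SHARE=QUICKBOOKS
set QB_DIR=D:\QuickBooksPartner
set SBS_SERVER=SBSSERVER
set QB_WS=QBWS01

rem 1. Dedicated global group for the outside accountant.
net group %QB_GROUP% /add /comment:"External accountant, QuickBooks only"
if errorlevel 1 goto fail

rem 2. Dedicated account. "*" prompts for the password so it is never
rem    stored in the script. /workstations limits where the account may
rem    log on: the server (needed for RWW, per the thread) and one PC.
net user %QB_USER% * /add /comment:"External accountant" /workstations:%SBS_SERVER%,%QB_WS%
if errorlevel 1 goto fail
net group %QB_GROUP% %QB_USER% /add
if errorlevel 1 goto fail

rem 3. Folder holding the COPY of the company file, not the original.
if not exist "%QB_DIR%" mkdir "%QB_DIR%"

rem 4. NTFS: add Change (modify) for the group. /E edits the existing ACL
rem    instead of replacing it; /T applies to files and subfolders.
cacls "%QB_DIR%" /T /E /G %USERDOMAIN%\%QB_GROUP%:C
if errorlevel 1 goto fail

rem 5. Share permission for the group only. Over the network the effective
rem    right is the more restrictive of share and NTFS permissions.
rem    ASSUMPTION: this net share supports /GRANT. If it does not, create
rem    the share without it and set the permission on the Sharing tab.
net share %QB_SHARE%="%QB_DIR%" /GRANT:%USERDOMAIN%\%QB_GROUP%,CHANGE /remark:"QuickBooks copy for external accountant"
if errorlevel 1 goto fail

rem 6. Verify. Check "Workstations allowed" in the account listing, and
rem    look in the cacls output for broad inherited entries (for example
rem    Users or Everyone) that still reach this folder.
net user %QB_USER%
cacls "%QB_DIR%"
net share %QB_SHARE%

rem 7. For the RDP route, run this ON the workstation itself:
echo On %QB_WS% run: net localgroup "Remote Desktop Users" %USERDOMAIN%\%QB_USER% /add
goto end

:fail
echo A step failed; review the output above before retrying.
exit /b 1

:end
endlocal
```

The cacls step only adds the group's entry; any inherited entries it lists for other groups have to be removed in the folder's Security tab before the file is limited to the accountant.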