Keeping the Windows Server logged on

After powering on and logging on the Windows Server, many administrators just keep it logged on. If we need to access the server desktop, we need to type the logged on user's password anyway.

An auditor comments that it must be logged off.

Is it necessary to keep logging on, why and why not?

 

All proper server software will run as a service. It therefore does not need a user logged on to start or use the software. Software running as a service is made available independently of the user GUI.

Unfortunately, there are a number of software applications that pretend they are server applications but do not run as a service and have to be run from within a user GUI. These we will call Noddy applications.

If you are a very lucky IT manager, you will be able to run your servers without any Noddy software. In this case there is no reason to have anyone logged on to the server. As running a logged on user both makes it easier for someone to tamper with the server, and uses system resources, it is advisable to run the server with no one logged on. You log on to change something on the server or monitor/check something and then log off. (I won't mention the people who let a user use the network server as their desktop PC beyond stating that it is a particularly foolish thing to do and I'll assume the people reading this aren't so foolish).

If you are a reasonably lucky IT manager, there may be a couple of Noddy applications you need to run, but you'll be able to apply a hack to them (for example the NT resource kit INSTSRV) so that they will run as a service. As they run as a service, again no need to log on.

Unfortunately, many Noddy applications won't work when hacked to run as a service. In this case you have to have a user logged on. However, this doesn't have to be a user connected directly to the server. With Server 2003, you can run a terminal user session and have the Noddy applications running in that session. That means you can manage the Noddy applications remotely via that terminal session, and it shouldn't get in the way of other users accessing the server to carry out maintenance tasks.

Therefore, if you can avoid Noddy applications, you don't need to log on to the physical server terminal and shouldn't except when carrying out maintenance tasks. Even with Noddy application, there are ways of avoiding having a user logged on.

 

Hi Ivan Reg

Reg I like it when you talk like that!

And I don't mean the British accent!

Excellent explanation Reggie!

Also Ivan, no offence if you already knew this! But create another Admin account I usually use Supervisor and never use the Built in Administrator account except in an emergency.

Any other account and profile can be deleted the profile removed etc then rebuilt. But get real damage to the original Admistrator account and it ususally can not be repaired! This advice is not just for Server but any NT based stand alone client or Server!

If you ever see any account (admin or user) that has an added extension that was not there before then the profile was blown.

Example: Bob now becomes Bob.server (the .server part can be anything usually the ComputerName) then that profile has been damaged and windows has tried to the best of it's ability to repair it so the user can still operate.

If that happens to the real Administrator account it may still work but there "could" be missing data or other issues!

So try not to have the real Administrator up where it can be caught by a power failure or malware or Virus. Use it only long enough to fix issues like the above

Mike

 

Hi Mike,

thanks for your info. Correct me if I got it wrong. The built-in administrator account will be "suppressed" before Windows Server 2008 but not deleted, and it should be totally "removed" in WS 2008, after installation, that I hearsay.

Besides, I just wanna see if I can improve the relationship between an Auditing Director (no IS audit background) and the sys admin mgr.

 

If you don't want to delete the Administrator account you can always disable it for a while until you are happy that it is safe to delete.

By the way, all praise for my postings are gratefully received. However, you may regret encouraging my ramblings, as I do enjoy prevaricating about the bush (in the word of many wise words: Wallace).