Answered by:
What would be the best way to give administrators the ability to administer a server remotely through Terminal Services?

Question
-
hi guys
i started preparing for 70-290 exam,i faced with a question that dont understand from MCSA/MCSE Self-Paced Training Kit (Exam 70-290) book
-----------------
the question is:
What would be the best way to give administrators the ability to administer a
server remotely through Terminal Services?
correct answer:
Create a separate, lower-authorization user account for Administrators to use
daily, and place that account in the Remote Desktop For Administration
Group.
Description
The correct answer is c. It is a best practice to log on using an account with minimal creden-
tials, then to launch administrative tools with higher-level credentials using Run As.
-------------
should we create a user account for Administrators and place that account in the Remote Desktop Groups?
if so why would we do that if Administrators still can use remote desktop with administrator account?
so confused
and what about Description
sorry for this stupid answer
MCSA- Changed type Niall MerriganMVP Wednesday, August 3, 2011 7:44 AM It is one
- Changed type Niall MerriganMVP Wednesday, August 3, 2011 7:44 AM It is one
Tuesday, August 2, 2011 2:58 PM
Answers
-
Thanks for posting the other answer choices. My thoughts:
- Avoid "do nothing" answers. In general, real certification exams shy away from those types of answers. Practice exams, which generally have a lower quality question and answer set, often break the typical certification exam rules. In "real life" - you might choose to do nothing. In a test scenario, you'd really boil it down to the answer choice in your original post and the final answer choice listed above.
- Regarding your question - "why do this?" - I can think of a few scenarios (albeit contrived): with the lower-authorization account, the administrator may be able to perform some of his administrative duties (so in some circumstances, he can perform a task without having to elevate to his admin account). Or, in some scenarios, the administrator may only be checking a configuration or the status of a service or task (and not making any changes) - so by having him use the lower-authorization account, you minimize risk. In "real life" - the idea is to minimize the damage if an account is compromised. If an attacker compromises my standard/non-admin account, potential damage is limited while if an attacker compromises my Domain Admin account, he owns everything immediately (whereby with my non-domain account, it will take some extra time). By using the non-admin account wherever I can, I can reduce the likelihood of an account compromise.
Brian
- Edited by Brian Svidergol Tuesday, August 2, 2011 9:51 PM TYPO FIX
- Marked as answer by Niall MerriganMVP Wednesday, August 3, 2011 7:44 AM
Tuesday, August 2, 2011 9:28 PM -
I don't really like the question. But others might! This question would be better if it didn't focus on RDP sessions. Here are my thoughts:
- In general, it is a good practice to use the least privileged account to perform a task. In many environments, it is common to see administrators have a standard account (email, web surfing) and an administrative account (for performing configuration changes, etc.). Typically, in such environments, I see the administrators connecting to servers via RDP by using their administrative account. So while I see the value of part of the answer (create separate lower-authorization account for daily administrator use) - I don't see much value in using that account as the RDP account for initial connectivity.
- From a testing perspective, it would be helpful to see all of the answer choices. Sometimes, even though an answer doesn't sound perfect, it is the best answer choice available. So when preparing to take an exam, always focus on the best answer choice from the available answer choices.
Brian
- Marked as answer by Niall MerriganMVP Wednesday, August 3, 2011 7:44 AM
Tuesday, August 2, 2011 8:53 PM
All replies
-
I don't really like the question. But others might! This question would be better if it didn't focus on RDP sessions. Here are my thoughts:
- In general, it is a good practice to use the least privileged account to perform a task. In many environments, it is common to see administrators have a standard account (email, web surfing) and an administrative account (for performing configuration changes, etc.). Typically, in such environments, I see the administrators connecting to servers via RDP by using their administrative account. So while I see the value of part of the answer (create separate lower-authorization account for daily administrator use) - I don't see much value in using that account as the RDP account for initial connectivity.
- From a testing perspective, it would be helpful to see all of the answer choices. Sometimes, even though an answer doesn't sound perfect, it is the best answer choice available. So when preparing to take an exam, always focus on the best answer choice from the available answer choices.
Brian
- Marked as answer by Niall MerriganMVP Wednesday, August 3, 2011 7:44 AM
Tuesday, August 2, 2011 8:53 PM -
thanks for reply and yes you right .i forgot to write others answer ,here they are
- Don’t do anything; they already have access because they are administrators.
- Remove the Administrators from the permission list on the Terminal Server
connection, and put their administrator account in the Remote Desktop For
Administration Group.
i prefer choosing first answer because really i dont get it, why should we create another account for an expert like administrator to use RDP?
MCSATuesday, August 2, 2011 9:19 PM -
Thanks for posting the other answer choices. My thoughts:
- Avoid "do nothing" answers. In general, real certification exams shy away from those types of answers. Practice exams, which generally have a lower quality question and answer set, often break the typical certification exam rules. In "real life" - you might choose to do nothing. In a test scenario, you'd really boil it down to the answer choice in your original post and the final answer choice listed above.
- Regarding your question - "why do this?" - I can think of a few scenarios (albeit contrived): with the lower-authorization account, the administrator may be able to perform some of his administrative duties (so in some circumstances, he can perform a task without having to elevate to his admin account). Or, in some scenarios, the administrator may only be checking a configuration or the status of a service or task (and not making any changes) - so by having him use the lower-authorization account, you minimize risk. In "real life" - the idea is to minimize the damage if an account is compromised. If an attacker compromises my standard/non-admin account, potential damage is limited while if an attacker compromises my Domain Admin account, he owns everything immediately (whereby with my non-domain account, it will take some extra time). By using the non-admin account wherever I can, I can reduce the likelihood of an account compromise.
Brian
- Edited by Brian Svidergol Tuesday, August 2, 2011 9:51 PM TYPO FIX
- Marked as answer by Niall MerriganMVP Wednesday, August 3, 2011 7:44 AM
Tuesday, August 2, 2011 9:28 PM -
good answer
and i agree with you 100%, and i think i understood the whole subject.
Thanks for taking time
MCSATuesday, August 2, 2011 9:48 PM