What would be the best way to give administrators the ability to administer a server remotely through Terminal Services?

  • Question

  • Hi guys,
    I started preparing for the 70-290 exam and came across a question that I don't understand, from the MCSA/MCSE Self-Paced Training Kit (Exam 70-290) book.

    -----------------
    The question is:

    What would be the best way to give administrators the ability to administer a
    server remotely through Terminal Services?

    correct answer:

    Create a separate, lower-authorization user account for Administrators to use
    daily, and place that account in the Remote Desktop For Administration
    Group.

    Description

    The correct answer is c. It is a best practice to log on using an account with minimal credentials,
    then to launch administrative tools with higher-level credentials using Run As.
    -------------
    Should we create a user account for Administrators and place that account in the Remote Desktop group?
    If so, why would we do that if Administrators can still use Remote Desktop with the administrator account?
    So confused.
    And what about the Description?

    Sorry for this stupid answer.
    MCSA
    Tuesday, August 2, 2011 2:58 PM


All replies

  • I don't really like the question.  But others might!  This question would be better if it didn't focus on RDP sessions.  Here are my thoughts:

    • In general, it is a good practice to use the least privileged account to perform a task.  In many environments, it is common to see administrators have a standard account (email, web surfing) and an administrative account (for performing configuration changes, etc.).  Typically, in such environments, I see the administrators connecting to servers via RDP by using their administrative account.  So while I see the value of part of the answer (create separate lower-authorization account for daily administrator use) - I don't see much value in using that account as the RDP account for initial connectivity.
    • From a testing perspective, it would be helpful to see all of the answer choices.  Sometimes, even though an answer doesn't sound perfect, it is the best answer choice available.  So when preparing to take an exam, always focus on the best answer choice from the available answer choices.

    Brian

    Tuesday, August 2, 2011 8:53 PM
  • Thanks for the reply, and yes, you're right. I forgot to write the other answers; here they are:

    • Don't do anything; they already have access because they are administrators.
    • Remove the Administrators from the permission list on the Terminal Server
      connection, and put their administrator account in the Remote Desktop For
      Administration Group.

    I prefer choosing the first answer because I really don't get it: why should we create another account for an expert like an administrator to use RDP?


    MCSA
    Tuesday, August 2, 2011 9:19 PM
  • Thanks for posting the other answer choices.  My thoughts:

    • Avoid "do nothing" answers.  In general, real certification exams shy away from those types of answers.  Practice exams, which generally have a lower quality question and answer set, often break the typical certification exam rules.  In "real life" - you might choose to do nothing.  In a test scenario, you'd really boil it down to the answer choice in your original post and the final answer choice listed above.
    • Regarding your question - "why do this?" - I can think of a few scenarios (albeit contrived):  with the lower-authorization account, the administrator may be able to perform some of his administrative duties (so in some circumstances, he can perform a task without having to elevate to his admin account).  Or, in some scenarios, the administrator may only be checking a configuration or the status of a service or task (and not making any changes) - so by having him use the lower-authorization account, you minimize risk.  In "real life" - the idea is to minimize the damage if an account is compromised.  If an attacker compromises my standard/non-admin account, potential damage is limited while if an attacker compromises my Domain Admin account, he owns everything immediately (whereby with my non-domain account, it will take some extra time).  By using the non-admin account wherever I can, I can reduce the likelihood of an account compromise.

    Brian


    Tuesday, August 2, 2011 9:28 PM
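As an added example (not code from the original thread or the training kit), here is the pattern Brian describes above in PowerShell: a low-privilege daily account that holds the RDP logon right, a separate privileged account used only through Run As, and a check of who is actually logging on over RDP. Assumptions: Windows Server 2016 or later with PowerShell 5.1 (the Microsoft.PowerShell.LocalAccounts module), that the book's "Remote Desktop For Administration Group" is the built-in local group "Remote Desktop Users", and hypothetical account names jdoe and jdoe-adm. One caveat the third answer choice hints at: the Administrators group has access on the RDP-Tcp connection by default, so putting only the daily account in Remote Desktop Users does not by itself stop admin accounts from connecting; that is why the last function audits Security event 4624 with LogonType 10 (RemoteInteractive) rather than group membership alone.

```powershell
# Added example, not code from the original thread. Assumes Windows Server 2016+
# with PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts module) and that the
# book's "Remote Desktop For Administration Group" is the built-in local group
# "Remote Desktop Users". Account names are hypothetical. Run from an elevated prompt.

$DailyUser = 'jdoe'          # hypothetical low-privilege account used for the RDP logon
$AdminUser = 'jdoe-adm'      # hypothetical privileged account, used only via Run As
$RdpGroup  = 'Remote Desktop Users'

# 1. Create the daily-use account if it does not exist. The password is prompted
#    for, never hard-coded in the script.
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $DailyUser"
    New-LocalUser -Name $DailyUser -Password $password `
        -Description 'Daily-use account, least privilege' | Out-Null
}

# 2. Give only the daily account the RDP logon right. It stays a standard user
#    otherwise and is deliberately NOT added to Administrators.
if (-not (Get-LocalGroupMember -Group $RdpGroup -Member $DailyUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $RdpGroup -Member $DailyUser
}

# 3. Inside the RDP session, start an admin tool under the privileged account.
#    This is the modern equivalent of the book's "Run As".
function Start-AdminTool {
    param(
        [Parameter(Mandatory)] [string]   $FilePath,
                               [string[]] $ArgumentList = @()
    )
    $cred = Get-Credential -UserName $AdminUser -Message "Credentials for $AdminUser"
    Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Credential $cred
}
# Usage: Start-AdminTool -FilePath 'mmc.exe' -ArgumentList 'compmgmt.msc'

# 4. Audit: which local administrators logged on over RDP in the last N days?
#    Security event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
#    Administrators can reach the RDP-Tcp connection by default regardless of
#    Remote Desktop Users membership, so the event log, not group membership,
#    shows whether admin accounts are really being used for RDP sessions.
function Get-AdminRdpLogons {
    param([int]$Days = 7)
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { ($_.Name -split '\\')[-1].ToLower() }
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $target = "$($d['TargetUserName'])".ToLower()
        if ($d['LogonType'] -eq '10' -and $admins -contains $target) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source  = $d['IpAddress']
            }
        }
    }
}

Get-AdminRdpLogons -Days 7 | Format-Table -AutoSize
```

Step 4 needs rights to read the Security log, which is another reason to run the script from an elevated prompt under the privileged account while the daily account stays a plain member of Remote Desktop Users.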
  • Good answer.

    I agree with you 100%, and I think I understood the whole subject.

    Thanks for taking the time.


    MCSA
    Tuesday, August 2, 2011 9:48 PM