0

I have a Windows 2008 server running a Rails App, owned by one of our Hardware engineers. Now one of our marketing guys created another rails app and my boss wants me to put it on that same server. They will both be admins with RDP access to the server to maintain their apps. The hardware engineer is very concerned about his app being messed with, which lives at C:\sites. What are my options to protect the hardware admin user from the marketing admin user (and vice versa)?

If it matters at all, the server is virtualized in ESXi 5.1 free version, so adding resources is very simple.

  • Do they both need to have administrator access to maintain their application? Why not reduce their permissions and set NTFS permissions accordingly? – DKNUCKLES Aug 02 '13 at 15:53
  • Maybe enable shadow copies as a "hey who changed my files" undo. This way you can restore older files if needed assuming some available drive space. File Audit logging will help too by keeping track of what is being changed, but it is pretty labor intensive. Locking the users down is a better solution. If they need admin access, maybe a third person should take care of those installs instead. – MikeAWood Aug 02 '13 at 18:16

2 Answers

9

If you need to restrict these users' access on this system, they cannot be administrators.

Nothing that you've listed (RDP access, control over their applications) requires them to be full-blown administrators of the system. Assign just the permissions needed.

Shane Madden
  • They may not need to be admins for any of that, but at any given time they may need to install software (ruby gems, third-party apps), or configure services as their applications scale. I was hoping to back up the server in case of a catastrophe, and let them administrate it themselves. You may be right that I should administrate the server, and let them be power users or something else. –  Aug 02 '13 at 17:31
1

This is a crazy way of doing things.

They should each have their own folder into which their app is deployed and be using RVM and Bundler to isolate their ruby versions and gems.

If you do that, they shouldn't even need administrative access.

MikeyB
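
The layout both answers point to (separate folders, NTFS permissions, no administrator rights), sketched as an added example that is not code from either answerer. The account names `hwdev` and `mktdev` and the folder `C:\sites_marketing` are assumptions; only `C:\sites` comes from the question.

```powershell
# Added example: one folder per app, each locked to its own non-admin account.
# Assumed names (not from the thread): local accounts hwdev and mktdev, and
# the folder C:\sites_marketing. Only C:\sites comes from the question.
# Run from an elevated prompt by the one person who keeps administrator rights.

$apps = @(
    @{ Owner = 'hwdev';  Path = 'C:\sites' },
    @{ Owner = 'mktdev'; Path = 'C:\sites_marketing' }
)

foreach ($app in $apps) {
    $owner = $app.Owner
    $path  = $app.Path

    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Allow RDP logon without administrator rights.
    & net localgroup "Remote Desktop Users" $owner /add

    # An account left in Administrators can take ownership and bypass any
    # ACL set below, so remove it (this prints an error if it was not a member).
    & net localgroup Administrators $owner /delete

    # Stop inheriting ACEs from the drive root, which usually give every
    # local user read access, then set an explicit list: full control for
    # Administrators and SYSTEM, modify for the app owner only.
    & icacls $path /inheritance:r
    & icacls $path /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
                            "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                            "${owner}:(OI)(CI)M"

    # Print the resulting ACL. Explicit entries that existed before this
    # script ran are not removed by /inheritance:r, so check that only
    # Administrators, SYSTEM and the owner are listed.
    & icacls $path
}

# If an app runs as a service under a different account, that account also
# needs an entry on its own folder (and only on its own folder).
```

With this in place, neither user can read or modify the other's application folder, and software installs that genuinely need elevation go through the remaining administrator.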