Re: Prevent Domain Logon or Access
From: Herb Martin (news_at_LearnQuick.com)
Date: 06/20/04
- In reply to: Zane: "Prevent Domain Logon or Access"
Date: Sat, 19 Jun 2004 19:12:49 -0500
"Zane" <zane@mail.com> wrote in message
news:#c1ffQlVEHA.2828@TK2MSFTNGP10.phx.gbl...
> Do you guys have any advice or recommended "tricks" to prevent anyone from
> using network/domain resources UNLESS they authenticate with a DOMAIN based
> client machine? Basically, I do not want anyone accessing domain resources
> into our network with HOME laptops (not part of domain).
>
> Preferred way is NOT to use PKI. I know PKI could accomplish this, I was
> thinking more of using login scripts for some way of accomplishing this.
> Since NON-domain based machines can not execute login scripts.

Well, that was going to be my suggestion.

You could probably still do it with IPSec, by using just the
Kerberos authentication mechanism, which isn't really based
on PKI -- but you might have had that in mind when you said
"no PKI".

No requirement for encryption is necessary if you just make
all of your servers REQUIRE "signed packets" and use Kerberos
(or even Preshared secret) to authenticate and set all clients
to RESPOND (or even Require for internal IP address ranges.)

You will need to exclude outside IPs from the IPSec policy for
clients if you wish them to visit the Internet or 'travel well.'

You might look into SMB signing to see if there is some
trick that can disallow NON-authenticated machines.
(I don't know of one but I would look there.)

You could try some scheme with secure hubs/routers where
the machines must authenticate with PEAP, 802.1x or some
such. (You will probably end up back at PKI, but WinXP
and Win2003 support user or machine based authentication
for such connections.)

If you think, or hear, of something better please post it.

-- Herb Martin

> Any ideas? Thanks.
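
The server-side policy described in the reply above (require authenticated, integrity-only packets with Kerberos as the IKE authentication method), written out as an added example that is not part of the original post. It assumes a Windows Server 2003 member server with the `netsh ipsec static` context; the policy, filter list and rule names and the domain controller address `192.0.2.10` are constructed placeholders.

```bat
@echo off
rem Added example (not from the original post). Run on a Windows Server 2003
rem member server. Names and the DC address below are constructed placeholders.
set POL=Require-Domain-Auth
set DC=192.0.2.10

netsh ipsec static add policy name="%POL%" description="AH-only, Kerberos-authenticated traffic" activatedefaultrule=no

rem 1. Leave traffic to the domain controller in the clear. Kerberos IKE
rem    authentication needs a ticket from the DC first, so requiring IPsec
rem    toward the DC would lock the server out of its own domain.
netsh ipsec static add filterlist name="DC-Traffic"
netsh ipsec static add filter filterlist="DC-Traffic" srcaddr=me dstaddr=%DC% dstmask=255.255.255.255 protocol=any mirrored=yes
netsh ipsec static add filteraction name="Permit-Clear" action=permit
netsh ipsec static add rule name="Allow-DC" policy="%POL%" filterlist="DC-Traffic" filteraction="Permit-Clear"

rem 2. Everything else must negotiate AH (signed, not encrypted packets).
rem    inpass=no : do not accept an unsecured first packet
rem    soft=no   : no fallback to clear text for peers that cannot do IPsec
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add filteraction name="Require-AH" action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="AH[SHA1]"

rem kerberos=yes : only machines holding a domain Kerberos identity can
rem complete IKE, so a home laptop outside the domain gets no connection.
netsh ipsec static add rule name="Require-Auth" policy="%POL%" filterlist="All-Traffic" filteraction="Require-AH" kerberos=yes

rem Assign the policy, then print it to confirm both rules are in place.
netsh ipsec static set policy name="%POL%" assign=y
netsh ipsec static show policy name="%POL%" level=verbose
```

Domain clients pair with this by having the built-in "Client (Respond Only)" policy assigned, typically through Group Policy, which keeps them able to reach hosts that do not speak IPsec.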