Re: windows 2000 security




First, I'd like to say that for administration purposes you should have a
domain, and you should consider ISA Server in your domain.
http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10best.mspx
http://www.microsoft.com/isaserver/default.mspx

Now the problem:

Presently we have a workgroup environment with 25 systems on Win2k
Pro and Win XP Pro. A Linux firewall is set up for internet access
with iptables and NAT.
Hence all the users have internet access. Some policy changes are needed,
and I want to do a setup with the following groups; the security
features needed are as below.

Groups

Research
Development
Support
Mktg
Finance

1)No group should be able to access the resources of each other, except the
users in its respective group.

-You can configure this locally on every machine (keep in mind that every XP
machine accepts 10 connections maximum at a time).
Machines in a workgroup environment only know their local SAM, which means
that in order to give restricted access to resources you can't give Everyone
access; you must only give access to certain users or groups that exist
on the local machine. Which means that you must provide the users with that
user account and respective password. (Not too functional; in a domain environment
the DC processes all this.) You have an option in Windows XP that permits you
to save credentials for future access to that shared resource.

To troubleshoot the maximum number of connections being reached, check:
http://support.microsoft.com/kb/328459/


2) Internet access only for support and mktg.

-Ok make the appropriate configuration.

3) Other groups to have mail access only, but no internet access (how should
I go about this? I was thinking of installing MDaemon mail server).

-I believe that you could make this type of restriction using your existing
FW, denying based on IP address vs. ports allowed.
You can also use local GPO to do this. The trick is to fool the OS; to
achieve that you configure a wrong proxy server, ex: http:"localproxy.com", in
the Internet properties on the local computers, then deny changes to the
proxy configuration textbox.

a - Config the wrong proxy: User Config / Win Settings / Internet Explorer
Maintenance / Connection / Proxy Settings

b - Make the Proxy config per machine rather per user: Computer Config /
Admin Templates /Win Components / I.E /Make proxy settings per machine.

c - Do not allow changes: User Config / Admin Templates / Win components /
Internet Explorer / Disable changing proxy settings.

(Of course, if the users are local Admins... then they can change all that.)


4)Each group will probably have its own file server

-I still don't get why you don't have a DC.

5) A person from one group may have permission to access resources of other
groups. Already discussed.

6) VPN access (client access) to connect to the VPN server.

-No problem. (If you have a Windows RRAS server you should consider L2TP/IPsec
(more secure; don't use pre-shared key authentication). It needs a CA and a computer
certificate, and once again you must have a local user and password.)
For more Information:
Virtual Private Networking with Windows Server 2003: Deploying Remote Access
VPNs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx
Basic L2TP/IPSec Troubleshooting in Windows XP
http://support.microsoft.com/?kbid=314831



7) Can I go in for a firewall-based router which will also have a VPN
module at the internet gateway?
I had thought of 2 solutions, one pertaining to creating a single Windows
2000/2003 domain environment and the second using VLANs. I'm not sure which one
will work, hence kindly go through and let me know if any other method is
available to achieve the following.
If I go in for a VLAN environment, and use a single Layer 3 switching device,
is it possible for me to access a particular group if required?
If I go in for an AD environment on different subnets, will I be able to
access resources of another subnet if needed? Or if I just create a VLAN in a
workgroup environment, is it OK?

As long as both sides can reach each other, the only problem that you'll have
is resource authentication. You should consider an AD environment; even if
you can't afford ISA Server, you can take advantage of RADIUS authentication
as long as your FW/NAT device supports RADIUS.

--
Best Regards
Systems Administrator
MCSA + Exchange
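An added example, not part of the original thread: a POSIX shell script that generates the iptables FORWARD rules for the policy in points 2 and 3 above (support and mktg get full internet; research, development and finance are limited to mail ports and DNS, with everything else logged and dropped). The group subnets, interface names and port list are assumptions for the example; adjust them to the real layout.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables FORWARD rules
# implementing "internet for support/mktg, mail-only for the other groups".
# Assumed layout (constructed for this example): one subnet per group behind
# the Linux NAT box, LAN on eth1, WAN on eth0.
LAN_IF=eth1
WAN_IF=eth0
FULL_ACCESS="10.0.3.0/24 10.0.4.0/24"            # support, mktg
MAIL_ONLY="10.0.1.0/24 10.0.2.0/24 10.0.5.0/24"  # research, development, finance
MAIL_PORTS="25 110 143 993 995"                  # SMTP, POP3, IMAP, IMAPS, POP3S
# If the mail server (e.g. MDaemon) is internal, only its address needs these
# outbound ports; workstations then talk to it on the LAN and never traverse FORWARD.

# Print the rules rather than applying them, so the policy can be reviewed
# (or diffed against the running ruleset) before it is loaded.
build_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to sessions the LAN opened are always allowed back in.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $FULL_ACCESS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $net -j ACCEPT"
    done
    for net in $MAIL_ONLY; do
        for port in $MAIL_PORTS; do
            echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $net -p tcp --dport $port -j ACCEPT"
        done
        # Name resolution for the mail client; drop this line if DNS is served internally.
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $net -p udp --dport 53 -j ACCEPT"
        # Log before dropping so blocked web traffic is visible in syslog.
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $net -j LOG --log-prefix \"FW-DENY-MAILONLY \""
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $net -j DROP"
    done
}

# Number of ACCEPT rules generated for a subnet; a quick sanity check of the policy.
accept_rules_for() {
    build_rules | grep -c -- "-s $1 .*-j ACCEPT"
}

# APPLY=1 ./policy.sh loads the rules (as root); otherwise they are only printed.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh
else
    build_rules
fi
```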




