Re: Restrict Access to Domain Servers from Workgroup Computers



"Trevor Hillary" <trevh@xxxxxxxxxxxxxxxx> wrote in message
news:%23no72XPVHHA.5068@xxxxxxxxxxxxxxxxxxxxxxx
> Is it possible to restrict the access to resources on domain servers from
> workstation computers even if the user has a valid User ID and
> password? It looks as though the use of IPSec is a possibility but the
> customer would like to selectively allow non domain workstations access to
> resources possibly using certificates. Note that this is based on the
> client workstation not related to who is logged in.

No, that is not a directly supportable scenario.
When you mention use of IPsec you identify the one current way
to do what you are after. Since you say anyone on the allowed
machines you would need to
1. have the shares on a server where it is OK for all access to be
disallowed to machines not allowed to access the shares (i.e.
IPsec will control all access to the sharing machine, not just
access to the shares)
2a. have Guest access enabled on the sharing machine (so that all
accounts on the allowed machines have transparent access)
or
2b. have NTFS permissions on the shares that allow all domain
accounts (and then everyone will have to provide credentials
when connecting from an allowed machine)
3. have ability to identify the allowed machines for IPsec (just
doing this based on IPs is not very strong and unworkable if
client machines use DHCP).
Alternatives are certs or preshared key.

It is item 1 that usually makes this unworkable as a solution, since
it basically dedicates the server to this purpose.
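
The IPsec arrangement in items 1 and 3 above, sketched as an added example that is not part of the original post: a connection security rule on the sharing server that requires machine-certificate authentication for all inbound traffic. It assumes a current Windows Server with the NetSecurity PowerShell module (which postdates this thread), an elevated session, and a dedicated CA that issues computer certificates only to the allowed workstations; the CA name and rule names are placeholders.

```powershell
# Added example, not from the original post. Run on the sharing server.
# Hypothetical CA subject: a CA that issues machine certificates ONLY to
# the workstations that are allowed in. Any machine holding a certificate
# that chains to this CA will pass, so do not point this at a general CA.
$allowedCa = 'C=US,O=Example,CN=Example Allowed-Workstations CA'

# Item 3: identify the allowed machines by certificate instead of by IP
# address, which is weak and breaks when clients use DHCP.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $allowedCa -AuthorityType Root

$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName 'Allowed workstations (machine cert)' `
    -Proposal $certProposal

# Item 1: the rule is not scoped to the file shares. Every inbound
# connection to this server must authenticate with IPsec; outbound
# traffic only requests it, so the server can still reach machines
# that do not speak IPsec with this policy.
New-NetIPsecRule `
    -DisplayName 'Require machine-cert IPsec inbound' `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# Check what was created, then watch for negotiated main-mode
# security associations once an allowed workstation connects.
Get-NetIPsecRule -DisplayName 'Require machine-cert IPsec inbound' |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA
```

The server needs its own computer certificate from a CA the workstations trust, and each allowed workstation needs a matching rule that uses the same authentication set. User access to the shares is still decided separately by item 2a or 2b.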

