Re: Preventing users from connecting to shares NOT on the domain..
From: Javier J (no.mail_at_please.no)
Date: 01/19/05
- Next message: dave stockdale: "Virus Protection on two pc's - How?"
- Previous message: Doug Sherman [MVP]: "Re: Administrative share"
- In reply to: Miha Pihler [MVP]: "Re: Preventing users from connecting to shares NOT on the domain.."
- Next in thread: Miha Pihler [MVP]: "Re: Preventing users from connecting to shares NOT on the domain.."
- Reply: Miha Pihler [MVP]: "Re: Preventing users from connecting to shares NOT on the domain.."
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 19 Jan 2005 21:45:56 +0100
Hi!!!
I'll give you a little more detail about what I am trying to do:
- The domain is a Windows 2000 Domain, with W2000 Pro client computers
and some WXP Pro. There is no "signing" of digital traffic going on.
There are a number (about 50) of client PCs that have to be specially
hardened. Those are all located in the same OU, so if any changes can be
done at the OU level, that'd be a bonus. From the (admittedly slight) idea
I have about it, Kerberos settings are domain-wide, but domain-wide
changes are out of the question at the moment.
I can make almost any change to the computers in the OU, but the domain
is out of my reach (at least, at the moment).
I've done some testing using the GPOs that MS provides with the "Group
Policy Common Scenarios" docs and accompanying supporting information.
I'm using a "mix-and-match" version of the AppStation scenario for the
computers in the OU.
The computers in the OU _should_ be able to access any of the servers on
the domain (i.e., it's not possible to make a choice that limits them to
a single server), but that might be possible to change.
From looking into the GPO settings on the sample OUs, I've seen
settings about "digital sign" and "encrypt" communications, so I was
wondering if there is some combination of settings that requires that
all SMB traffic be two-way signed. From my understanding of the matter,
that'd mean both computers are members of the same domain...
Thanks a lot for the prompt response...
Miha Pihler [MVP] wrote:
> Hi Javier,
>
> If you want to prevent your computers from talking to computers that are not
> part of your domain, create an IPSec policy that would require
> authentication, where you would use Kerberos as the authenticating protocol.
> Computers that are not members of the domain will not be able to authenticate
> and your clients will not want to talk to them.
>
> Your clients would need to be Windows 2000 or a newer Microsoft operating
> system.
>
> Step-by-Step Guide to Internet Protocol Security (IPSec)
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>
> Assigning IPSec policy
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
>
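The two controls discussed in this exchange, SMB signing on the one hand and an IPsec policy that only negotiates with Kerberos-authenticated machines on the other, as an added example that is not part of the thread and is not either poster's code. It is written for the PowerShell NetSecurity and SmbShare modules on Windows 8 / Server 2012 or later; the Windows 2000/XP clients in the thread would have to use the IPsec MMC snap-in or netsh instead. The domain name `corp.example.com` and the GPO name `Hardened-Workstations` are assumptions chosen to match the "link it to the OU" requirement. One caveat a practitioner will want: requiring SMB signing protects an established session from tampering but does not restrict which peers a client will talk to, since a workgroup server can negotiate signing over NTLM just as well; only the IPsec/Kerberos rule actually refuses non-domain hosts.

```powershell
# Added example, not from the thread. Requires Windows 8 / Server 2012 or later
# (NetSecurity + SmbShare modules) running elevated. GPO and domain names are assumed.

# --- 1. Require SMB signing: what the "digitally sign communications (always)"
# settings in the scenario GPOs set. Equivalent to RequireSecuritySignature = 1
# under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
# (client) and ...\Services\LanmanServer\Parameters (server).
# Note: this does NOT limit the client to domain members; see step 2 for that.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# --- 2. Require IPsec with Kerberos *machine* authentication for SMB (TCP/445),
# the approach from the quoted reply. A peer that cannot obtain a Kerberos
# ticket (anything outside the domain or its trusts) fails IKE negotiation,
# so the SMB connection never opens. Written into a GPO linked to the
# hardened OU rather than into domain-wide policy.
$store = 'corp.example.com\Hardened-Workstations'   # assumed domain and GPO name

$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos machine auth only' `
                -Proposal $proposal -PolicyStore $store

# 'Require' on both sides: clear-text SMB is refused, not merely discouraged.
# Limited to remote port 445 so the hardened PCs can still reach non-SMB
# services (DNS, HTTP, etc.) on hosts that do not speak IPsec.
New-NetIPsecRule -DisplayName 'Require IPsec + Kerberos for SMB' `
    -Protocol TCP -RemotePort 445 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.InstanceID -PolicyStore $store

# --- 3. Verify on an affected client after `gpupdate /force`.
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
Get-NetIPsecRule -PolicyStore $store |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity

# After opening a share on a domain file server, a main-mode SA should exist
# for that server; a share on a workgroup machine should instead time out.
Get-NetIPsecMainModeSA
```

Because the rule lives in an OU-linked GPO, it only affects computers in that OU, which is what the original poster asked for; the domain controllers and file servers must also accept IPsec with Kerberos (a matching rule with `-InboundSecurity Request` on the servers is the usual way to roll it out without breaking other clients), which is the part that does need cooperation from whoever owns the domain.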