Re: Network isolation: local logins ?
- From: RLM <redlob+usenet@xxxxxxxxx>
- Date: 20 Dec 2006 15:40:10 GMT
Thanks a lot for your information. I will study the articles you
provided.
Regards,
***
Server and domain isolation using IPsec is based on the use of machine
credentials, and includes support for machine Kerberos accounts, machine
x.509 certificates and pre-shared keys...
Regarding the local user accounts, in Windows XP and Windows 2003, if the
user's workstation is joined to the domain, the machine will download the
group policy with the IPsec settings and can then participate in the
secured/isolation network using its configured IPsec-based authentication
mechanism. The credentials of the user are not evaluated when determining
whether or not a machine has a valid credential for use in the isolated
network or domain, so technically the addition of Server/Domain isolation
would not need to change the local user logons if there is a need to
maintain them...
You do have the option to restrict access to only valid domain accounts by
manipulating "access this computer from the network" logon rights and
changing the Default setting of 'Everyone' to Domain Users and Domain
Computers... We use that option here at Microsoft on downlevel systems to
provide different levels of access control to highly restricted systems on
the Corporate network. There are other options here as well that I'll not
go into unless you need more options/information.
Microsoft has extended the Server and Domain Isolation environment in
Windows Vista and Windows Server Longhorn by integrating the Windows
Firewall and IPsec and adding support for Authenticated IP. Authenticated
IP extends the core IKE functionality of machine authentication to also
include User and NAP Health Certificate authentication, so it is much easier
in Windows Vista to grant/deny access based on both machine and logged in
user credentials.
As far as Windows 98, there is no support for IPsec in platforms older than
Windows 2000 (and preferably using at least SP4)
Server and Domain Isolation page
http://www.microsoft.com/technet/network/sdiso/default.mspx
Authenticated IP article:
http://www.microsoft.com/technet/community/columns/cableguy/cg0806.mspx
Jason
"RLM" <redlob+usenet@xxxxxxxxx> wrote in message
news:slrneo2ha3.k3o.redlob+usenet@xxxxxxxxxxxxxxxx
I'm investigating the benefits of network/domain isolation. What I am
wondering is: we have some users that also login to their PC's locally.
Does this mean that the machine will be on the non-isolated network ?
How about W98 pc's, is there an option to put them in the isolated
network ?
Thanks !
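The option Jason mentions of tightening the "Access this computer from the network" logon right from its default of Everyone to Domain Users and Domain Computers is easy to check and apply with secedit. The script below is an added example, not code from the thread or from Microsoft: it exports the local user-rights policy, resolves the SIDs currently granted SeNetworkLogonRight, warns if the well-known Everyone SID (S-1-1-0) is still present, and with -Remediate rewrites the right to the domain groups instead. It assumes it runs elevated on a domain-joined machine and that the NetBIOS domain name (defaulting to $env:USERDOMAIN) and the group names "Domain Users" and "Domain Computers" resolve; those names are assumptions, not values from the original post.

```powershell
# Added example (not from the original thread). Audits, and optionally fixes,
# the "Access this computer from the network" user right (SeNetworkLogonRight)
# on the local machine. Assumes: elevated PowerShell on a domain-joined box;
# -DomainName is the NetBIOS domain name (assumed to be $env:USERDOMAIN).
[CmdletBinding()]
param(
    [string]$DomainName = $env:USERDOMAIN,
    [switch]$Remediate      # without this switch the script only reports
)

$right   = 'SeNetworkLogonRight'
$infPath = Join-Path $env:TEMP 'userrights.inf'
$dbPath  = Join-Path $env:TEMP 'userrights.sdb'
$everyoneSid = 'S-1-1-0'    # well-known SID for Everyone

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as *S-1-..., and names as plain text.
    $e = $entry.Trim()
    if (-not $e.StartsWith('*')) { return $e }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $e }   # unresolvable SID (e.g. a deleted account)
}

function Get-GroupSid([string]$account) {
    # Name -> SID string, so the INF we write does not depend on name resolution later.
    $nt = New-Object System.Security.Principal.NTAccount($account)
    return '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Export only the user-rights area of the effective local policy.
& secedit.exe /export /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $infPath)) { throw 'secedit export failed' }

# 2. Read the current assignment for the right.
$line = Get-Content $infPath | Where-Object { $_ -match "^$right\s*=" }
if (-not $line) { throw "$right not present in export" }
$current = @((($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim() })

Write-Host "Current $right :"
$current | ForEach-Object { Write-Host ('  ' + (Resolve-Principal $_)) }

# 3. A grant to Everyone means any host that can reach this box, domain member
#    or not, may attempt a network logon; that is the default Jason refers to.
$hasEveryone = $current | Where-Object { $_ -eq "*$everyoneSid" -or $_ -eq 'Everyone' }
if (-not $hasEveryone) { Write-Host "OK: Everyone is not granted $right"; return }
Write-Warning "Everyone is granted $right"
if (-not $Remediate) { return }

# 4. Build the replacement list: drop Everyone, ensure the two domain groups.
$wanted = @(
    (Get-GroupSid "$DomainName\Domain Users"),
    (Get-GroupSid "$DomainName\Domain Computers")
)
$new = @($current | Where-Object { $_ -ne "*$everyoneSid" -and $_ -ne 'Everyone' })
foreach ($w in $wanted) { if ($new -notcontains $w) { $new += $w } }

# 5. Write a minimal security template and apply just the user-rights area.
#    Note: principals omitted from the line are removed from the right.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$right = $($new -join ',')
"@ | Set-Content -Path $infPath -Encoding Unicode

& secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
Write-Host "Applied: $right = $($new -join ',')"
```

Run it without -Remediate first and read the resolved list: anything other than Everyone that is listed (Administrators, Backup Operators, service accounts) is kept as-is, since the right is rewritten from the existing entries rather than from scratch. In a domain you would normally push the same setting through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment) rather than per machine; the local change here is useful for checking the effect on a test box before the GPO goes out, and for the downlevel systems the post mentions. Removing Everyone also blocks workgroup machines and any other non-domain client from file and print shares on the box, which is the intended effect, so confirm nothing legitimate depends on that access first.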