RE: IP filtering using DNS lookup


From: Tony Su (TonySu_at_discussions.microsoft.com)
Date: 02/24/05


Date: Wed, 23 Feb 2005 23:05:03 -0800


"With software anything is possible."
But, there isn't a simple, ready-made way to do this.

Besides, it'd be ridiculously poor security, subject to almost any kind of
spoofing attack and reliant on unreliable, changing services to configure
properly.

The simple and best way is to <not> use IP addresses for authentication.

Of course, User Accounts is the most obvious and simple way to authenticate
remote Users, particularly if the User might be using different machines
and/or changing IP addresses.

Also, you can authenticate machines by other ways besides IP addresses...
e.g. installed machine certificates, USB key or Smartcard machine
certificates, CPU ID, MAC address (which is also spoofable), etc.

Tony

"Michael T Rowe" wrote:

> I would like to implement IP filtering for external connections to SBS 2003,
> but the clients who would be connecting over the Internet don't have static
> IP addresses. Is there a way (using ISA server or an external firewall) to
> change the permitted IP addresses using a DNS lookup from a dynamic DNS
> service?
>
> I'm envisioning a way to specify a domain address (mymachine.dyndns.org)
> instead of an actual IP address or a service that runs on the SBS server
> that polls the dynamic DNS service and updates the list of permitted IP
> addresses accordingly.
>
> Thanks.
>
>
>
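
The polling service described in the question, sketched as an added example (not code from this thread or from ISA Server). The names refresh_allowlist and resolve_ipv4 are hypothetical and the addresses are constructed from documentation ranges; the change log makes visible that the permitted set follows whatever the DNS record says, so a filter like this only narrows exposure in front of account or certificate authentication.

```python
import ipaddress
import socket

# Ranges that should never appear as the address of an Internet client.
NOT_INTERNET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def resolve_ipv4(hostname):
    """Ask the system resolver for the host's current IPv4 addresses."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def refresh_allowlist(current, hostnames, resolver=resolve_ipv4, max_per_host=2):
    """Rebuild the permitted set from DNS and return (new_set, change_log).

    Fails closed: a name that does not resolve, returns more than
    max_per_host addresses, or returns an internal address permits nothing.
    """
    permitted, log = set(), []
    for host in hostnames:
        try:
            answers = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError) as exc:
            log.append(f"{host}: lookup failed ({exc}), nothing permitted")
            continue
        if len(answers) > max_per_host:
            log.append(f"{host}: {len(answers)} addresses returned, nothing permitted")
            continue
        bad = [a for a in answers if any(a in net for net in NOT_INTERNET)]
        if bad:
            log.append(f"{host}: internal address {bad[0]} returned, nothing permitted")
            continue
        permitted |= {str(a) for a in answers}
    # Record every change so an unexpected address swap can be reviewed later.
    log += [f"permit {ip}" for ip in sorted(permitted - current)]
    log += [f"revoke {ip}" for ip in sorted(current - permitted)]
    return permitted, log

if __name__ == "__main__":
    # Constructed record set standing in for the dynamic DNS service.
    records = {"mymachine.dyndns.org": {"198.51.100.7"}}
    allow, changes = refresh_allowlist(set(), records, resolver=records.__getitem__)
    print(allow, changes)
```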


