Re: IP filtering using DNS lookup

From: Michael T Rowe (michaeltrowe_at_hotmail.com)
Date: 02/24/05


Date: Thu, 24 Feb 2005 19:22:09 GMT

Thanks, Tony. Point taken - I am using user accounts for authentication. I
just wanted to restrict access even farther using IP filtering.

Now that I think about it, since I'll be hosting a public-access web server,
I won't be able to use IP filtering for all services. But I want to lock
down access to other services like Terminal Services, Remote Web
Workplace, etc. In addition to user accounts, what's the best way to
further restrict access to these services?

Thanks.

"Tony Su" <TonySu@discussions.microsoft.com> wrote in message
news:000FA5CD-848C-465D-9563-B54F970F201F@microsoft.com...
> "With software anything is possible."
> But, there isn't a simple, ready-made way to do this.
>
> Besides, it'd be ridiculously poor security, subject to almost any kind of
> spoofing attack and reliant on unreliable, changing services to configure
> properly.
>
> The simple and best way is to <not> use IP addresses for authentication.
>
> Of course, User Accounts is the most obvious and simple way to authenticate
> remote Users, particularly if the User might be using different machines
> and/or changing IP addresses.
>
> Also, you can authenticate machines by other ways besides IP addresses...
> eg. installed machine certificates, USB key or Smartcard machine
> certificates, CPU ID, MAC address (which is also spoofable), etc.
>
> Tony
>
>
>
> "Michael T Rowe" wrote:
>
>> I would like to implement IP filtering for external connections to SBS 2003,
>> but the clients who would be connecting over the Internet don't have static
>> IP addresses. Is there a way (using ISA server or an external firewall) to
>> change the permitted IP addresses using a DNS lookup from a dynamic DNS
>> service?
>>
>> I'm envisioning a way to specify a domain address (mymachine.dyndns.org)
>> instead of an actual IP address or a service that runs on the SBS server
>> that polls the dynamic DNS service and updates the list of permitted IP
>> addresses accordingly.
>>
>> Thanks.
>>
>>
>>
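
The polling service described in the original question could be sketched as follows. This is an added example, not code from the thread or from ISA/SBS; the function names, the `MAX_PER_HOST` limit and the choice to keep the last known-good address when a lookup fails or looks implausible are all assumptions.

```python
import ipaddress
import socket

# Ranges that should never appear as an Internet client's address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PER_HOST = 2  # assumption: one client should not resolve to many addresses


def system_resolver(host):
    """Return the IPv4 addresses the system resolver gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def refresh(hosts, previous, resolve=system_resolver):
    """Build {host: set of permitted IPs} from one polling round.

    previous is the last round's result; it is kept for a host whose
    lookup fails or returns an implausible answer, so one bad DNS
    response neither locks the client out nor widens the allowlist.
    """
    current = {}
    for host in hosts:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            addrs = []  # lookup failed or returned something unparsable
        ok = [a for a in addrs if not any(a in net for net in NON_PUBLIC)]
        if ok and len(ok) == len(addrs) and len(ok) <= MAX_PER_HOST:
            current[host] = {str(a) for a in ok}
        else:
            current[host] = set(previous.get(host, set()))
    return current


def is_permitted(source_ip, allowlist):
    """True if source_ip matches any address currently on the allowlist."""
    return any(source_ip in ips for ips in allowlist.values())
```

The resulting set would be pushed to the firewall rule for Terminal Services or Remote Web Workplace; it only narrows who can reach the logon prompt, and the user-account authentication discussed in the thread still applies behind it.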


