Posted by Roger Abell on July 6, 2005, 7:59 pm
> Hi Steven,
>
> First of all, thank you for your reply.
> I am already using IPSec with Kerberos authentication on my Domain network
>
> What I was looking for is to oblige Domain Users to be logged into the
> domain through a computer-like session.
> What I'm trying to say is that you can login into the shared resources using
> Kerberos even from a Workgroup machine, just by opening a Windows Explorer
> and typing \server\share, and you get a prompt asking to put in your
> username and password to enter the resource; at this point you simply type
> Username: domain\user , Password: mypass and YOU ARE IN!! :)
> Confirm?
>
> What I need to do is to block this, by obliging the Domain User to have his
> machine joined in the Domain and also strictly obliged to be logged into the
> Domain using the Computer profile; not just by opening a Windows Explorer and
> \ing to explore the servers and resources.
>
> Do you know if this can be done?
This is exactly the solution that is/was being outlined.
If the serving machine requires via IPsec that any machine with which
it will speak is a member of the domain, then you have effected your
desired result.
1. IPsec - only domain member machines
2. share/ntfs - only desired domain user accounts
1+2 only desired domain accounts when logged into domain member
> Hope to have been much more clear this time, and really hope that exists a
> way to have this done...
>
> My very thanks
> -Leonardo
>
>
> "Steven L Umbach" wrote:
>
> > First off I would enable a strict computer use policy that prohibits that
> > users plug laptops into your network. In addition to your concerns such a
> > computer could be infected with a worm or allow a backdoor into your
> > network. Make sure the users understand the policy, sign it, have their own
> > copy and understand the consequences and then strictly enforce the policy.
> >
> > Having said that you possibly could use ipsec to protect your servers. Any
> > domain computer with a require ipsec policy will not allow communications
> > with a computer that can not authenticate via kerberos [default
> > authentication method] which would be any computer outside of your
> > domain/forest. Ipsec policies take quite a bit of planning and testing and
> > domain controllers require special consideration with exempting them for
> > traffic that involves authentication and Active Directory with domain
> > computers. The links below will explain more and the ipsec white paper on
> > domain isolation [last link] would be something you may want to strongly
> > consider. --- Steve
> >
> > http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
> > http://www.microsoft.com/downloads/details.aspx?FamilyId=15E5FC29-B52C-41A4-9EE5-D95916FFE53E&displaylang=en
> > http://www.microsoft.com/seminar/shared/asp/view.asp?url=/Seminar/en/20030424vcon48/manifest.xml
> >
> > > Hello,
> > >
> > > I need to secure the information contained in my storage servers from
> > > external intruders.
> > > I have a W2k3 Domain, in native mode.
> > > My domain users can logon only on the computer allowed
> > >
> > > My problem is that, if one of the employees comes at work with his laptop in
> > > a bag and joins the network as workgroup (since he can't login with his user
> > > into the domain from a computer with different MAC) and starts to access the
> > > enterprise shares using his domain username and password, the situation
> > > becomes critical. Enterprise data must not leave the Enterprise.
> > >
> > > I thought that setting the ACL permission to 'Authenticated Users' will
> > > force the users to login into the domain before they can access the
> > > shares.
> > > But I was and am wrong; whoever accesses the network and knows the
> > > credentials can see and copy the company information.
> > >
> > > Do any of you know if there is a way to force the users to be logged into
> > > the domain before they are allowed to access a domain share?
> > >
> > >
> > > Please if all this did not sound clear or enuff explanatory for you to
> > > understand let me know, I'll try to find some better words to explain my
> > > problem.
> > >
> > >
> > > My very thanks,
> > > -Leonardo
> >
> >
> >
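The combination Roger summarizes above (1: IPsec with Kerberos so only domain member machines can talk to the server, 2: share/NTFS permissions so only the desired domain accounts get in, with domain controllers exempted as Steve notes) can be scripted on a modern file server. The following is an added example written for this thread, not code from Roger, Steve or Microsoft; it uses the Windows Firewall with Advanced Security cmdlets shipped with Windows Server 2012 / Windows 8 and later, which are the successor to the Windows Server 2003 IPsec policy the thread discusses. The domain controller addresses, the share name `Data` and the group `CORP\FileUsers` are placeholders.

```powershell
# Added example (not from the thread): restrict a file server so that only
# domain-joined machines can reach it (IPsec + Kerberos machine auth), then let
# share/NTFS permissions pick the accounts. Run elevated on the file server.

# Placeholder DC addresses; replace with your own domain controllers.
$DomainControllers = @('192.0.2.10', '192.0.2.11')

# Main mode authentication: Kerberos *machine* credentials only. A workgroup
# laptop has no computer account in the domain, so it cannot complete this
# negotiation even if its user knows a valid domain\user password.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer (Kerberos)' `
                                      -Proposal $proposal

# 1a. Exempt the domain controllers. The server has to reach them for Kerberos
#     and Active Directory traffic before any IPsec SA can be negotiated, which
#     is the special consideration Steve mentions.
New-NetIPsecRule -DisplayName 'Exempt domain controllers from IPsec' `
                 -RemoteAddress $DomainControllers `
                 -InboundSecurity None -OutboundSecurity None

# 1b. Everything else: inbound connections are REQUIRED to be IPsec-protected
#     and authenticated with the Kerberos machine proposal above. Outbound is
#     only "Request" so the server can still initiate to hosts without a policy.
New-NetIPsecRule -DisplayName 'Require domain member IPsec for inbound' `
                 -InboundSecurity Require -OutboundSecurity Request `
                 -Phase1AuthSet $authSet.Name

# 2.  Share permissions still decide WHICH domain accounts get in; IPsec only
#     decides which MACHINES may talk to the server at all. Replace the default
#     Everyone entry with the intended group (placeholder names).
Revoke-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name 'Data' -AccountName 'CORP\FileUsers' `
                      -AccessRight Change -Force

# Check: after a domain-joined client connects, a main mode SA exists for it.
# A workgroup machine's attempts never produce one, so its \\server\share
# request fails before any username/password prompt.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Test this on one server with a domain-joined client and a workgroup laptop before rolling it out: the domain client should show a main mode SA and open the share, the workgroup laptop should get no SA and no share access. Apply the same rules through Group Policy once they behave as expected, and keep the domain controller exemption in place or the server will lose Kerberos itself.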