Posted by Steven L Umbach on June 2, 2005, 2:25 pm
If the account that the user is logged onto on the non-domain computer has
the same logon name and password as a user account in the domain, then that user
can gain access to the share. If you have auditing of logon events enabled
for that server, you will see type 3 logon events recorded at the time that
computer user was able to access the share. If you want to restrict access
to only domain computers, you would have to enable an ipsec require
policy for that computer, with the exception that domain controllers can not
use ipsec AH/ESP for communications with domain computers; but otherwise it
would work, because ipsec negotiation policy by default requires kerberos
authentication for computer accounts before the ipsec policy can be
used. --- Steve
> Simplified Scenario of our configuration:
>
> We have a W2K3 DC which hosts a share (share permissions:
> Authenticated Users = Read Access;
> NTFS permission :Administrators = Full Control)
>
> We have a PC (not part of the domain, but in its own workgroup). This PC
> can
> open the share on the server when logged in as a local administrator and
> see
> the contents.
>
> Firstly, shouldn't the fact that no users (apart from Administrators)
> prevent the local user on this PC from being able to open the share?
> Or are the permissions combined?
>
> Secondly, shouldn't Authenticated Users only allow users who are logged on
> to the domain to access the resource?
>
> I'm sure this is quite a simple query for many of you.
> Many thanks in advance.
>
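The audit trail Steve describes (type 3 logons on the file server from a workgroup machine whose local account name and password match a domain account) can be checked for after the fact. The following is an added example, not code from the thread: it runs over a few constructed logon-event records shaped like Windows Security log logon events and flags network logons whose source workstation is not in an assumed list of domain-joined computers.

```python
"""Flag network (type 3) logons to a file server that originate from
workstations that are not domain members. Added example; the event
records below are constructed to resemble Windows Security log logon
events and are not real log data."""

from dataclasses import dataclass

# Constructed sample events: the fields a logon audit event exposes.
SAMPLE_EVENTS = [
    {"logon_type": 3, "account": "jsmith", "domain": "CORP",
     "workstation": "WKS-042", "auth_package": "Kerberos"},
    {"logon_type": 3, "account": "jsmith", "domain": "CORP",
     "workstation": "HOMEPC", "auth_package": "NTLM"},
    {"logon_type": 2, "account": "admin", "domain": "FS01",
     "workstation": "FS01", "auth_package": "Negotiate"},
    {"logon_type": 3, "account": "bjones", "domain": "CORP",
     "workstation": "WKS-017", "auth_package": "NTLM"},
]

# Assumed inventory of domain-joined computer names (constructed, upper-case).
DOMAIN_COMPUTERS = {"WKS-042", "WKS-017", "FS01"}


@dataclass(frozen=True)
class Finding:
    account: str
    workstation: str
    auth_package: str


def find_non_domain_network_logons(events, domain_computers):
    """Return type 3 logons whose source workstation is not a domain member.

    A workgroup machine whose local account matches a domain account by
    name and password can authenticate as that domain account over the
    network; because it is not a domain member it cannot use Kerberos,
    so such logons show up as NTLM from an unknown workstation name."""
    findings = []
    for ev in events:
        if ev["logon_type"] != 3:
            continue  # only network logons (share access) are of interest
        if ev["workstation"].upper() in domain_computers:
            continue  # known domain-joined source host
        findings.append(Finding(ev["account"], ev["workstation"], ev["auth_package"]))
    return findings


if __name__ == "__main__":
    for f in find_non_domain_network_logons(SAMPLE_EVENTS, DOMAIN_COMPUTERS):
        print(f"network logon by {f.account} from non-domain host "
              f"{f.workstation} via {f.auth_package}")
```

On a real server the same logic would be fed from the Security log, with the workstation inventory taken from the domain's computer accounts.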