
Granting domain accounts access to a workgroup resource

Posted by Thomas Olsen on September 8, 2006, 12:13 am
Hi all

I am in the process of installing an FTP server in our organization (Gene6
FTP server running on Windows Server 2003). The server is located in DMZ. I
would like internal domain users to be able to access it through windows
file sharing and external users to use FTP client.
So I thought for security reasons to not add this server to our internal
domain.

My problem then is that I am not able to add users from our domain to a
security group on the FTP server.

Is this not possible by design, or am I doing something wrong here?

Appreciate some feedback.

Thanks.

/Thomas



Posted by Steven L Umbach on September 8, 2006, 12:30 am
You would only be able to add domain users if the computer was a member of
the domain or a trusted domain. I would double-check that the computer is
indeed a stand-alone computer if you can add domain users/groups. A stand-
alone computer can only grant access to local users/groups that could have
the same credentials as domain users and allow access to shares, assuming
IPsec or such is not denying access.

Steve


> Hi all
>
> I am in the process of installing an FTP server in our organization (Gene6
> FTP server running on Windows Server 2003). The server is located in DMZ.
> I would like internal domain users to be able to access it through windows
> file sharing and external users to use FTP client.
> So I thought for security reasons to not add this server to our internal
> domain.
>
> My problem then is that I am not able to add users from our domain to a
> security group on the FTP server.
>
> Is this not possible by design, or am I doing something wrong here?
>
> Appreciate some feedback.
>
> Thanks.
>
> /Thomas
>
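As an added example (not from the thread, and not Gene6's or Microsoft's code), here is the workaround Steve describes, written in PowerShell for a current Windows version: first confirm the box really is a workgroup member, then create local accounts whose user names and passwords match the domain users, and grant a local group NTFS and share access. The user names, directory path and share name are assumed placeholders.

```powershell
# Added example: mirror domain users as local accounts on a stand-alone server.
# Assumes an elevated PowerShell 5.1+ session with the LocalAccounts and SmbShare
# modules (Windows Server 2016+). All names and paths below are placeholders.
$ftpRoot   = 'D:\FtpRoot'    # assumed data directory served over FTP and SMB
$shareName = 'FtpData'       # assumed share name
$groupName = 'FtpUsers'      # local group that receives the permissions

# 1. Steve's check: domain accounts can only be added if this is a domain member.
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "$($cs.Name) is joined to $($cs.Domain); add the domain accounts directly instead."
}

# 2. Constructed list of internal users to mirror. Pass-through authentication over
#    SMB only succeeds when user name AND password match the domain account, so every
#    domain password change must be repeated here (the "lot of work" Steve mentions).
$mirrored = @(
    @{ Name = 'jdoe';   Password = Read-Host -AsSecureString 'Password for jdoe'   },
    @{ Name = 'asmith'; Password = Read-Host -AsSecureString 'Password for asmith' }
)

if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $groupName -Description 'Internal users mirrored from the domain' | Out-Null
}
foreach ($u in $mirrored) {
    if (-not (Get-LocalUser -Name $u.Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $u.Name -Password $u.Password | Out-Null
    }
    Add-LocalGroupMember -Group $groupName -Member $u.Name -ErrorAction SilentlyContinue
}

# 3. Grant the group (not Everyone) Modify on the directory, then expose it as a share
#    with Change access for the same group.
New-Item -ItemType Directory -Path $ftpRoot -Force | Out-Null
$acl  = Get-Acl -Path $ftpRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ftpRoot -AclObject $acl

if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $ftpRoot -ChangeAccess $groupName | Out-Null
}
```

Because the mirrored accounts are local, a compromise of this server exposes only those local credentials, which is the isolation benefit of keeping it out of the domain.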



Posted by Thomas Olsen on September 8, 2006, 6:44 am
Thanks for your reply Steven

The computer is indeed a standalone machine and I am not able to grant
domain users any access to the server. I just wanted to get some feedback if
it should be possible to grant them access or not.

But I will stick to having everyone using FTP to access the data on the
server.

Thanks again.

/Thomas O

> You would only be able to add domain users if the computer was a member of
> the domain or a trusted domain. I would double-check that the computer is
> indeed a stand-alone computer if you can add domain users/groups. A stand-
> alone computer can only grant access to local users/groups that could have
> the same credentials as domain users and allow access to shares, assuming
> IPsec or such is not denying access.
>
> Steve
>
>
>> Hi all
>>
>> I am in the process of installing an FTP server in our organization
>> (Gene6 FTP server running on Windows Server 2003). The server is located
>> in DMZ. I would like internal domain users to be able to access it
>> through windows file sharing and external users to use FTP client.
>> So I thought for security reasons to not add this server to our internal
>> domain.
>>
>> My problem then is that I am not able to add users from our domain to a
>> security group on the FTP server.
>>
>> Is this not possible by design, or am I doing something wrong here?
>>
>> Appreciate some feedback.
>>
>> Thanks.
>>
>> /Thomas
>>
>
>



Posted by Roger Abell [MVP] on September 8, 2006, 9:56 am
> Thanks for your reply Steven
>
> The computer is indeed a standalone machine and I am not able to grant
> domain users any access to the server. I just wanted to get some feedback
> if it should be possible to grant them access or not.
>
> But I will stick to having everyone using FTP to access the data on the
> server.
>

That sounds like an appropriate plan given that you have elected to have
a non-anonymous access FTP service. One way some allow internal domain
accounts is to have the DMZ have its own domain that trusts the internal.
A trusting domain can then use the accounts of the trusted for such as
access to the FTP server. This way, if the DMZ machines get compromised, the
intruders have access to information about the internal domain, perhaps the
ability to trap account credential info, but they have limited immediate
access to the internal domain as the machines they then own are not in that
domain.
The best way to have a barrier, however, is to have no inherent relationship
between the internal and what is in the DMZ. That does, however, have its
costs (new account management, operational access for backup, monitoring,
etc.).


>> You would only be able to add domain users if the computer was a member
>> of the domain or a trusted domain. I would double-check that the computer
>> is indeed a stand-alone computer if you can add domain users/groups. A
>> stand-alone computer can only grant access to local users/groups that
>> could have the same credentials as domain users and allow access to shares,
>> assuming IPsec or such is not denying access.
>>
>> Steve
>>
>>
>>> Hi all
>>>
>>> I am in the process of installing an FTP server in our organization
>>> (Gene6 FTP server running on Windows Server 2003). The server is located
>>> in DMZ. I would like internal domain users to be able to access it
>>> through windows file sharing and external users to use FTP client.
>>> So I thought for security reasons to not add this server to our internal
>>> domain.
>>>
>>> My problem then is that I am not able to add users from our domain to a
>>> security group on the FTP server.
>>>
>>> Is this not possible by design, or am I doing something wrong here?
>>>
>>> Appreciate some feedback.
>>>
>>> Thanks.
>>>
>>> /Thomas
>>>
>>
>>
>
>



Posted by Steven L Umbach on September 8, 2006, 1:11 pm
No, you cannot give "domain" accounts access by finding them and adding them
in the ACLs for a stand-alone computer. Like I said, you can create local
user accounts that have the same credentials as the domain users, though that
is a lot of work for more than a few dozen users. Otherwise consider Roger's
suggestions. If need be, as a last resort after making a risk management
decision, you could leave the computer in the domain, making sure that it is
properly hardened and monitored. If you do that, however, under no
circumstances log on to it locally or otherwise with any domain-level
administrator account to manage it [and configure user rights to enforce that,
with the understanding that other administrators can modify those user
rights], but instead use a local administrator account or regular domain
account that is in the local Administrators group of that server only, and
also make sure it has a unique password for the built-in Administrator
account and disable it so that it is only available in Safe Mode. The risk
being that keyboard monitoring software could capture credentials and
malicious scripts could take advantage of such logons to escalate privileges
in the domain. Then also make sure that the firewall or IPsec policy only
allows it to access domain computers with the ports/protocols needed.

Steve


> Thanks for your reply Steven
>
> The computer is indeed a standalone machine and I am not able to grant
> domain users any access to the server. I just wanted to get some feedback
> if it should be possible to grant them access or not.
>
> But I will stick to having everyone using FTP to access the data on the
> server.
>
> Thanks again.
>
> /Thomas O
>
>> You would only be able to add domain users if the computer was a member
>> of the domain or a trusted domain. I would double-check that the computer
>> is indeed a stand-alone computer if you can add domain users/groups. A
>> stand-alone computer can only grant access to local users/groups that
>> could have the same credentials as domain users and allow access to shares,
>> assuming IPsec or such is not denying access.
>>
>> Steve
>>
>>
>>> Hi all
>>>
>>> I am in the process of installing an FTP server in our organization
>>> (Gene6 FTP server running on Windows Server 2003). The server is located
>>> in DMZ. I would like internal domain users to be able to access it
>>> through windows file sharing and external users to use FTP client.
>>> So I thought for security reasons to not add this server to our internal
>>> domain.
>>>
>>> My problem then is that I am not able to add users from our domain to a
>>> security group on the FTP server.
>>>
>>> Is this not possible by design, or am I doing something wrong here?
>>>
>>> Appreciate some feedback.
>>>
>>> Thanks.
>>>
>>> /Thomas
>>>
>>
>>
>
>
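As an added example (not from the thread, and not Microsoft's own script), the "last resort" hardening Steve lists for a DMZ server that stays in the domain, expressed in PowerShell for a current Windows version: deny domain-level administrators every logon type on this box through user rights, give the built-in Administrator a unique password and disable it, and restrict outbound traffic to the domain controllers on the ports membership needs. The domain name, DC addresses and port list are assumed placeholders.

```powershell
# Added example: harden a domain-joined DMZ member server per Steve's post.
# Assumes an elevated PowerShell 5.1+ session on Windows Server 2012 R2 or later.
$domainNetbios = 'CORP'                      # assumed NetBIOS domain name
$dcAddresses   = @('10.0.0.10', '10.0.0.11') # constructed DC addresses

function Get-Sid([string]$account) {
    ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. User rights: Domain Admins and Enterprise Admins may not log on here in any way,
#    so a captured logon on this box cannot hand out domain-level credentials.
#    Administration is done with a local admin or a plain domain account that is only
#    in this server's local Administrators group. (Another admin can undo this; audit it.)
$deny = '*' + (Get-Sid "$domainNetbios\Domain Admins") + ',*' + (Get-Sid "$domainNetbios\Enterprise Admins")
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $deny
SeDenyRemoteInteractiveLogonRight = $deny
SeDenyNetworkLogonRight = $deny
SeDenyBatchLogonRight = $deny
SeDenyServiceLogonRight = $deny
"@
$infPath = Join-Path $env:TEMP 'deny-domain-admins.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\deny.sdb" /cfg $infPath /areas USER_RIGHTS | Out-Null

# 2. Unique password for the built-in Administrator (RID 500), then disable it;
#    a disabled built-in Administrator remains usable in Safe Mode.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$builtin | Set-LocalUser -Password (Read-Host -AsSecureString 'Unique password for built-in Administrator')
$builtin | Disable-LocalUser

# 3. Outbound: allow only the domain controllers on the AD ports, block the rest.
#    Add the RPC dynamic range and any other destination this server legitimately needs
#    before enabling the default block, or domain operations will fail.
New-NetFirewallRule -DisplayName 'DMZ to DC (AD TCP)' -Direction Outbound -Action Allow `
    -RemoteAddress $dcAddresses -Protocol TCP -RemotePort 53,88,135,389,445,464,636,3268 | Out-Null
New-NetFirewallRule -DisplayName 'DMZ to DC (AD UDP)' -Direction Outbound -Action Allow `
    -RemoteAddress $dcAddresses -Protocol UDP -RemotePort 53,88,123,389,464 | Out-Null
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
```

Verify the user-rights change afterwards with `secedit /export` or the Local Security Policy console, and watch the Security log on this server for logon attempts by the denied groups.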


