Posted by Steven L Umbach on August 27, 2006, 12:04 pm
That of course is normally a great solution, but in this case it sounds like
the file server is the domain controller, which means IPsec could not be
implemented, as an IPsec require policy on a DC will cause problems with the
domain member computers. Since it may be a small network, someone else
mentioned that this worked for them. They configured the users' account
properties in ADUC so that they were restricted to what computer they could
log on to, and then they could not access domain resources from a non-domain
computer, assuming that the non-domain computer did not have a name in the
list. It never occurred to me that it would work for network logon, and I
tried it out and sure enough it worked, giving some obscure message when I
tried to access a domain share. While it is not a foolproof security
solution, it may help in smaller networks. Alas, as you said, none of this will
most likely stop a determined user from copying files anyhow from their
domain computer.
Steve
> Search on ms.com for the guidance papers on using
> IPsec for "domain isolation"
>
> You could apply techniques from them to allow only domain
> members to have network traffic with the fileshare server.
>
> However, your users could/would just save copies to their
> workstations and copy to their non-domain laptops/devices
> from there (or email the docs out).
>
> Your attempt to accomplish this by setting permissions to
> administrators and domain computers did not work because
> the access is not being done by the domain computers but by
> the account logged into the domain comp, so the check is
> against that user account, not the computer account.
>
>> Single Windows Server 2003. All workstations are Windows XP SP2.
>>
>> I'm trying to restrict access to the shared files on the Server to
>> computers that are members of the Domain and so far it isn't working
>> out too well.
>>
>> Basically, we are allowing people to bring in laptop computers and
>> connect to our network for Internet access and for access to certain
>> printers but do not want to allow access to any shared files on the
>> Server. We don't want any files copied to a laptop and leaving the
>> premises. These computers are Workgroup computers; not Domain
>> computers. I tried setting the Permissions for the shared files to
>> only allow access by Administrators and Domain Computers, but this cut
>> off access by all computers even though the computers I tested with
>> were clearly members of the Domain Computers group.
>>
>> Any idea what I'm missing here? Do the Permissions/Security settings
>> need to be some combination of Domain Computers and Authenticated
>> Users in order to accomplish this?
>>
>> Please help.
>>
>> Thanks.
>>
>> James
>
>