How to restrict file access to Domain Computers Only

Posted by Steven L Umbach on August 27, 2006, 3:28 pm
I hope that helps out, and be sure to test it, but my initial test indicated
that if the user is logged onto a computer not in the list as I described
they will not be able to access domain shares. Also keep in mind that just
because users can not see USB drives might not mean that they can not be
accessed from the command line, though I assume you have disabled command
line access, including to command.com, for which you could create a Software
Restriction Policy, or disable 16 bit apps (assuming none are needed in your
network) via Group Policy computer configuration/administrative
templates/Windows components/application compatibility - prevent access to
16 bit applications set to enabled. Also if you are not aware of it there is
a registry mod for XP SP2 where you can disable write access to USB devices
which can be implemented via a Group Policy startup script or creating a
custom .adm for computer configuration.

Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx

Controlling block storage devices on USB buses

What does controlling block storage devices on USB buses do?
This feature provides the ability to set a registry key that will prevent
write operations to USB block storage devices, such as memory sticks. When
this registry key is enabled, the devices function only as read-only
devices. You can implement this setting as part of a security strategy to
prevent users from transporting data using these devices.

Who does this feature apply to?
- Users who do not want data to be written from their computer to a
  USB storage device.
- IT professionals who want to implement organization controls over
  the use of USB block storage devices.

What settings are added or changed in Windows XP Service Pack 2?
Setting name:    WriteProtect
Location:        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
Default value:   DWORD=0
Possible values: 0 - Disabled
                 1 - Enabled



> Thanks to all for the good ideas. I never thought of restricting their
> ability to logon from other computers. That sounds like the solution I
> want.
>
> I'm not really looking for a foolproof solution. If they are determined, it
> will take someone better than I to stop them. But, all email is monitored
> and sending files without consent is a releasable offense; remote "personal"
> mailboxes are prohibited (and Internet traffic is monitored); and USB
> devices do not appear in My Computer or Windows Explorer.
>
> The home laptop, on the other hand, seemed like a huge gaping hole that
> needed a plug; even an imperfect one.
>
> Thanks again.
>
> Later.
>
> James
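As an added example (not from Steve's post or from the Microsoft text he quotes), a PowerShell script in the shape of a Group Policy computer startup script that applies the WriteProtect setting described above idempotently and reports what actually ended up in the registry. It assumes it runs elevated on XP SP2 or later, where the StorageDevicePolicies key is honoured.

```powershell
# Added example: enforce the XP SP2 'WriteProtect' USB block-storage setting
# quoted above and report the value that is actually present afterwards.
# Run as an administrator, e.g. from a Group Policy computer startup script.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtectState {
    # Returns 'Enabled', 'Disabled', or 'NotConfigured' (key or value absent).
    if (-not (Test-Path $KeyPath)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-UsbWriteProtect {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )
    $desired = if ($State -eq 'Enabled') { 1 } else { 0 }
    # The key does not exist by default, so a startup script has to create it.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force overwrites an existing value, which makes repeated runs harmless.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $desired -Force | Out-Null
    Get-UsbWriteProtectState
}

$before = Get-UsbWriteProtectState
$after  = Set-UsbWriteProtect -State Enabled
Write-Output "WriteProtect before: $before, after: $after"
# A non-zero exit code shows up in the startup-script event log entry, so a
# machine that silently failed to take the setting is visible to the admin.
if ($after -ne 'Enabled') { exit 1 }
```

The value only governs block storage devices on the USB bus; as the thread itself notes, it does nothing about copying to a share on a non-domain machine.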



Posted by Roger Abell [MVP] on August 28, 2006, 1:02 am
> That of course is normally a great solution but in this case it sounds
> like the file server is the domain controller which means ipsec could not
> be implemented as an ipsec require policy on a DC will cause problems with
> the

Good catch Steve, I overlooked the "single server" part of the post.
(but IPsec can, just not simply, be used on a DC).

> domain member computers. Since it may be a small network, someone else
> mentioned that this worked for them. They configured the users' account
> properties in ADUC so that they were restricted to what computer they
> could logon to and then they could not access domain resources from a non
> domain computer assuming that the non domain computer did not have a name
> in the list. That never occurred to me that it would work for network
> logon and I

But, I log into my domain workstation and map a drive that is shared by
my plugged in laptop at 10.0.1.53, i.e. .0.1.63\stash$

> tried it out and sure enough it worked giving some obscure message when I
> tried to access a domain share. While it is not a foolproof security
> solution it may help in smaller networks. Alas as you said none of this
> will most likely stop a determined user from copying files anyhow from
> their domain computer.
>
> Steve
>
>
>> Search on ms.com for the guidance papers on using
>> IPsec for "domain isolation"
>>
>> You could apply techniques from them to allow only domain
>> members to have network traffic with the fileshare server.
>>
>> However, your users could/would just save copies to their
>> workstations and copy to their non-domain laptops/devices
>> from there (or email the docs out).
>>
>> Your attempt to accomplish this by setting permissions to
>> administrators and domain computers did not work because
>> the access is not being done by the domain computers but by
>> the account logged into the domain comp, so the check is
>> against that user account, not the computer account.
>>
>>> Single Windows Server 2003. All workstations are Windows XP SP2.
>>>
>>> I'm trying to restrict access to the shared files on the Server to
>>> computers that are members of the Domain and so far it isn't working out
>>> too well.
>>>
>>> Basically, we are allowing people to bring in laptop computers and
>>> connect to our network for Internet access and for access to certain
>>> printers but do not want to allow access to any shared files on the
>>> Server. We don't want any files copied to a laptop and leaving the
>>> premises. These computers are Workgroup computers; not Domain computers.
>>> I tried setting the Permissions for the shared files to only allow access
>>> by Administrators and Domain Computers, but this cut off access by all
>>> computers even though the computers I tested with were clearly members of
>>> the Domain Computers group.
>>>
>>> Any idea what I'm missing here? Do the Permissions/Security settings
>>> need to be some combination of Domain Computers and Authenticated Users
>>> in order to accomplish this?
>>>
>>> Please help.
>>>
>>> Thanks.
>>>
>>> James
>>
>>
>
>
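The account-level restriction Steve describes in the quoted text (the ADUC "Log On To" list, which lives in the userWorkstations attribute) as an added PowerShell example using the ActiveDirectory module; this is not from the thread, and the group name 'Staff' and the computer names are placeholders. The audit function at the end finds accounts that still have no list, i.e. the gap the thread is closing.

```powershell
# Added example: apply the ADUC "Log On To" restriction discussed above to every
# user in a group, via the ActiveDirectory module (Windows Server 2008 R2+).
# The restriction is stored in userWorkstations as a comma-separated list of
# NetBIOS computer names; an account with an empty list can log on anywhere.
# 'Staff' and the PCnn names are placeholders for this example.
Import-Module ActiveDirectory

function Set-AllowedLogonWorkstations {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$ComputerNames
    )
    # Only domain-joined computers make sense here; reject unknown names so a
    # typo neither locks a user out nor leaves the list quietly wrong.
    foreach ($name in $ComputerNames) {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
            throw "Computer '$name' is not a domain member"
        }
    }
    $list = ($ComputerNames | Sort-Object -Unique) -join ','
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Set-ADUser -Identity $_.DistinguishedName -Replace @{ userWorkstations = $list }
            [pscustomobject]@{ User = $_.SamAccountName; LogOnTo = $list }
        }
}

function Get-UnrestrictedUsers {
    # Audit: enabled accounts with no "Log On To" list can still authenticate
    # from a workgroup laptop plugged into the LAN.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties userWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.userWorkstations) } |
        Select-Object SamAccountName
}

# The check compares the workstation name the client presents at logon with
# the list, so, as the thread says, it is a deterrent rather than a hard boundary.
Set-AllowedLogonWorkstations -GroupName 'Staff' -ComputerNames 'PC01', 'PC02', 'PC03'
Get-UnrestrictedUsers
```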



Posted by Steven L Umbach on August 28, 2006, 1:52 am
That is a good point that you could access a share on your laptop from your
domain computer to transfer data. In that case an ipsec policy could be
implemented that could require ipsec [even null ESP] for all outbound traffic
from the domain workstations, with exceptions for the IP addresses of the
domain controller and internet traffic outside the subnet, and make sure that
regular domain users can not add workstations to the domain, unlike the
default configuration. Again that is not a 100 percent solution if someone
was able to put their computer on the network with the IP address of a domain
controller, though usually tcp/ip will detect an existing IP address and deny
access via the duplicate IP address I believe. The user should consider
another server for file serving so that he could implement an ipsec require
policy on it. I hope Vista allows domain controllers to use ipsec for
traffic used for authentication to it [which includes SMB] between domain
controllers and domain workstations or at least improves on the current
situation so that SMB can be protected. I read that is a good possibility.

Steve

