prevent access to shared folder when not on a domain computer

microsoft.public.windows.server.security
Posted by koolkat on July 11, 2005, 8:50 pm
Hi,

Is there a way of preventing shared folder access from a non-domain member
computer?

Currently if a user brings his personal laptop to the office and gives the
pathname to his shared folder in Windows explorer he is asked for the
username and password. Since the same user has an account on the domain he
can then access the shared folder on his personal laptop. Is there a way of
preventing this?


Posted by Roger Abell on July 11, 2005, 11:10 pm
The most effective way we have thought of is to use IPsec defs so that the
machine sharing-out requires Kerberos based machine security association
so that it will not communicate except to domain members.

--
Roger Abell
Microsoft MVP (Windows Security)





Posted by Steven L Umbach on July 12, 2005, 1:17 am
One solution would be to use IPsec with an IPsec server require policy on
the server which by default will then allow only domain computers with a
compatible IPsec policy to access the server. By default IPsec in a forest
will use Kerberos for "computer" authentication before a security
association will allow communications. Note this will not work if the server
is a domain controller as you must configure IPsec policies to exempt domain
controllers from IPsec ESP/AH with other domain computers for at least
authentication and AD traffic. IPsec policies must be carefully planned and
tested first so as to not lock out domain computers from legitimate traffic.
See the links below if interested. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

--- using ipsec for domain isolation
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949


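A present-day rendering of the "server require" policy Steve describes, added here as an example and not taken from the thread. It assumes the shares live on a domain-joined member server (not a DC, per the caveat above) running Windows Server 2012 or later, where the NetSecurity PowerShell module exists; in the 2003-era setup discussed in the thread the same policy was built with the IP Security Policy MMC snap-in or "netsh ipsec static". The rule display name and the scope (SMB on TCP 445 only) are choices for this example, not anything from the original posts.

```powershell
# Added example: require IPsec with computer-Kerberos authentication for
# inbound SMB, so only domain-member machines can reach the shares.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated session
# on the member server hosting the shares. Rule name is an assumption.
Import-Module NetSecurity

$ruleName = 'Require domain-computer IPsec for SMB'

# Phase 1 (main mode) authentication: computer account via Kerberos only.
# A laptop that is not a domain member has no computer account in AD and
# therefore cannot complete this step, regardless of what user credentials
# its owner could type at a share prompt.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1AuthSet  = New-NetIPsecPhase1AuthSet -DisplayName "$ruleName (Phase 1)" `
                                        -Proposal $p1Proposal

# Phase 2 user authentication is intentionally not configured: the machine
# check is layered on top of the normal share/NTFS user checks, not a
# replacement for them (Roger's point about user-context access checks).

# Scope the rule to inbound SMB only, so nothing else on the server changes.
# InboundSecurity Require: unauthenticated inbound SMB is dropped.
# OutboundSecurity Request: the server still talks to peers that cannot do
# IPsec when it is the client, which avoids locking it out of other hosts.
New-NetIPsecRule -DisplayName $ruleName `
    -Description 'Inbound SMB (TCP 445) only from Kerberos-authenticated domain computers' `
    -Profile Domain `
    -Protocol TCP -LocalPort 445 -RemotePort Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1AuthSet.Name `
    -Enabled True

# Verification after a domain-joined client opens \\server\share: a main-mode
# SA should exist whose identities are the two computer accounts, plus a
# quick-mode SA for port 445. From a non-domain laptop no SA appears at all.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalPort, RemotePort
```

Test it from both sides before relying on it: from a domain member the share opens normally and the two Get-NetIpsec*SA calls on the server list the negotiated associations; from a non-domain laptop the connection to \\server\share fails before any credential prompt appears, because no IPsec security association can be negotiated and the SMB packets are never admitted. Roll the rule out with -Enabled False first and enable it only after confirming that every legitimate domain client can still negotiate, which is the planning and testing step Steve warns about.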




Posted by koolkat on July 12, 2005, 12:48 am
Thanks Steven,

Unfortunately the shared folders reside on a Win 2003 Server that also acts
as the backup domain controller, so from what you mentioned below I won't be
able to use IPsec on my server. Isn't there any other method of preventing
non-domain computers accessing shared folders?

Regards,
----------------------



Posted by Roger Abell on July 12, 2005, 8:44 am
Shared folder access is checked within the user account context.
So, to control access based on machines rather than users you
need to use something that does its checks based on machines,
applied at a level in addition to the user access checks, and
that something right now appears to be IPsec.
You could consider moving the folders to a non-DC in order
to support your objective.

--
Roger Abell
Microsoft MVP (Windows Security)




