Restrict Windows login to certain IPs/hosts for certain domain accounts?
- From: christopher@xxxxxxxxxxx
- Date: 27 Apr 2007 20:40:59 -0000
Hello to all,
I'm working with a particular client who would like to use a certain
domain account with local admin rights for config and other monitoring
via BMC, but would like to restrict that account so that it can only
log on to other systems from a single IP or a small range of IPs
(i.e., the monitoring servers), so that its local admin rights are not
used/abused by others. The client has Windows 2000 and 2003 servers,
and mostly 2000 and XP workstations. The client is using Cisco
Security Agent on the servers, so if that can factor in, that would be
fine, too. Essentially, we need an account with local admin that can
do anything on those systems for the monitoring but can't mess with AD
and can't be used from other locations by other users who might know
the password (or attackers who have guessed the password).
Is this possible? Would simply restricting local logon/TS logon via
user rights be enough? Anyone have ideas that might be helpful? I'm
wide open to suggestions; the Windows guys here are pretty good, but
even they aren't sure how to approach this. Thanks for any assistance.
Sincerely,
Chris Mallow
- Follow-Ups:
- RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?
- From: Wayne S. Anderson
- RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?
- From: Durr, Robert
- RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?
- Prev by Date: SecurityFocus Microsoft Newsletter #339
- Next by Date: RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?
- Previous by thread: SecurityFocus Microsoft Newsletter #339
- Next by thread: RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?
- Index(es):
Relevant Pages
|
