Re: Require connecting systems to be a Domain Computers

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/10/05

    Date: Fri, 10 Jun 2005 09:58:18 -0500

    If you have an ipsec require policy on the server and use the default
    kerberos computer authentication for the ipsec SA then the computer must be
    a domain member to connect to the server. There are a couple of things to
    keep in mind. In such a case the server must not be a domain controller, the
    ipsec require policy will need to exempt all domain controllers with a rule
    that has a permit filter action for all traffic and the domain controllers
    listed in a filter by their static IP addresses, and any domain client that
    needs to connect to that server will need to be ipsec capable and be using
    at least the ipsec respond/client policy. Ipsec policies should be
    thoroughly tested out, preferably on a test domain or at least a test OU,
    before implementing. You can use AH, ESP, or null encryption ESP if you do
    not want the overhead of encryption. The links below may help. --- Steve

    http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949 ---
    applies to Windows 2003 also

    "Kevin3DR" <dont.spam@me.com> wrote in message
    news:un7ja1hqsj54rvpnndfr1v1hjijo1e3o4o@4ax.com...
    > Does anyone know how to prohibit computers from connecting to a
    > Windows 2003 Server share unless the system they are connecting from
    > is a member of the domain?
    >
    > I have a few "power users" and developers who keep removing their systems
    > from the domain, and just connecting to the server by browsing and
    > using their domain credentials. These users need to be able to add
    > computers to the domain, as they reinstall Windows often to test stuff
    > on clean machines.
    >
    > If I don't allow them to connect to the file server unless their
    > system is a part of the domain, that will solve the problem.
    >
    > I feel that this should be such an obvious thing to do, but I have yet
    > to see any information on how to do this.
    >
    > Kevin
    >
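The server-side policy Steve describes (a require policy with Kerberos machine authentication, plus a permit rule that exempts the domain controllers by static IP), written out as a netsh ipsec static script. This is an added example, not code from the original thread; the DC addresses 10.0.0.10 and 10.0.0.11 and all policy, filter list and action names are constructed placeholders, and the script configures the local policy of a Windows Server 2003 member server rather than a GPO.

```batch
@echo off
rem Added example (not from the original post): "require" IPsec policy on a
rem Windows Server 2003 member server (must NOT be a domain controller).
rem Assumptions: 10.0.0.10 / 10.0.0.11 are placeholder DC addresses; the
rem names below are made up for this example.

rem 1. Policy container; the default response rule is not wanted here.
netsh ipsec static add policy name="Require-Domain-Members" description="Only domain members may connect" activatedefaultrule=no

rem 2. Exempt the domain controllers: permit all traffic to/from each DC by
rem    static IP. Kerberos to the DCs must work before IKE can authenticate,
rem    so this rule cannot itself require IPsec. The more specific DC filters
rem    take precedence over the catch-all filter added in step 3.
netsh ipsec static add filterlist name="DC-Exempt"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=me dstaddr=10.0.0.10 protocol=ANY mirrored=yes description="DC1 (placeholder)"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=me dstaddr=10.0.0.11 protocol=ANY mirrored=yes description="DC2 (placeholder)"
netsh ipsec static add filteraction name="Permit-All" action=permit
netsh ipsec static add rule name="Exempt-DCs" policy="Require-Domain-Members" filterlist="DC-Exempt" filteraction="Permit-All"

rem 3. All other traffic must negotiate IPsec using Kerberos (domain member
rem    computer accounts). inpass=no: no unsecured inbound traffic;
rem    soft=no: never fall back to clear text for non-IPsec peers.
rem    ESP[None,SHA1] is null-encryption ESP (integrity only), as the post
rem    allows; use ESP[3DES,SHA1] if confidentiality is also wanted.
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Require-Kerberos" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=no soft=no
netsh ipsec static add rule name="Require-All" policy="Require-Domain-Members" filterlist="All-Traffic" filteraction="Require-Kerberos" kerberos=yes

rem 4. Assign the policy (only one local IPsec policy is active at a time).
netsh ipsec static set policy name="Require-Domain-Members" assign=yes

rem On each domain client the built-in respond-only policy is sufficient:
rem   netsh ipsec static set policy name="Client (Respond Only)" assign=yes
rem Review the result with: netsh ipsec static show policy name="Require-Domain-Members"
```

A machine that has left the domain has no computer account, so IKE Kerberos authentication fails and its connection to the share is simply not established; run this first on a test box, since a wrong DC exemption locks the server out of the domain itself.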

