Re: Require connecting systems to be a Domain Computers

From: Kevin3DR (dont.spam_at_me.com)
Date: 06/11/05


Date: Fri, 10 Jun 2005 18:18:20 -0500

Yeah, it looks like that will work. Thank you again for your
assistance.

I was hoping that it would be a little easier, like a local policy or
something in which I include the group Domain Computers.

Oh well.

On Fri, 10 Jun 2005 09:58:18 -0500, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>If you have an ipsec require policy on the server and use the default
>kerberos computer authentication for the ipsec SA then the computer must be
>a domain member to connect to the server. There are a couple of things to
>keep in mind. In such case the server must not be a domain controller, the
>ipsec require policy will need to exempt all domain controllers with a rule
>that has a permit filter action for all traffic and the domain controllers
>listed in a filter by their static IP addresses, and any domain client that
>needs to connect to that server will need to be ipsec capable and be using
>at least the ipsec respond/client policy. Ipsec policies should be
>thoroughly tested out on preferably a test domain or at least a test OU
>before implementing. You can use AH, ESP, or null encryption ESP if you do
>not want the overhead of encryption. The links below may help. --- Steve
>
>http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949 ---
>applies to Windows 2003 also
>
>"Kevin3DR" <dont.spam@me.com> wrote in message
>news:un7ja1hqsj54rvpnndfr1v1hjijo1e3o4o@4ax.com...
>> Does anyone know how to prohibit computers from connecting to a
>> Windows 2003 Server share unless the system they are connecting from
>> is a member of the domain?
>>
>> I have a few "power users" and developers who keep removing their systems
>> from the domain, and just connecting to the server by browsing and
>> using their domain credentials. These users need to be able to add
>> computers to the domain, as they reinstall Windows often to test stuff
>> on clean machines.
>>
>> If I don't allow them to connect to the file server unless their
>> system is a part of the domain, that will solve the problem.
>>
>> I feel that this should be such an obvious thing to do, but I have yet
>> to see any information on how to do this.
>>
>> Kevin
>>
>
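The policy Steve describes (an IPsec "require" policy on the file server, Kerberos computer authentication for the SA, and a permit rule that exempts the domain controllers by static IP) can be built with the netsh ipsec static context that ships with Windows Server 2003. The script below is an added example and is not from the thread or from Microsoft's documentation; the policy, filter list and rule names, and the domain controller addresses are assumptions, and the netsh parameter names are taken from the 2003-era netsh ipsec static syntax, so check them against `netsh ipsec static add rule help` on the target before relying on them.

```powershell
# Added example: IPsec "require" policy for a Windows Server 2003 file server.
# Builds what the thread describes: every inbound/outbound connection must negotiate
# an IPsec SA authenticated with Kerberos (so only domain-joined computers succeed),
# except traffic to/from the domain controllers, which is permitted in the clear.
# Run in an elevated prompt on the file server, in a TEST OU first (as Steve advises).
# Names and IPs below are assumed placeholders, not values from the thread.

$PolicyName   = "Require-DomainMembers"          # assumed policy name
$DomainCtrls  = @("10.0.0.10", "10.0.0.11")       # constructed placeholder DC static IPs
$Integrity    = "AH[SHA1]"                        # or "ESP[None,SHA1]" for null-encryption ESP,
                                                  # or "ESP[3DES,SHA1]" if you also want encryption

# 1. The policy container.
netsh ipsec static add policy name=$PolicyName `
    description="Require Kerberos-authenticated IPsec from all peers; exempt DCs"

# 2. Filter list for the domain controllers: one mirrored filter per DC, all protocols.
#    Windows IPsec applies the MOST SPECIFIC matching filter, so these host-specific
#    filters win over the catch-all list below regardless of rule order.
netsh ipsec static add filterlist name="DC-Exempt" description="Traffic to/from domain controllers"
foreach ($dc in $DomainCtrls) {
    netsh ipsec static add filter filterlist="DC-Exempt" `
        srcaddr=me dstaddr=$dc protocol=ANY mirrored=yes description="Exempt DC $dc"
}

# 3. Catch-all filter list: this server <-> any address, all protocols.
netsh ipsec static add filterlist name="All-Traffic" description="Everything else"
netsh ipsec static add filter filterlist="All-Traffic" `
    srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# 4. Filter actions. "negotiate" with inpass=no and soft=no is the "Require Security"
#    behaviour: no unsecured inbound traffic is accepted and no fallback to clear text.
netsh ipsec static add filteraction name="Permit-Clear" action=permit
netsh ipsec static add filteraction name="Require-IPsec" `
    action=negotiate inpass=no soft=no qmsecmethods=$Integrity

# 5. Rules. kerberos=yes selects the default Kerberos computer authentication, which is
#    what ties the SA to domain membership: a non-domain machine has no machine ticket.
netsh ipsec static add rule name="Exempt-DCs" policy=$PolicyName `
    filterlist="DC-Exempt" filteraction="Permit-Clear" kerberos=yes
netsh ipsec static add rule name="Require-From-All" policy=$PolicyName `
    filterlist="All-Traffic" filteraction="Require-IPsec" kerberos=yes

# 6. Assign the policy (only one local policy can be assigned at a time; a domain
#    GPO-assigned IPsec policy would override this local one).
netsh ipsec static set policy name=$PolicyName assign=y

# Verify what was built, and keep the rollback handy while testing:
netsh ipsec static show policy name=$PolicyName level=verbose
# Rollback: netsh ipsec static set policy name=$PolicyName assign=n
```

Two things from the thread worth checking before assigning the policy: domain clients that must reach the share need at least the built-in "Client (Respond Only)" policy assigned (otherwise the required negotiation never starts and they are simply cut off), and the server itself must not be a domain controller, since the DC exemption above would then have to exempt the server from its own policy. The Oakley/IPsec events in the Security and System logs on the server are the first place to look when a client that should connect cannot.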