Re: Deny access to certain IP address

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 09/01/05


Date: Wed, 31 Aug 2005 20:06:25 -0400

Thanks... but I'm still confused. If they're accessing files and shares on
the servers, aren't they using accounts on the servers that are under your
control? Or if they don't have accounts, then they shouldn't be able to
harm the servers, correct? Most spyware I'm familiar with could affect the
client computers, and could put extra strain on the Internet connection, but
I would think they shouldn't touch or affect servers, especially those where the
users don't have accounts.

If their computers are sending traffic directly to your servers and/or
severely clogging your internal network performance, I would expect that's
most likely due to viruses rather than spyware / adware. If so, then using
IPsec blocking is a good idea that might indeed reduce the amount of traffic
on the network somewhat, and restricting user accounts would not help that
at all.

In that case, I would also first recommend putting the same rules on the
router separating you from them, or put in a cheap firewall like
www.netscreen.com. That way, you can centrally control the rules instead of
having to configure rule changes across multiple servers and have more
assurance that it's working as expected. If there aren't any routers
between you and them, then I guess that could be a problem.

"Craig B" <CraigB@discussions.microsoft.com> wrote in message
news:630F3EDA-8E0E-498F-831B-1343C5C0160A@microsoft.com...
> The reason, since you want to know, is that we have non-domain users working in
> our offices that work for another company we have no control over; that's the
> real world reason. Sure I would like to either make them a domain user and
> control their PCs or just say no they can't get on our network but I don't
> have that power. They use us just as a DHCP provider then use our internet
> and in the process spew their spyware all over our network.
>
> "Karl Levinson, mvp" wrote:
>
> > You lose accountability if users use shared accounts. That's not a
> > Microsoft thing. I guess there could be some "real world" reasons why you
> > would need to use shared accounts, like poorly written apps, but it's to be
> > avoided.
> >
> > You can use IPSec rules to block access per IP address. Note that with
> > Microsoft IPsec it is not really feasible to log and view the traffic. I
> > agree with the other posters that this is not likely to be as secure or
> > reliable as blocking per user ID, because all that user needs to do is log
> > into a different account, or set a static IP address instead of getting one
> > from DHCP. Whatever caused your environment to deviate from best security
> > practices, I hope it's possible to reconsider this.
> >
> > http://securityadmin.info/faq.asp#ipsec
> >
> >
> > "Craig B" <CraigB@discussions.microsoft.com> wrote in message
> > news:FAFF801A-ED8C-43B8-8ACE-5F514AA280C0@microsoft.com...
> > > It's a long story but basically I work in the real world where everything
> > > isn't always the perfect MS way. Permissions will not work.
> > >
> > > I will look for other methods
> > >
> > > "Phillip Windell" wrote:
> > >
> > > > That is the wrong approach. You should be controlling access based on who
> > > > the user is, not what their IP# happens to be. What do you mean by
> > > > "Permissions won't work at this point"? There is no reason permissions
> > > > shouldn't work.
> > > >
> > > > --
> > > > Phillip Windell [MCP, MVP, CCNA]
> > > > www.wandtv.com
> > > > -----------------------------------------------------
> > > > Understanding the ISA 2004 Access Rule Processing
> > > > http://www.isaserver.org/articles/ISA2004_AccessRules.html
> > > >
> > > > Microsoft Internet Security & Acceleration Server: Guidance
> > > > http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> > > > http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
> > > >
> > > > Microsoft Internet Security & Acceleration Server: Partners
> > > > http://www.microsoft.com/isaserver/partners/default.asp
> > > > -----------------------------------------------------
> > > >
> > > >
> > > > "Craig B" <CraigB@discussions.microsoft.com> wrote in message
> > > > news:E968040C-4DA1-4560-B52A-851AACCAD3B7@microsoft.com...
> > > > > How would you go about denying access to various 2000/2003 servers to one
> > > > > specific IP address?
> > > > >
> > > > > I know how to block at my firewall but an internal user is inside and I need
> > > > > to block his access to various servers. Permissions won't work at this point.
> > > > > I used DHCP to lock his pc to a certain IP address and now I want to block
> > > > > this IP address' access to various servers.
> > > > >
> > > > > Thanks
> > > >
> > > >
> > > >
> >
> >
> >
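As an added example (not code from Karl or any other poster), here is the local IPsec blocking policy discussed above expressed as netsh commands for Windows Server 2003; the address 192.168.1.50 is a constructed placeholder for the workstation being blocked, and the policy names are my own choice.

```batch
@echo off
rem Added example (not from the thread): block one internal IP address at the
rem server with a local IPsec blocking policy, as Karl suggests.
rem Assumes Windows Server 2003; "netsh ipsec static" does not exist on
rem Windows 2000 (which used ipsecpol.exe). Run as a local administrator.
rem 192.168.1.50 is a constructed sample address for the blocked workstation.

set BLOCKED_IP=192.168.1.50
set POL=BlockHost-%BLOCKED_IP%

rem 1. Policy container.
netsh ipsec static add policy name="%POL%" description="Drop all traffic to/from %BLOCKED_IP%"

rem 2. Filter list with one mirrored filter (matches both directions) for all
rem    protocols between the blocked host and this server ("Me").
netsh ipsec static add filterlist name="%POL%-filters"
netsh ipsec static add filter filterlist="%POL%-filters" srcaddr=%BLOCKED_IP% dstaddr=Me protocol=ANY mirrored=yes description="All traffic from %BLOCKED_IP%"

rem 3. A "block" filter action: matching packets are dropped, nothing is
rem    negotiated and, as Karl notes, nothing is logged.
netsh ipsec static add filteraction name="%POL%-block" action=block

rem 4. Rule tying the filter list and action to the policy, then assign the
rem    policy so the IPsec driver enforces it. Only one IPsec policy can be
rem    assigned per computer; a domain IPsec policy delivered by Group Policy
rem    overrides this local one.
netsh ipsec static add rule name="%POL%-rule" policy="%POL%" filterlist="%POL%-filters" filteraction="%POL%-block"
netsh ipsec static set policy name="%POL%" assign=y

rem Verify what is active; a ping from the blocked host should now time out.
netsh ipsec static show policy name="%POL%" level=verbose

rem To back it out later:
rem   netsh ipsec static set policy name="%POL%" assign=n
rem   netsh ipsec static delete policy name="%POL%"
```

The script has to be repeated on every server, which is why Karl prefers a rule on the router or firewall between the two networks, and the block keys on an address the user can change by setting a static IP, the weakness both Karl and Phillip point out.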