Re: VPN Security, locking out non domain members



You are right, but imho it is a lot better to have computer certificate
authentication (+ user auth, of course), instead of trusting a simple client
side script (w2k3 quarantine control...).

--

************************
Best regards
Bagins
************************


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:Ok%2379Q9qGHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
If the computer subsequently joins another domain, the certificate is
still in place. But we can argue that the computer account still has to be
in the right group in the AD to connect. Well, I can modify that system
(or its clone), do whatever - and the account is still in the group
because the system wasn't administratively deleted from the domain.

So the original goal of "domain members only" is suddenly replaced with
"systems based on the legitimate domain members". Which brings up the
whole problem of endpoint security.

I also believe that RAS has to authenticate users, not computers.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-


"bagins" <dejan /at\ levaja /.\ com> wrote in message
news:%23OqdBjyqGHA.4032@xxxxxxxxxxxxxxxxxxxxxxx
It does, if you set permissions on the cert template only for domain
computers.

--

************************
Best regards
Bagins
************************


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:%23Tsq7kxqGHA.3248@xxxxxxxxxxxxxxxxxxxxxxx
That doesn't make sure that the computers are members of the domain...

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"bagins" <dejan /at\ levaja /.\ com> wrote in message
news:Owqr3QrqGHA.1796@xxxxxxxxxxxxxxxxxxxxxxx
You can issue computer certificates to your clients, and use them for
authentication.
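An added illustration of the point argued in this thread (example code, not something any of the posters wrote): a machine certificate issued through a template that only Domain Computers may enroll from proves the machine was a member at enrollment time, not that it still is. The snippet models a RAS policy decision in two stages, a PKI check (issuer and revocation) and a live directory check (account exists, is enabled, is in the required group), plus the user authentication the posters agree is needed. The directory snapshot, CA name, hostnames, serial numbers and group name are all constructed for the example; no real AD, CA or VPN API is called.

```python
"""Machine-certificate VPN access check: PKI validity alone vs. a live
directory check. All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class ComputerCert:
    subject_dns: str   # DNS name the machine enrolled with (constructed)
    issuer: str        # issuing CA distinguished name (constructed)
    serial: int        # certificate serial number (constructed)


@dataclass
class ComputerAccount:
    enabled: bool
    groups: Set[str]


# Constructed stand-in for the directory. ws02 left the domain and its
# account was deleted, but the certificate on the box is still valid.
# ws03 was disabled but never removed.
TRUSTED_ISSUER = "CN=Corp Issuing CA (constructed)"
REQUIRED_GROUP = "VPN-Computers"
DIRECTORY: Dict[str, ComputerAccount] = {
    "ws01.corp.example": ComputerAccount(True, {"Domain Computers", REQUIRED_GROUP}),
    "ws03.corp.example": ComputerAccount(False, {"Domain Computers", REQUIRED_GROUP}),
}
REVOKED_SERIALS: Set[int] = {1003}   # constructed CRL contents


def cert_is_trusted(cert: ComputerCert, revoked: Set[int] = REVOKED_SERIALS) -> bool:
    """Stage 1: what certificate-only authentication checks.

    Passes for any certificate the CA issued and has not revoked, including
    one on a machine that has since left the domain."""
    return cert.issuer == TRUSTED_ISSUER and cert.serial not in revoked


def account_is_current(cert: ComputerCert,
                       directory: Dict[str, ComputerAccount] = DIRECTORY,
                       required_group: str = REQUIRED_GROUP) -> bool:
    """Stage 2: is the computer account still present, enabled and authorised?

    This closes the 'certificate outlives membership' gap from the thread.
    It does not catch a clone of a legitimate member whose account was never
    removed; that needs revocation of the original certificate."""
    acct: Optional[ComputerAccount] = directory.get(cert.subject_dns)
    return acct is not None and acct.enabled and required_group in acct.groups


def vpn_decision(cert: ComputerCert, user_authenticated: bool,
                 directory: Dict[str, ComputerAccount] = DIRECTORY,
                 revoked: Set[int] = REVOKED_SERIALS) -> str:
    """Combine machine certificate, directory state and user authentication."""
    if not cert_is_trusted(cert, revoked):
        return "deny: certificate untrusted or revoked"
    if not account_is_current(cert, directory):
        return "deny: computer account missing, disabled or not in group"
    if not user_authenticated:
        return "deny: user authentication required"
    return "allow"


if __name__ == "__main__":
    ws02 = ComputerCert("ws02.corp.example", TRUSTED_ISSUER, 1002)
    print("cert-only view of ws02:", cert_is_trusted(ws02))            # True
    print("policy view of ws02:  ", vpn_decision(ws02, True))          # deny
```

The interesting case is ws02: `cert_is_trusted` still returns True, which is exactly the situation described above where the certificate stays in place after the machine leaves, while `vpn_decision` denies it because the account is gone. The cloned-machine case is not solved by either stage and has to be handled by revoking the original certificate once the clone is detected.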
