RE: Dialup Special Group
From: Greg (123@123.com)
Date: 12/02/02
- In reply to: Jack Wang: "RE: Dialup Special Group"
From: "Greg" <123@123.com> Date: Mon, 2 Dec 2002 10:02:01 -0800
Then what is the purpose of the Dialup group??? You'd
think MS would provide this sort of protection, especially
since the claim is C2 level security.....
>-----Original Message-----
>Hi Greg,
>
>I have checked the Dialup group in VPN and RAS and found that the group could not be
>used in this situation since the user will not be added into the Dialup group.
>
>Sincerely,
>Jack Wang
>Microsoft Online Support Professional
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>When responding to posts, please "Reply to Group" via
>your newsreader so that others may learn and benefit
>from your issue.
>=====================================================
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>--------------------
>| From: "Greg" <123@123.com>
>| Subject: RE: Dialup Special Group
>| Date: Mon, 25 Nov 2002 09:52:04 -0800
>|
>| Sure I know what you're saying however you cannot add
>| people to the special security group DIALUP. That group's
>| membership is specific to what you do on the network.
>| Theoretically when you access the network through Routing
>| and Remote access you become a member of the DIALUP group
>| automatically.
>|
>| My purpose is due to a security policy. We have a certain
>| folder, we'll call it "secure", that cannot be accessed by
>| remote users. Certain users access this folder when in the
>| office but they cannot use VPN or DIAL-in when they have
>| permissions to access the "secure" Folder. Currently, if
>| they have permission to the "secure" folder we have to
>| manually disallow them use of VPN or Dial-in. We want them
>| to be able to VPN but at the same time they VPN they get
>| denied access to the "secure" folder. However, when they
>| are in the office they should be able to access this
>| folder. The way the DIALUP group is defined, it should
>| work by placing the DIALUP group on the "secure" folder
>| and set DENY permission and add a "secure" group RW. That
>| way when someone VPN's or Dial-in they become,
>| automatically, a member of the DIALUP group therefore
>| denied access when dialed in. And when they are in the
>| office they gain access to the "secure" folder via
>| the "secure group" and they are now not a member of the
>| DIALUP group since they are not VPN'd anymore.
>|
>| FYI, you only see the DIALUP group when adding permissions
>| to a folder/file. You don't see it in Active Directory
>| since membership is controlled through the software.
>|
>| Greg
>| >-----Original Message-----
>| >Hi Greg,
>| >
>| >After the user joins in the domain remotely, the permissions of the user will be the same
>| >as the local user account unless you use another user account to logon remotely. I
>| >understand that you can add the user in two groups such as dialup and LAN. However,
>| >the user will be a member of the two groups no matter of logging on locally or remotely.
>| >So, if the LAN group has the permission to access the folder, the user will access the
>| >folder locally and remotely. If you deny the dialup group to access the folder, the user
>| >will not access the folder even if he logs on locally.
>| >
>| >Could you let me know the goal that you would like to achieve? Why do you need to
>| >deny the access permission of the folder when the user logs on remotely?
>| >
>| >Sincerely,
>| >Jack Wang
>| >Microsoft Online Support Professional
>| >--------------------
>| >| From: "Greg" <123@123.com>
>| >| Subject: Dialup Special Group
>| >| Date: Fri, 22 Nov 2002 13:31:53 -0800
>| >|
>| >| I would like to deny VPN (and/or Dialin) users access to
>| >| a "Folder" when they are entering the Network remotely.
>| >| However, when the same user is in the network on the LAN
>| >| they can gain access. To do this I was thinking about
>| >| adding the DIALUP special security group to the folder and
>| >| DENY access and giving Domain Users RW access.
>| >|
>| >| Isn't the DIALUP security group a group that
>| >| controls membership based on what you are doing on the
>| >| network? As in, when you dial up (or go through R&R Remote
>| >| Access) then you automatically become a member of this
>| >| group. Just like Authenticated User and Creator Owner.
>| >| Here is what I found on ms support as an explanation of
>| >| this group.
>| >|
>| >| SID: S-1-5-1
>| >| Name: Dialup
>| >| Description: A group that includes all users who have
>| >| logged on through a dial-up connection. Membership is
>| >| controlled by the operating system.
>| >|
>| >| So in theory a VPN user becomes a member of the DIALUP
>| >| group, therefore can be denied access when the group is
>| >| added to the permissions of the folder.
>| >|
>| >| I can't seem to get this to work. Any ideas? Or does
>| >| anyone know of an alternative method to accomplish this?
>| >|
>| >| Thanks,
>| >| Greg
>
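
Added example, not part of the original thread: a simplified Python model of how a DACL is evaluated against the SIDs in a token, applied to the "secure" folder design discussed above. Only S-1-5-1 comes from the thread; the user and "secure" group SIDs and the token contents are constructed, and owner rights, privileges and inheritance are left out of the model.

```python
# Simplified model of Windows DACL evaluation; not Windows API code.
from dataclasses import dataclass

DIALUP = "S-1-5-1"                             # SID quoted in the thread
SECURE_GROUP = "S-1-5-21-1111-2222-3333-1105"  # constructed placeholder
USER = "S-1-5-21-1111-2222-3333-1201"          # constructed placeholder
READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str   # "deny" or "allow"
    sid: str
    mask: int

def access_check(token_sids, dacl, desired):
    """Walk the ACEs in order and apply those whose SID is in the token."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True               # every requested right granted
    return False                          # nothing granted it: implicit deny

# DACL proposed in the thread: DENY for DIALUP, RW for the "secure" group.
SECURE_FOLDER = [Ace("deny", DIALUP, READ | WRITE),
                 Ace("allow", SECURE_GROUP, READ | WRITE)]

def scenarios():
    office = {USER, SECURE_GROUP}
    remote_with_dialup = office | {DIALUP}   # what the design assumes
    remote_without_dialup = set(office)      # what the support reply reports
    swapped = list(reversed(SECURE_FOLDER))  # allow ACE ahead of the deny
    return {
        "office": access_check(office, SECURE_FOLDER, READ),
        "remote, DIALUP in token": access_check(remote_with_dialup, SECURE_FOLDER, READ),
        "remote, DIALUP absent": access_check(remote_without_dialup, SECURE_FOLDER, READ),
        "remote, DIALUP in token, allow first": access_check(remote_with_dialup, swapped, READ),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The deny entry has an effect only when S-1-5-1 is actually in the token being checked, and only when it is ordered ahead of the allow entry.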