Re: user rights

From: Steven L Umbach (n9rou@attbi.com)
Date: 03/15/03


From: "Steven L Umbach" <n9rou@attbi.com>
Date: Sat, 15 Mar 2003 01:34:06 GMT


      My guess is this is due to supporting backward compatibility for W98/95
machines. There are still millions of them used as workstations. W98/95 were
not designed as robust security operating systems and machines running them
cannot be joined to a domain. A W98/95 machine can only be configured to
prompt a user to enter a username/password to log onto a domain. If you have
a real need to secure W2K computers against this kind of access you can
implement an ipsec "require" policy on them within a forest using ipsec, and
an ipsec "client" policy on those W2K/XP computers to be allowed access.
However I (and others) have not had good luck implementing ipsec require
policy on domain controllers and that would cause problems joining computers
to a domain. However I have seen recent posts here from MS (thanks for the
help guys/ladies) explaining that may be due to a need to modify policy to
accommodate icmp traffic. -- Steve

"Nathan" <n.kemble@empunity.com> wrote in message
news:046901c2ea52$9a1e2580$2f01280a@phx.gbl...
> I have experienced this as well at the workstation level. I
> was working on it for a bit and let it go. I am not sure
> but am interested in what you find out. I have noticed too
> as a local admin on a machine that it has prompted me for
> the Network password and have used the local admin
> password for that machine and let me browse the network
> shares. This is not good for security purposes. There
> must be some kind of cache on a DC that could allow this.
> Anyway, could you let me know what you find out?
> Thanks,
> Nate
>
> >-----Original Message-----
> >I just built a standalone Windows 2000 server that is on
> >our LAN but not in our domain. If I log in as Administrator
> >and then go to the run command and type \\192.168.x.x, it
> >will bring up the shares on our domain. It does not prompt
> >me for domain/user name. If I log on as a local user that
> >does not have administrator rights to that server, it will
> >prompt me for domain/username to log on. How can an
> >administrator of a local machine get access to a domain
> >controller's shares if it does not have access to the
> >domain? I want to try and prevent this. Any ideas? Thanks.
> >
> >Mitch
> >.
> >


