Re: A "secure" Guest account for ISA server
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/14/03
- Next message: Randy: "earlier post re:cant add/remove hardware after usb install"
- Previous message: Robert Moir: "Re: Windows 2000 Advanced Server"
- In reply to: BOT House: "A "secure" Guest account for ISA server"
- Next in thread: Robert Moir: "Re: A "secure" Guest account for ISA server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 14 Dec 2003 20:54:13 GMT
Assuming you need to use the guest account, which I don't know for sure since I am
not an ISA guru, you can replace users/everyone group on acls with the authenticated
users to places you do not want anonymous access as access will be denied. Also
disabling file and print sharing on the ISA server will go a long way to protect it
assuming of course it does not need to offer shares, but that will also disable the
use of Computer Management for remote management. Of course you could still use
Terminal Services to remotely manage the server in administration mode which would
only allow administrators to use it to access the computer and of course complex
passwords must be used. I would also add the guest account to deny logon localy user
right for that computer. --- Steve
"BOT House" <BOTHouse@insight-*-rr-*-com> wrote in message
news:Od86CbnwDHA.3468@TK2MSFTNGP11.phx.gbl...
> Humor me on this, please. I know it's a stupid question.
>
> Given:
>
> a)the Guest account has been renamed
>
> b)the Guest account's password is blank
>
> c)the only right the Guest account needs is "access this computer from the
network", but it doesn't need file or print access
>
> d)this is a Windows 2000 member server in an NT4 domain (AD to be implemented next
year)
>
> How would you go about "securing" the server?
>
> I'm thinking explicit denies on various registry keys and system files.
>
> The problem is this: management wants to deploy an interior anonymous proxy server,
but they want to know who uses it to go where.
> Probably 75% of the users will be from trusted domains. It is up to the untrusted
domains as to how they will prevent "their" users
> from using "our" proxy (yes, it's a political nightmare).
>
> The only way around this that I can see (without an ISA everyone/everywhere
anonymous rule, which is enforced before authentication)
> is a Guest account with a blank password.
>
> This worked well on Proxy 2.0 because it would log PROXYSERVER\UNTRUSTEDDOMAINUSER
whenever someone used the Guest account. ISA
> unfortunately logs ISASERVER\GUESTACCOUNT, but I can live with that.
>
> The ISA server sits behind a PIX so it's not directly exposed to the Internet. It
will support Web Proxy and Firewall clients, but
> not SecureNAT clients.
>
> REGARDLESS OF THE UNDENIABLE FACT THAT ENABLING "GUEST" WITH A BLANK PASSWORD IS A
BAD IDEA, how would you go about locking it down
> as much as possible but retaining ISA functionality?
>
>
- Next message: Randy: "earlier post re:cant add/remove hardware after usb install"
- Previous message: Robert Moir: "Re: Windows 2000 Advanced Server"
- In reply to: BOT House: "A "secure" Guest account for ISA server"
- Next in thread: Robert Moir: "Re: A "secure" Guest account for ISA server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
