Re: how to exclude connections from servers not in the domain ?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/28/04

• Next message: Steven L Umbach: "Re: Where is my "password list?"
• Previous message: anonymous_at_discussions.microsoft.com: "Re: User removed Domain Admins group"
• In reply to: new ms: "how to exclude connections from servers not in the domain ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 27 May 2004 23:22:30 GMT

Use ipsec require policy on those servers. Note that domain controllers must be
exempt from ipsec policies for domain member computers - ipsec is not supported for
traffic between domain controllers and domain members. A computer with ipsec require
policy using default kerberos machine authentication will not allow traffic from any
non domain computer or any domain computer that either does not support ipsec
[W9X/NT4.0], does not have at least a client/respond policy applied to it, or is
otherwise excluded possibly by IP address. Otherwise look into using switches that
can control access by mac address or 802.1X authentication which would also require a
Certificate Authority to issue machine certificates and a radius/IAS server on the
network. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949

"new ms" <newb@q.net> wrote in message
news:5Ystc.50468$tb4.1770523@news20.bellglobal.com...
> I have a server that is a member of an Active Directory domain. How do I
> deny connections (or logon sessions) to my server from any computers
> that are not members of my domain (i.e. either are members of other
> domains, or are not members of any domain at all)?
>
> Note that this is a question about computers, not about users.
>
> Specifically, I want to prevent the scenario where a user has a userid
> and password valid in the domain but is connecting from a computer that
> has not joined the domain.
>
> NM
>
>

• Next message: Steven L Umbach: "Re: Where is my "password list?"
• Previous message: anonymous_at_discussions.microsoft.com: "Re: User removed Domain Admins group"
• In reply to: new ms: "how to exclude connections from servers not in the domain ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Securing the communication between all workstations in a domain ... I am no expert at Ipsec. ... I would try using the server (request ... security) policy in that OU - the secure policy is rather extreme and can ... exempt the domain controllers from ipsec traffic - a request policy may work ... (microsoft.public.win2000.security) Re: how to exclude connections from servers not in the domain ? ... > Use ipsec require policy on those servers. ... > traffic between domain controllers and domain members. ... >> I have a server that is a member of an Active Directory domain. ... (microsoft.public.win2000.active_directory) Re: how to exclude connections from servers not in the domain ? ... > Use ipsec require policy on those servers. ... > traffic between domain controllers and domain members. ... >> I have a server that is a member of an Active Directory domain. ... (microsoft.public.win2000.security) Re: RE: Front End/Back End communication ... and stick that in your DMZ. ... your internal mail server. ... If you are thinking about IPSec policies in Windows then you have to ... (Focus-Microsoft) Re: how to exclude connections from servers not in the domain ? ... Use ipsec require policy on those servers. ... traffic between domain controllers and domain members. ... Certificate Authority to issue machine certificates and a radius/IAS server on the ... (microsoft.public.win2000.active_directory)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint