Re: File Share Security

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/28/04


Date: Thu, 27 May 2004 23:46:24 GMT

This is a copy of my reply to another post from a user asking basically the same
question. Unless you are using ISA and a firewall client, preventing a user from
gaining access to the internet would require the type of switch I mentioned below. A
user does not need any sort of authentication to access the internet otherwise - just
the IP address of the default gateway assuming that the firewall does not block
access due to IP address filtering rules. --- Steve

*****************************************************************

Use IPsec require policy on those servers. Note that domain controllers must be
exempt from IPsec policies for domain member computers - IPsec is not supported for
traffic between domain controllers and domain members. A computer with IPsec require
policy using default Kerberos machine authentication will not allow traffic from any
non-domain computer or any domain computer that either does not support IPsec
[W9X/NT4.0], does not have at least a client/respond policy applied to it, or is
otherwise excluded, possibly by IP address. Otherwise look into using switches that
can control access by MAC address or 802.1X authentication, which would also require a
Certificate Authority to issue machine certificates and a RADIUS/IAS server on the
network. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949

"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:130b001c4439d$b19dc5d0$a401280a@phx.gbl...
> Hi,
>
> We have a Windows 2000 AD domain running on a private
> network behind a firewall. The firewall is the DHCP
> server, set up to use our DC as its primary source for
> DNS and WINS.
>
> Is it possible to use AD to prevent a user from
> connecting their personal notebook computers to any of
> the ports on our LAN and use their domain credentials to
> gain access to our network or Internet connection? Is it
> possible to do this without using smart card
> authentication or setting up a PKI?
>
> Thanks


