Re: File Share Security
From: Brian (anonymous_at_discussions.microsoft.com)
Date: 05/28/04
- Next message: Lanwench [MVP - Exchange]: "Re: Multiple domain/workgroups in Network Places?"
- Previous message: Steven L Umbach: "Re: High Security W2k setup"
- In reply to: Steven L Umbach: "Re: File Share Security"
- Next in thread: Steven L Umbach: "Re: File Share Security"
- Reply: Steven L Umbach: "Re: File Share Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 May 2004 03:26:49 -0700
Steve,
Thank you very much. This is helpful information. I'm
more concerned with non-domain computer access to file
shares with the user using domain user account credentials
to access those shares than Internet access.
On one of our small, 10 client, completely private
non-Internet networks we managed to reduce risk by setting up
a RAS server in front of the data server. The PPTP VPN
connection was preset for each user, the password was
saved and the user didn't know the password. However, the
connection was very slow, even when using the "No
compression" option. This is a 100% gigabit network
(including the multihomed RAS server) and the throughput
was only half of what a standard 100TX connection would
provide, so we abandoned the RAS.
I've only experimented with setting up a RADIUS server
one time; can I use one of those with some type of IPsec
policy that you mentioned earlier without taking such a
huge performance hit? I'll read the links you provided.
Thanks again,
Brian
>-----Original Message-----
>I have to disagree with that. In a Windows 2000 domain default installation a domain
>user can add up to ten workstations to the domain as specified by the user right "add
>workstations to the domain" in Domain Controller Security Policy under user rights.
>Perhaps you were thinking of user accounts.
>
>In a default installation a user can also log onto their laptop as a local user with
>the same logon name/password as their domain account and they will get access to
>domain resources that their user account has permissions to UNLESS default security
>settings have been changed to enable ipsec require policy, smb signing [digitally sign
>communications] is required and laptop does not have it configured, or possibly lan
>manager authentication level has been increased to a setting not compatible with the
>laptop. Only ipsec require policy using default kerberos machine authentication would
>be the sure way to bar communications from non domain computers as far as operating
>system restrictions. --- Steve
>
>
>"Subrahmanya Bhandarkar [MSFT]" <v-subrab@online.microsoft.com> wrote in message
>news:sfrmf4AREHA.3996@cpmsftngxa10.phx.gbl...
>> By Default Adding new computer to the domain only administrator and account
>> operator can perform. So Domain users cannot bring just laptop and plug to
>> LAN and use the network resource without administrator permission.
>>
>>
>> Subbu
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>
>
>.
>
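
The three server-side settings named in the quoted reply, modelled as an added example (not code from the thread or from Microsoft) to show why only the IPsec require policy depends on domain membership. The class and function names are hypothetical, and the LAN Manager level table is a simplified reading of the documented LmCompatibilityLevel values 0-5.

```python
from dataclasses import dataclass

@dataclass
class Server:
    ipsec_require_kerberos: bool  # IPsec "require" policy, Kerberos machine authentication
    require_smb_signing: bool     # "digitally sign communications" is required
    lm_level: int                 # LmCompatibilityLevel enforced for authentication

@dataclass
class Client:
    domain_member: bool           # has a machine account, so Kerberos machine auth can succeed
    smb_signing_enabled: bool     # set locally on the client
    lm_level: int                 # set locally on the client

def client_offers(level):
    """Authentication responses a client sends at a given LmCompatibilityLevel."""
    if level <= 1:
        return {"LM", "NTLM"}
    if level == 2:
        return {"NTLM"}
    return {"NTLMv2"}

def server_accepts(level):
    """Responses accepted at a given LmCompatibilityLevel."""
    if level <= 3:
        return {"LM", "NTLM", "NTLMv2"}
    if level == 4:
        return {"NTLM", "NTLMv2"}
    return {"NTLMv2"}

def blockers(server, client):
    """Names of the server settings that stop this client from reaching the share."""
    found = []
    if server.ipsec_require_kerberos and not client.domain_member:
        found.append("ipsec")
    if server.require_smb_signing and not client.smb_signing_enabled:
        found.append("smb_signing")
    if not (client_offers(client.lm_level) & server_accepts(server.lm_level)):
        found.append("lm_level")
    return found

def holds_for_unmanaged_clients(server):
    """True if a non-domain machine stays blocked even when its owner has
    enabled SMB signing and NTLMv2 locally (both are client-side settings)."""
    matched = Client(domain_member=False, smb_signing_enabled=True, lm_level=5)
    return bool(blockers(server, matched))
```

Run against a server inventory, `holds_for_unmanaged_clients` separates settings that merely break default-configured laptops from the one that keys on the machine's domain membership.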