Re: File Share Security

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 05/29/04


Date: Sat, 29 May 2004 00:08:07 GMT

Hi Brian.

If it is a W2K or Windows 2003 domain and all the computers that need access
to the server [and it is not a domain controller] are W2K/XP Pro you can use
ipsec and do not need a radius/IAS server which would be needed with 802.1X
authentication switches. Kerberos would be the default machine
authentication though you can use certificates.

You could assign a client/respond policy to the client computers and a
secure server/require policy to the server being sure to exempt the domain
controller[s] by their IP addresses in the require policy. Then only a
domain computer in the forest would be able to access that server. By
default ipsec uses ESP for confidentiality and will have somewhat of a
performance hit but should still perform well on the network you described.
If confidentiality of data is not necessary you can use AH [authenticated
header] which will have less of a performance hit or use nics that can
process ipsec at their level. Keep in mind that by default regular users can
add a workstation to a domain up to ten times which can be a security risk.
That can be disabled in Domain Controller Security Policy/user right - add
workstation to the domain. You can remove authenticated users and add domain
admins. The link below is for Windows 2003 ipsec, but I find it very good
and almost all applies to W2K. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/DNSBJ_IPS_OVERVIEW.asp
http://tinyurl.com/2v8na -- same link as above, shorter.
http://www.dlink.com/products/?pid=87 -- an under $500 switch with mac
filtering and 802.1X port authentication [have not tried it myself yet]

"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:1426901c4449e$492f61a0$a001280a@phx.gbl...
> Steve,
>
> Thank you very much. This is helpful information. I'm
> more concerned with non-domain computer access to file
> shares with the user using domain user account credentials
> to access those shares than Internet access.
>
> On one of our small, 10 client, completely private non-
> Internet networks we managed to reduce risk by setting up
> a RAS server in front of the data server. The PPTP VPN
> connection was preset for each user, the password was
> saved and the user didn't know the password. However, the
> connection was very slow, even when using the "No
> compression" option. This is a 100% gigabit network
> (including the multihomed RAS server) and the throughput
> was only half of what a standard 100TX connection would
> provide, so we abandoned the RAS.
>
> I've only experimented with setting up a RADIUS server
> one time; can I use one of those with some type of IPsec
> policy that you mentioned earlier without taking such a
> huge performance hit? I'll read the links you provided.
>
> Thanks again,
> Brian
> >-----Original Message-----
> >I have to disagree with that. In a Windows 2000 domain
> default installation a domain
> >user can add up to ten workstations to the domain as
> specified by the user right "add
> >workstations to the domain" in Domain Controller
> Security Policy under user rights.
> >Perhaps you were thinking of user accounts.
> >
> >In a default installation a user can also log onto their
> laptop as a local user with
> >the same logon name/password as their domain account and
> they will get access to
> >domain resources that their user account has permissions
> to UNLESS default security
> >settings have been changed to enable ipsec require
> policy, smb signing [digitally sign
> >communications] is required and laptop does not have it
> configured, or possibly lan
> >manager authentication level has been increased to a
> setting not compatible with the
> >laptop. Only ipsec require policy using default kerberos
> machine authentication would
> >be the sure way to bar communications from non domain
> computers as far as operating
> >system restrictions. --- Steve
> >
> >
> >"Subrahmanya Bhandarkar [MSFT]" <v-
> subrab@online.microsoft.com> wrote in message
> >news:sfrmf4AREHA.3996@cpmsftngxa10.phx.gbl...
> >> By Default Adding new computer to the domain only
> administrator and account
> >> operator can perform. So Domain users cannot bring
> just laptop and plug to
> >> LAN and use the network resource with out
> administrator permission.
> >>
> >>
> >> Subbu
> >> This posting is provided "AS IS" with no warranties,
> and confers no rights.
> >>
> >
> >
> >.
> >
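As an added example (not commands from Steve, Brian or Microsoft), here is the client/respond plus secure server/require pairing Steve describes, written as `netsh ipsec static` commands as found on XP/2003; the policy, filter list and filter action names and the domain controller addresses 10.0.0.10 and 10.0.0.11 are placeholders I chose. Windows 2000 has no `netsh ipsec`, so there the same objects are built in the IP Security Policy MMC snap-in (or assigned through Group Policy).

```batch
:: Added example, not from the thread. Names and DC addresses below are placeholders.

:: --- On each W2K/XP Pro client: assign the built-in respond-only policy ---
:: The client never initiates IPsec but answers a server that demands it.
netsh ipsec static set policy name="Client (Respond Only)" assign=yes

:: --- On the file server (must NOT be a domain controller) ---
:: 1. The policy container
netsh ipsec static add policy name="File Server Require" description="Require Kerberos-authenticated IPsec from everyone except the DCs"

:: 2. Filter list matching all traffic between this host and anyone
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

:: 3. Filter list naming the DCs. IPsec applies the most specific matching
::    filter, so these single-address filters override "All Traffic".
::    The exemption is required because IKE must reach a DC for the Kerberos
::    machine ticket before any security association can be built.
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=10.0.0.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=10.0.0.11 protocol=any mirrored=yes

:: 4. Filter actions. inpass=no and soft=no mean no fall back to clear text,
::    which is what actually bars non-domain computers; action=permit is the
::    plain-text exemption for the DCs.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Permit" action=permit

:: 5. Rules: kerberos=yes selects the default machine (Kerberos) authentication
::    Steve refers to; certificates would be rootca="..." instead.
netsh ipsec static add rule name="Require from everyone" policy="File Server Require" filterlist="All Traffic" filteraction="Require ESP" kerberos=yes
netsh ipsec static add rule name="Exempt DCs" policy="File Server Require" filterlist="Domain Controllers" filteraction="Permit"

:: 6. Assign and review the result before leaving the console
netsh ipsec static set policy name="File Server Require" assign=yes
netsh ipsec static show policy name="File Server Require" level=verbose
```

With soft=no a workstation that never joined the domain gets no SMB session at all, regardless of the domain credentials typed at it, which is the condition Brian asked about; for AH instead of ESP, edit the filter action's security methods rather than the rules.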


