Re: how to exclude connections from servers not in the domain ?
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 06/06/04
- Next message: Steve Riley [MSFT]: "Re: is there a way to........."
- Previous message: Steve Riley [MSFT]: "Re: Password Policies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 5 Jun 2004 20:11:22 -0700
I have an article in TechNet archives that discusses this specific solution.
http://www.microsoft.com/technet/archive/community/columns/security/askus/aus1201.mspx
--
Steve
steriley@microsoft.com

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:WKutc.10706$Ly.967@attbi_s01...
> Use IPsec require policy on those servers. Note that domain controllers must be
> exempt from IPsec policies for domain member computers - IPsec is not supported for
> traffic between domain controllers and domain members. A computer with IPsec require
> policy using default Kerberos machine authentication will not allow traffic from any
> non-domain computer or any domain computer that either does not support IPsec
> [W9X/NT4.0], does not have at least a client/respond policy applied to it, or is
> otherwise excluded possibly by IP address. Otherwise look into using switches that
> can control access by MAC address or 802.1X authentication which would also require a
> Certificate Authority to issue machine certificates and a RADIUS/IAS server on the
> network. --- Steve
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
> http://support.microsoft.com/?kbid=254949
>
> "new ms" <newb@q.net> wrote in message
> news:5Ystc.50468$tb4.1770523@news20.bellglobal.com...
>> I have a server that is a member of an Active Directory domain. How do I
>> deny connections (or logon sessions) to my server from any computers
>> that are not members of my domain (i.e. either are members of other
>> domains, or are not members of any domain at all)?
>>
>> Note that this is a question about computers, not about users.
>>
>> Specifically, I want to prevent the scenario where a user has a userid
>> and password valid in the domain but is connecting from a computer that
>> has not joined the domain.
>>
>> NM
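
The server-side "require" policy with a domain controller exemption described in the quoted reply, sketched with the `netsh ipsec static` context of Windows Server 2003. This is an added example, not part of the original thread or of the linked articles. The policy, filter list and filter action names are made up for illustration, and 192.0.2.10 is a placeholder for a domain controller address.

```bat
rem Added example: IPsec "require" policy on a member server, Kerberos machine auth.
rem All names below are illustrative; 192.0.2.10 is a placeholder DC address.

rem 1. Create the policy, unassigned for now, without the default response rule.
netsh ipsec static add policy name="Require-Domain-Members" activatedefaultrule=no assign=no

rem 2. Filter list matching all IP traffic between any host and this server.
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem 3. Filter list for the domain controller, which has to stay outside IPsec.
rem    Add one filter per domain controller.
netsh ipsec static add filterlist name="DC-Exempt"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=me dstaddr=192.0.2.10 protocol=any mirrored=yes

rem 4. Filter actions: negotiate security with no cleartext fallback in either
rem    direction (inpass=no, soft=no), and a plain permit for the exemption.
netsh ipsec static add filteraction name="Require-Security" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Permit-Clear" action=permit

rem 5. Rules. The more specific DC filter wins over the any-to-me filter.
netsh ipsec static add rule name="Exempt DC" policy="Require-Domain-Members" filterlist="DC-Exempt" filteraction="Permit-Clear"
netsh ipsec static add rule name="Require IPsec" policy="Require-Domain-Members" filterlist="All-Traffic" filteraction="Require-Security" kerberos=yes

rem 6. Review the result, then assign the policy to make it active.
netsh ipsec static show policy name="Require-Domain-Members" level=verbose
netsh ipsec static set policy name="Require-Domain-Members" assign=yes
```

Assign the policy from the console rather than over a remote session, since a mistake in the filters cuts off network access to the server. Domain members that need to reach it must have at least a client/respond policy applied, as the quoted reply notes.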