Re: 2000 Server access

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/10/04

  • Next message: Steven L Umbach: "Re: Secure Boot Settings "on." Can't turn "off" on local system." 
    Date: Tue, 10 Aug 2004 03:39:53 GMT

    There may be a scripting solution, though I do not know of one offhand. A couple
    things that would work is to modify the user right assignment in Local Security
    Policy of the server to include only the users of the non XP Computers. That user
    right is located under security settings/local policies/user rights - access this
    computer from the network.

    You could also use ipsec to control access to the server if all the other computers
    are Windows 2000. The server could be configured with a require ipsec policy and the
    Windows 2000 computers as client/respond policy. Then you would have to either use
    preshared key or computer certificates as the computer authentication method.
    Certificate is the preferred method for non domains as the preshared key is stored on
    the computer in clear text though the computer user would need to be a local
    administrator to configure ipsec policy in Local Security Policy for a computer. If
    you are using a domain [I was assuming you were not at first], kerberos will be used
    by default for ipsec and you could simply put the XP Pro computers in their own OU
    and not assign an ipsec policy to them while having the other computers in their own
    OU with the ipsec policy assigned. There is a limitation in ipsec in that domain
    computers and domain members can not engage in ipsec negotiation so you need to keep
    that in mind when configuring ipsec policies. The link below explains ipsec more if
    you are interested. --- Steve

    http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
    http://support.microsoft.com/?kbid=254949

    "kevin" <kevin@discussions.microsoft.com> wrote in message
    news:06B4E041-C621-4B72-B7C7-A1AED57275E9@microsoft.com...
    > Does anyone know if it's possible to limit access to a Windows 2000 server
    > based on operating system? Specifically, we want to deny access to Windows XP
    > users in our classroom.
    >
    > Thanks.

  • Next message: Steven L Umbach: "Re: Secure Boot Settings "on." Can't turn "off" on local system."

    Relevant Pages

    • IPSEC with certificates on Windows XP (Certificate donīt have a private key )
      ... I have a question for the Microsoft CSP and IPSEC. ... I have installed a small network of 4 computers. ... computers and two windows 2000 computers. ... The program certreq.exe generate a certificate request. ...
      (microsoft.public.platformsdk.security)
    • Re: Preventing users from c onnecting to shares NOT on the domain..
      ... You could use an ipsec policy, ... put the computers you want to restrict access to only domain computers into ... > The servers might be located on the same subnet of some of the clients. ...
      (microsoft.public.win2000.networking)
    • Re: Preventing users from c onnecting to shares NOT on the domain..
      ... You could use an ipsec policy, ... put the computers you want to restrict access to only domain computers into ... > The servers might be located on the same subnet of some of the clients. ...
      (microsoft.public.win2000.security)
    • Re: Isolate systems
      ... If you have access to the firewall, you might be able to configure what IP ... filtering policy on your computers which is a policy that uses rules with ... Ipsec policies are best when trying to configure for a subnet ... network layout you may be able to implement ...
      (microsoft.public.win2000.security)
    • Re: Isolate systems
      ... You also may want to download the " Securing Windows 2000 Server Security ... to use ipsec "filtering" policies to secure domain controllers and other ... >> filtering policy on your computers which is a policy that uses rules with ...
      (microsoft.public.win2000.security)