Re: Preventing users from connecting to shares NOT on the domain..
From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 01/19/05
- Previous message: Dan: "Re: Unknown startup items"
- In reply to: Javier J: "Re: Preventing users from connecting to shares NOT on the domain.."
- Next in thread: Javier J: "Re: Preventing users from connecting to shares NOT on the domain.."
- Reply: Javier J: "Re: Preventing users from connecting to shares NOT on the domain.."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 Jan 2005 23:23:36 +0100
Hi,
Another question for you. Are the servers on the same subnet as the clients? It would be
a benefit if they were not.
Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain (just
like policies). So you can require IPSec for only a group of PCs (PCs that
are in the same OU). If you require these computers to communicate with other
computers (servers) in the domain while these servers are not in the same domain, some
small changes would be required on the OU where the servers are located. This change
would tell the servers to respond to IPSec requests. This would not be
required if the servers are in their own subnet...
Feel free to post back with any additional questions that you might have. I
will do my best to answer them, but that might not be before some time
tomorrow. I have some work to do and get some sleep...
--
Mike
Microsoft MVP - Windows Security

"Javier J" <no.mail@please.no> wrote in message
news:%23t6PXfm$EHA.608@TK2MSFTNGP15.phx.gbl...
> Hi!!!
>
> I'll give you a little more detail about what I am trying to do:
>
> - The domain is a Windows 2000 Domain, with W2000 Pro Client computers and
> some WXP Pro. There is no "signing" of digital traffic going on.
>
> There is a number (about 50) client PCs that have to be specially
> hardened. Those are all located on the same OU, so if any changes can be
> done at the OU level, that'd be a bonus. From the (admittedly slight) idea I
> have about it, Kerberos settings are domain-wide, but domain-wide changes
> are out of the question at the moment.
>
> I can make almost any change to the Computers in the OU, but the Domain is
> out of my reach (at least, at the moment).
>
> I've done some testing using the GPOs that MS provides with the "Group
> Policy Common Scenarios" docs and accompanying supporting information. I'm
> using a "mix-and-match" version of the AppStation Scenario for the
> computers on the OU.
>
> The computers in the OU _should_ be able to access any of the servers on
> the Domain (i.e., it's not possible to make a choice that limits them to a
> single server), but that might be possible to change.
>
> From looking into the GPO settings on the sample OUs, I've seen settings
> about "digital sign" and "encrypt" communications, so I was wondering if
> there is some combination of settings that requires that all SMB traffic
> be two-way signed. From my understanding of the matter, that'd mean both
> computers are members of the same domain...
>
> Thanks a lot for the prompt response...
>
> Miha Pihler [MVP] wrote:
>> Hi Javier,
>>
>> If you want to prevent your computers from talking to computers that are
>> not part of your domain, create an IPSec policy that would require
>> authentication where you would use Kerberos as authenticating protocol.
>> Computers that are not members of domain will not be able to authenticate
>> and your clients will not want to talk to them.
>>
>> Your clients would need to be Windows 2000 or newer Microsoft operating
>> system.
>>
>> Step-by-Step Guide to Internet Protocol Security (IPSec)
>> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>>
>> Assigning IPSec policy
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
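A worked version of the approach discussed in this thread (require Kerberos-authenticated IPsec on the hardened clients' OU, and let the domain servers respond to it), added here as an illustration; it is not code from either poster. It uses the NetSecurity module cmdlets available on Windows 8 / Server 2012 and later rather than the Windows 2000/XP IPSec policy snap-in the thread is about, and the domain name "contoso.com" and the two GPO names are placeholders; the GPOs are assumed to exist already and to be linked to the client OU and the server OU respectively.

```powershell
# Added example (not from the original thread): two GPO-scoped IPsec policies.
#  - Client GPO: SMB (TCP/445) in both directions MUST be protected by IPsec
#    with computer-account Kerberos authentication. A host that is not a
#    domain member has no computer account, cannot complete main mode, and the
#    SMB connection never opens.
#  - Server GPO: REQUEST IPsec for inbound SMB, so the servers answer the
#    hardened clients' negotiation but still accept plaintext SMB from the
#    rest of the domain that has no IPsec policy assigned.
# Requires: RSAT/GPMC, NetSecurity module, run as a domain admin.
# "contoso.com", "Hardened-Clients-IPsec" and "Servers-IPsec-Respond" are
# assumed names.

function New-KerberosMachineAuthSet {
    param(
        [Parameter(Mandatory)] [string] $GpoSession,
        [Parameter(Mandatory)] [string] $Name
    )
    # Phase 1 authentication: Kerberos with the computer account only.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -DisplayName $Name -Proposal $proposal -GPOSession $GpoSession
}

function Set-HardenedClientIPsecPolicy {
    param(
        [string] $Domain  = "contoso.com",
        [string] $GpoName = "Hardened-Clients-IPsec"   # linked to the client OU only
    )
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
    $auth = New-KerberosMachineAuthSet -GpoSession $session -Name "Kerberos machine auth (clients)"

    # Require on both directions: outbound so the client refuses shares on
    # non-domain machines, inbound so non-domain machines cannot reach the
    # client's own SMB service either.
    New-NetIPsecRule -DisplayName "Require IPsec for SMB (Kerberos machine auth)" `
        -Protocol TCP -RemotePort 445 `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $auth.Name -GPOSession $session | Out-Null

    Save-NetGPO -GPOSession $session
}

function Set-ServerIPsecRespondPolicy {
    param(
        [string] $Domain  = "contoso.com",
        [string] $GpoName = "Servers-IPsec-Respond"   # linked to the server OU
    )
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
    $auth = New-KerberosMachineAuthSet -GpoSession $session -Name "Kerberos machine auth (servers)"

    # Request, not Require: negotiate IPsec when a peer asks for it, fall back
    # to clear text for peers that do not. This is the "small change" on the
    # servers' OU that lets them respond to the clients' IPsec requests.
    New-NetIPsecRule -DisplayName "Respond to IPsec for SMB (Kerberos machine auth)" `
        -Protocol TCP -LocalPort 445 `
        -InboundSecurity Request -OutboundSecurity Request `
        -Phase1AuthSet $auth.Name -GPOSession $session | Out-Null

    Save-NetGPO -GPOSession $session
}

# Check on a hardened client after gpupdate /force and a share access:
# a quick mode SA towards the file server should be listed; a share on a
# non-domain host should fail to connect instead of appearing here.
function Show-ActiveIPsecSAs {
    Get-NetIPsecQuickModeSA | Format-Table -AutoSize
}

Set-HardenedClientIPsecPolicy
Set-ServerIPsecRespondPolicy
```

Only one IPsec policy is in effect on a computer at a time, so a policy delivered by the OU-linked GPO takes precedence over anything assigned at site or domain level for the computers in that OU, which is what lets this be done without touching the domain policy. Kerberos machine authentication only succeeds between computers that are members of the same domain or of trusted domains, so the servers the clients must reach have to be domain members with the responding policy applied; anything else is simply unreachable over SMB from the hardened OU.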