Re: Preventing users from connecting to shares NOT on the domain..
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/21/05
- Next message: Steven L Umbach: "Re: Connecting a client with L2TP"
- Previous message: Steven L Umbach: "Re: How can I prevent Domain lockout when using VPN remotely"
- In reply to: Javier J: "Re: Preventing users from connecting to shares NOT on the domain.."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Jan 2005 15:38:24 -0600
You could use an ipsec policy, though ipsec is computer specific. You could
put the computers you want to restrict access to only domain computers into
their own OU [if not already] and assign an ipsec "require" policy to those
computers. They will then only be able to communicate with domain computers
that have a corresponding ipsec policy of at least "client/respond". Note
that domain controllers must be exempt from any ipsec policies that would
try to engage ipsec negotiation [esp/ah] with them from domain members. The
easiest way would be to add the domain controllers' static IP addresses to
any pertinent ipsec policy with a rule for permit filter action. If you want
to try ipsec be SURE to test it out on a couple of computers first. Though
not as secure a solution, you could also use an ipsec policy "filtering" rule
to block access to certain IP destination addresses, which would require that
the blocked computers have static IP addresses to be effective. See the link
below for more info on ipsec filtering. -- Steve
http://www.securityfocus.com/infocus/1559
"Javier J" <no.mail@please.no> wrote in message
news:uAhzqhw$EHA.3256@TK2MSFTNGP11.phx.gbl...
> Hi!
>
> The servers might be located on the same subnet of some of the clients.
> Not sure about that, would have to check the precise topology.
>
> The idea is:
> These 30+ Client PCs should _only_ be able to access resources on
> computers located on the Domain.
>
> IIRC, all the servers are located on the same OU, but as for their IP
> addresses, I don't know if they're on the OU or not.
>
> To be more precise, the setup is as follows:
>
> + AD
> - Users: Most users are placed on the default container
> |
> - OU=Restricted: OU where we've placed the "secure" client PCs and
> related users.
>
> The OU has two GPOs, one for "Machine" and one for user. The "Machine" GPO
> is set to apply to all Authenticated Users. The "User" GPO _only_ is applied
> to the members of a "Restricted" group.
>
> The users of the "Restricted" group "suffer" a desktop as locked down as
> I've managed to get (Redirected Folders, Roaming User Profiles deleted on
> logoff, no "All Users" programs and folders, etc). The _ideal_ setup would
> be one where the "restricted" can't connect to any non-domain PC, while a
> "normal" user doesn't have to suffer any more restrictions than
> necessary...
>
> The rest of the users/PCs on the domain should still be running "as is",
> that's why I'm looking for policies / changes that can be implemented
> per-OU.
>
> Is this possible with the solution you suggest?
>
> Thanks a lot
>
> Javier J
>
> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> Another question for you. Are servers on same subnet as clients? It would
>> be a benefit if they were not.
>>
>> Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain
>> (just like policies). So you can require IPSec for only a group of PCs
>> (PCs that are in the same OU). If you require these computers to communicate
>> with other computers (servers) in the domain while these servers are not in
>> the same domain, some small changes would be required on the OU where the
>> servers are located. This change would tell the servers to respond to IPSec
>> requests. This would not be required if the servers are in their own subnet...
>>
>> Feel free to post back with any additional questions that you might have.
>> I will do my best to answer them, but that might not be before some time
>> tomorrow. I have some work to do and get some sleep...
>>
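The "require" policy with a permit exemption for the domain controllers that Steve describes, written out as an added example (not from the thread, and not anyone's production policy) in the Windows XP/2003-era `netsh ipsec static` syntax. The policy, filter list and filter action names, and the domain controller addresses 192.0.2.10 and 192.0.2.11, are constructed placeholders.

```batch
@echo off
rem Added example (not from the thread): build the "require IPsec, exempt the
rem DCs" policy Steve describes, using the Windows XP/2003 netsh ipsec static
rem syntax. Names and the DC addresses below are constructed placeholders.
rem Run on a test machine first; once assigned, the box drops all traffic to
rem hosts that cannot complete Kerberos-authenticated IPsec negotiation.

rem Constructed placeholder DC addresses (RFC 5737 documentation range).
set DC1=192.0.2.10
set DC2=192.0.2.11

rem 1. The policy container (left unassigned until the last step).
netsh ipsec static add policy name="RestrictedClients-Require" ^
    description="Only talk to domain members over IPsec" assign=no

rem 2. Filter list matching everything from this host to anywhere.
rem    mirrored=yes (the default) also matches the return direction.
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=me dstaddr=any ^
    protocol=any mirrored=yes

rem 3. Filter list for the domain controllers. A single-host filter is more
rem    specific than "any", and the IPsec driver applies the most specific
rem    matching filter, so these win over All-Traffic regardless of rule order.
netsh ipsec static add filterlist name="Domain-Controllers"
netsh ipsec static add filter filterlist="Domain-Controllers" srcaddr=me ^
    dstaddr=%DC1% dstmask=255.255.255.255 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain-Controllers" srcaddr=me ^
    dstaddr=%DC2% dstmask=255.255.255.255 protocol=any mirrored=yes

rem 4. Filter actions. "Require": negotiate security, accept no cleartext
rem    inbound (inpass=no) and never fall back to cleartext when negotiation
rem    fails (soft=no). "Permit" passes traffic untouched.
netsh ipsec static add filteraction name="Require-IPsec" action=negotiate ^
    inpass=no soft=no
netsh ipsec static add filteraction name="Permit-Clear" action=permit

rem 5. Rules. Kerberos authentication means only domain members can complete
rem    the negotiation, which is what limits connectivity to domain computers.
rem    The DC rule is the permit exemption Steve calls for.
netsh ipsec static add rule name="Require-All" policy="RestrictedClients-Require" ^
    filterlist="All-Traffic" filteraction="Require-IPsec" kerberos=yes
netsh ipsec static add rule name="Permit-DCs" policy="RestrictedClients-Require" ^
    filterlist="Domain-Controllers" filteraction="Permit-Clear"

rem 6. Assign the policy and show what was built for review.
netsh ipsec static set policy name="RestrictedClients-Require" assign=yes
netsh ipsec static show policy name="RestrictedClients-Require" level=verbose

rem The less secure "filtering" variant Steve mentions would instead pair a
rem filter list of the destination addresses to block with
rem     netsh ipsec static add filteraction name="Block-Clear" action=block
rem and only holds as long as those destinations keep static addresses.
```

This writes to the local policy store, which is what you want for the "try it on a couple of computers first" step; the same policy is then recreated for the OU with the Group Policy editor under Computer Configuration > Windows Settings > Security Settings > IP Security Policies, with the DC exemption kept and the domain member servers given at least the built-in "Client (Respond Only)" policy so they answer the negotiation. With `inpass=no soft=no`, any host that is not a domain member (or whose policy does not respond) simply gets no connection, in either direction.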