Re: domain users force only local server access

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/22/05


Date: Fri, 21 Oct 2005 19:00:43 -0500

You can restrict computers using IPsec policies. IPsec is a relatively
complex topic and domain controllers need to be exempt from any policy to
make sure IPsec is not attempted for communications between domain computers
and domain controllers. The link below explains how MS uses IPsec for domain
isolation.

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

Otherwise do as you are suggesting and put those users into a global group
and give that global group the user right for "deny access to this computer
from the network" [see link below] on the network computers you do not want
them to access. However, make sure they do not have that deny user right for
any domain controllers or else authentication and Group Policy problems can
result. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7aca1280-42cd-4511-93df-d95bd748d979.mspx

"m0rk" <no@email.ever> wrote in message
news:MPG.1dc37f76c6bf9f6d989713@news.gradwell.com...
> Is it possible to secure specific domain users/machines on a remote site
> to only have access to that site's local resources and nowhere else on
> the WAN, problem being domain users group is used all over the place for
> initial list/read access?
>
> The users are not employees but clients of ours - this remote office
> needs them to use their local resources but doesn't want the users to
> have any other domain access.
>
> They are to use the local file server, the internet but not the intranet
> which is generally available to all as a home page group policy at
> highest default domain policy level ....
>
> Other than creating a new group such as Untrusted Domain Users and going
> from there I'm not sure where to start .... any pointers?
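
Added example (not part of the original thread): a Python check, run over `secedit /export` text, that the "deny access to this computer from the network" right (SeDenyNetworkLogonRight) is set on the computers the group should not reach and never on a domain controller. The group SID, host names, roles and export contents are constructed for illustration.

```python
import configparser

# Constructed SID standing in for the restricted global group.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

def deny_network_sids(export_text):
    """Accounts holding SeDenyNetworkLogonRight in one secedit export."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(export_text)
    raw = cp.get("Privilege Rights", "SeDenyNetworkLogonRight", fallback="")
    # Entries are comma separated; SIDs carry a leading '*'.
    return {e.strip().lstrip("*") for e in raw.split(",") if e.strip()}

def audit(hosts, restricted_sid):
    """hosts: {name: (role, export_text)}; role is 'dc', 'local' or 'remote'.
    'local' = the site's own server, 'remote' = off-limits computers."""
    findings = []
    for name, (role, text) in sorted(hosts.items()):
        denied = restricted_sid in deny_network_sids(text)
        if role == "dc" and denied:
            findings.append((name, "DC must be exempt from the deny right"))
        elif role == "remote" and not denied:
            findings.append((name, "deny right missing, group can still connect"))
        elif role == "local" and denied:
            findings.append((name, "group is locked out of its local server"))
    return findings

def sample_export(deny_entries):
    """Build a constructed export in the layout secedit writes."""
    lines = ["[Unicode]", "Unicode=yes", "[Privilege Rights]",
             "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544"]
    if deny_entries:
        lines.append("SeDenyNetworkLogonRight = " + ",".join(deny_entries))
    lines += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(lines)

# Constructed inventory: one misconfigured DC, one unprotected remote server.
HOSTS = {
    "DC01":       ("dc",     sample_export(["*" + GROUP_SID])),
    "FS-REMOTE1": ("local",  sample_export([])),
    "HQ-FS1":     ("remote", sample_export(["*S-1-5-32-546", "*" + GROUP_SID])),
    "HQ-WEB1":    ("remote", sample_export(["*S-1-5-32-546"])),
}

if __name__ == "__main__":
    for host, problem in audit(HOSTS, GROUP_SID):
        print(f"{host}: {problem}")
```

On a real host the input comes from `secedit /export /cfg <file> /areas USER_RIGHTS`; the file is usually UTF-16, so decode it before passing the text in.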


