Re: ACL on Interfaces

From: Russ (russell_at_nospam.com)
Date: 11/18/04


Date: Thu, 18 Nov 2004 08:49:00 -0800

Let me clarify myself a bit. You are almost correct about how this is set up.

I've got 10 machines that are dual homed (except the domain controller).
Each of the 10 machines has one interface on 192.168.15.0/24 and one on
192.168.20.0/24. To simplify things, let's call 192.168.15.0/24 the Internet
Int. and 192.168.20.0/24 the Management Int. Only the Internet Int. has a
default gateway to the internet, whereas the Management Int. does not.

Internet traffic, VPN, SQL all come in on the Internet Int., and Sitescope,
MOM, Baseline Security Analyzer traffic all come from the Management Int.

There are developers who vpn into the Internet Int. to do work on that
network. The developers require Remote Desktop Access to the servers, which
means they require Local Administrator rights. Plus, they require local
administrator rights to install our application. NOTE: These users are
part of the domain users group and are NOT domain admins.

Once one of these developers initiates a remote desktop session to any one of
the 10 machines there is nothing preventing them from running an 'ipconfig
/all' and finding what IP addresses are attached to each interface. Hence they
could run a port scan and find IP addresses on the Management Int. that
should not be exposed to them. I have, however, locked down their ability to
change anything with the network cards on those servers.

MY OBJECTIVE:
*To apply some policy only to the developers so that when they log on to
their respective development machine they are not able to send traffic out
the Management Int. But if I log on to the machines, I can. Now, it might
turn out that what I'm trying to do is not possible in Windows 2000 without
putting a firewall in between the networks. I wanted to avoid installing a
firewall if possible because it seems like I would not be the only person
that has attempted this design.

I hope this clears up some confusion.

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23r5fhOTzEHA.924@TK2MSFTNGP10.phx.gbl...
> Russ,
>
> I think we need to back up here, and rather than following on
> the hints of what you think to be the solution, instead get a better
> handle on what your concerns and objectives are.
>
> Rereading, what I now think you are saying is that this machine
> is dual homed. On one side it serves out IIS and on that network
> reside general users. On the other interface you have only
> management uses, and you want to make sure that users from
> the IIS served network cannot access the management network.
>
> If that is the case, then you are already there as long as you do
> not enable routing between the two networks, either through RRAS
> or if this is a W2k3 server by enabling ICS.
> If you wanted to be more strict then you could define IPsec in a
> filtering mode such that the IIS side only listens/responds on the
> Tcp ports needed for IIS and thus guarantee that even if routing
> did accidentally become defined between the two networks, it
> would only be possible for the Tcp 80 and 443 port traffic.
>
> --
> Roger Abell
>
> "Russ" <russellfindley@hotmail.com> wrote in message
> news:eH3tT0DzEHA.3548@TK2MSFTNGP09.phx.gbl...
>> I have two different networks. The first is for all IIS and Domain
>> traffic and the second is for management. In other words, one server
>> will have a network card connected to each LAN.
>>
>> On the LAN that handles the IIS traffic, I will have users that I don't
>> want to grant access to the Management VLAN. I would like to know if
>> there is a way to apply an ACL based upon your user credential that will
>> deny traffic from going out the Management interface. If it could be
>> done as a Group Policy that would be preferred.
>>
>> Thanks
>
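Roger's advice rests on the dual-homed host not forwarding between its two NICs. The following is an added audit check, not code from this thread or from Microsoft, that a defender could run on such a host to confirm the conditions he names (no kernel IP routing, RRAS and ICS not running); the function name Test-DualHomedRouting is my own, and the Get-NetIPInterface check only applies on Windows versions that have that cmdlet.

```powershell
# Added example: verify a dual-homed Windows host is not acting as a router
# between its interfaces. Function name is hypothetical; registry value and
# service names are real Windows identifiers.
function Test-DualHomedRouting {
    $findings = @()

    # IPEnableRouter=1 makes the TCP/IP stack forward packets between NICs.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $ipRouter = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter `
                    -ErrorAction SilentlyContinue).IPEnableRouter
    if ($ipRouter -eq 1) {
        $findings += 'IPEnableRouter is 1: kernel IP forwarding is enabled'
    }

    # RRAS (service RemoteAccess) and ICS (service SharedAccess) can also
    # route or NAT between the two networks, as Roger notes.
    foreach ($svc in 'RemoteAccess', 'SharedAccess') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -eq 'Running') {
            $findings += "$svc service is running"
        }
    }

    # Per-interface forwarding flag on current Windows builds; skipped
    # silently where the NetTCPIP cmdlets do not exist.
    if (Get-Command Get-NetIPInterface -ErrorAction SilentlyContinue) {
        Get-NetIPInterface -AddressFamily IPv4 |
            Where-Object { $_.Forwarding -eq 'Enabled' } |
            ForEach-Object {
                $findings += "Forwarding enabled on interface $($_.InterfaceAlias)"
            }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Routing  = ($findings.Count -gt 0)   # $true means traffic can cross NICs
        Findings = $findings
    }
}

Test-DualHomedRouting | Format-List
```

Run it on each of the 10 servers from an administrative session; any host reporting Routing = True is one where the IPsec port filtering Roger describes becomes the only remaining barrier between the two networks.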


