Re: ACL on Interfaces
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/19/04
- Next message: Steven L Umbach: "Re: Denying file access"
- Previous message: Mark-Allen Perry: "Re: KB Article 831112.."
- In reply to: Russ: "Re: ACL on Interfaces"
- Next in thread: Roger Abell: "Re: ACL on Interfaces"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Nov 2004 18:55:38 -0600
I don't see a direct way to accomplish what you want. However to clarify,
you do not have to be an administrator to logon via Remote Desktop or TS
Remote Administration. That is the default but you can configure RDP
permissions to allow non administrators to use it. Also if the applications
they need to install are .msi or can be converted to .msi packages you can
use Group Policy to assign or publish the applications so that the user does
not need to be a local administrator to install them. On Windows 2003 server
you can use Software Restriction Policies to restrict what a user can
install or run - even if they are a local administrator logging on as a
local administrator with computer policy though it would apply to all local
administrators if using computer policy. I don't know if you are running any
Windows 2003 servers or not. I can't think of much else offhand other than a
strict written user policy prohibiting what could be interpreted as
malicious actions that you might be able to track with auditing enabled.
That is a very difficult situation when access needs to be given to others
as local administrators. --- Steve
"Russ" <russell@nospam.com> wrote in message
news:OgvFD6YzEHA.824@TK2MSFTNGP11.phx.gbl...
> Let me clarify myself a bit. You are almost correct how this is setup.
>
> I've got 10 machines that are dual homed (except the domain controller).
> Each of the 10 machines have one interface on 192.168.15.0/24 and
> 192.168.20.0/24. To simplify things let's call 192.168.15.0/24 (Internet
> Int.) and 192.168.20.0/24 (Management Int.). Only the Internet Int. has a
> default gateway to the internet, whereas the Management Int. does not.
>
> Internet traffic, VPN, SQL all come in on the Internet Int. and Sitescope,
> MOM, Baseline Security Analyzer traffic all come from Management Int.
>
> There are developers who vpn into the Internet Int. to do work on that
> network. The developers require Remote Desktop Access to the servers,
> which means they require Local Administrator rights. Plus, they require
> local administrator rights to install our application. NOTE: These users
> are part of the domain users group and are NOT domain admins.
>
> Once one of these developers initiates a remote desktop session to any one
> of the 10 machines there is nothing preventing them from running an
> 'ipconfig /all' finding what IP addresses are attached to each interface.
> Hence they could run a port scan and find IP addresses on the Management
> Int. that should not be exposed to them. I have however, locked down their
> ability to change anything with the network cards on those servers.
>
> MY OBJECTIVE:
> *To apply some policy only to the developers so that when they log on to
> their respective development machine they are not able to send traffic out
> the Management Int. But, If I log on to the machines, I can. Now, it
> might turn out that what I'm trying to do is not possible in Windows 2000
> without putting a firewall in between the networks. I wanted to avoid
> installing a firewall if possible because it seems like I would not be the
> only person that has attempted this design.
>
> I hope this clears up some confusion.
>
>
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23r5fhOTzEHA.924@TK2MSFTNGP10.phx.gbl...
>> Russ,
>>
>> I think we need to back up here, and rather than following on
>> the hints of what you think to be the solution, instead get a better
>> handle on what your concerns and objectives are.
>>
>> Rereading, what I now think you are saying is that this machine
>> is dual homed. On one side it serves out IIS and on that network
>> reside general users. On the other interface you have only
>> management uses, and you want to make sure that users from
>> the IIS served network cannot access the management network.
>>
>> If that is the case, then you are already there as long as you do
>> not enable routing between the two networks, either through RRAS
>> or if this is a W2k3 server by enabling ICS.
>> If you wanted to be more strict then you could define IPsec in a
>> filtering mode such that the IIS side only listens/responds on the
>> Tcp ports needed for IIS and thus guarantee that even if routing
>> did accidentally become defined between the two networks, it
>> would only be possible for the Tcp 80 and 443 port traffic.
>>
>> --
>> Roger Abell
>>
>> "Russ" <russellfindley@hotmail.com> wrote in message
>> news:eH3tT0DzEHA.3548@TK2MSFTNGP09.phx.gbl...
>>> I have two different networks. The first is for all IIS and Domain
>>> traffic and the second is for management. In other words, one server
>>> will have a network card connected to each LAN.
>>>
>>> On the LAN that handles the IIS traffic, I will have users that I don't
>>> want to grant access to the Management VLAN. I would like to know if
>>> there is a way to apply an ACL based upon your user credential that will
>>> deny traffic from going out the Management interface. If it could be done
>>> as a Group Policy that would be preferred.
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>
>>
>
>
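The controls suggested in this thread (no routing between the two NICs, RDP granted without local admin, Software Restriction Policies, and an assigned IPsec filtering policy) can be checked on a dual-homed host with the read-only audit script below. It is an added example, not code from any poster; it assumes PowerShell 2.0 or later on the server and that the `netsh ipsec static show all` output labels an assigned policy with the word `Assigned`.

```powershell
# Added example (not from the thread): read-only audit of one dual-homed
# Windows host for the mitigations discussed above. Run elevated.
function Get-DualHomedAudit {
    $result = @{}

    # Roger's point: the management network stays isolated only while the host
    # neither forwards packets between its interfaces (IPEnableRouter) nor
    # routes via RRAS.
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $result['IPForwardingEnabled'] = ($tcpip.IPEnableRouter -eq 1)
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $result['RRASStatus'] = if ($rras) { $rras.Status.ToString() } else { 'not installed' }

    # Steve's point: RDP does not require administrator rights. List who has
    # RDP through the Remote Desktop Users group and who is a local Administrator.
    foreach ($group in 'Remote Desktop Users', 'Administrators') {
        $members = Get-WmiObject -Class Win32_GroupUser |
            Where-Object { $_.GroupComponent -match "Name=`"$group`"" } |
            ForEach-Object {
                if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                    "$($Matches[1])\$($Matches[2])"
                }
            }
        $result[$group] = @($members)
    }

    # Software Restriction Policies: DefaultLevel 262144 = Unrestricted (nothing
    # enforced by default), 131072 = Basic User, 0 = Disallowed.
    $safer = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
        -ErrorAction SilentlyContinue
    $result['SRPDefaultLevel'] = if ($safer) { $safer.DefaultLevel } else { 'no SRP policy applied' }

    # IPsec filtering (netsh ipsec static context on XP/2003). Assumption: an
    # assigned policy is reported with an "Assigned : YES" line.
    $ipsec = netsh ipsec static show all 2>$null
    $result['IPsecPolicyAssigned'] = [bool]($ipsec -match 'Assigned\s*:\s*YES')

    return $result
}

$audit = Get-DualHomedAudit
$audit.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Findings a defender would act on for the scenario in the thread.
if ($audit['IPForwardingEnabled']) {
    Write-Warning 'Host routes between its interfaces; the management network is reachable through it.'
}
$rdpAdmins = $audit['Remote Desktop Users'] | Where-Object { $audit['Administrators'] -contains $_ }
if ($rdpAdmins) {
    Write-Warning "RDP users who are also local Administrators: $($rdpAdmins -join ', ')"
}
```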