Re: ACL on Interfaces

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/19/04


Date: Fri, 19 Nov 2004 01:49:09 -0700

Yes, that is more clear as to what's up.
Like Steve mentioned, you do not need to give out admin
for them to TS/RDP into the system.
As devs, they evidently need to test their apps, install,
uninstall, reinstall (right?) and hence the admin is needed
anyway. At any rate, as devs if you set msi's to run with
elevated privs, they would just make an msi to elevate
themselves anyway :-(
I do not see a simple solution for you, to keep them from
probing on the mgmt network, and what is worse, you also
need to keep them from enabling routing into it from the
internet interface (turning on ICS).

-- 
Roger
"Russ" <russell@nospam.com> wrote in message
news:OgvFD6YzEHA.824@TK2MSFTNGP11.phx.gbl...
> Let me clarify myself a bit.  You are almost correct about how this is set up.
>
> I've got 10 machines that are dual homed (except the domain controller).
> Each of the 10 machines have one interface on 192.168.15.0/24 and
> 192.168.20.0/24.  To simplify things let's call 192.168.15.0/24 (Internet
> Int.) and 192.168.20.0/24 (Management Int.).  Only the Internet Int. has a
> default gateway to the internet, whereas the Management Int. does not.
>
> Internet traffic, VPN, SQL all come in on the Internet Int. and Sitescope,
> MOM, Baseline Security Analyzer traffic all come from Management Int.
>
> There are developers who vpn into the Internet Int. to do work on that
> network.  The developers require Remote Desktop Access to the servers, which
> means they require Local Administrator rights.  Plus, they require local
> administrator rights to install our application.  NOTE:  These users are
> part of the domain users group and are NOT domain admins.
>
> Once one of these developers initiates a remote desktop session to any one of
> the 10 machines there is nothing preventing them from running an 'ipconfig
> /all' finding what IP addresses are attached to each interface.  Hence they
> could run a port scan and find IP addresses on the Management Int that
> should not be exposed to them.  I have however, locked down their ability to
> change anything with the network cards on those servers.
>
> MY OBJECTIVE:
> *To apply some policy only to the developers so that when they logon to
> their respective development machine they are not able to send traffic out
> the Management Int.  But, if I log on to the machines, I can.  Now, it might
> turn out that what I'm trying to do is not possible in Windows 2000 without
> putting a firewall in between the networks.  I wanted to avoid installing a
> firewall if possible because it seems like I would not be the only person
> that has attempted this design.
>
> I hope this clears up some confusion.
>
>
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23r5fhOTzEHA.924@TK2MSFTNGP10.phx.gbl...
> > Russ,
> >
> > I think we need to back up here, and rather than following on
> > the hints of what you think to be the solution, instead get a better
> > handle on what your concerns and objectives are.
> >
> > Rereading, what I now think you are saying is that this machine
> > is dual homed.  On one side it serves out IIS and on that network
> > reside general users.  On the other interface you have only
> > management uses, and you want to make sure that users from
> > the IIS served network cannot access the management network.
> >
> > If that is the case, then you are already there as long as you do
> > not enable routing between the two networks, either through RRAS
> > or if this is a W2k3 server by enabling ICS.
> > If you wanted to be more strict then you could define IPsec in a
> > filtering mode such that the IIS side only listens/responds on the
> > Tcp ports needed for IIS and thus guarantee that even if routing
> > did accidentally become defined between the two networks, it
> > would only be possible for the Tcp 80 and 443 port traffic.
> >
> > -- 
> > Roger Abell
> >
> > "Russ" <russellfindley@hotmail.com> wrote in message
> > news:eH3tT0DzEHA.3548@TK2MSFTNGP09.phx.gbl...
> >> I have two different networks.  The first is for all IIS and Domain traffic
> >> and the second is for management.  In other words, one server will have a
> >> network card connected to each LAN.
> >>
> >> On the LAN that handles the IIS traffic, I will have users that I don't want
> >> to grant access to the Management VLAN.  I would like to know if there is a
> >> way to apply an ACL based upon your user credential that will deny traffic
> >> from going out the Management interface.  If it could be done as a Group
> >> Policy that would be preferred.
> >>
> >> Thanks
> >>
> >>
> >>
> >>
> >
> >
>
>

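A defender-side audit for the exposure Roger describes above (routing or ICS switched on behind the admins' backs, or a gateway appearing on the management side of a dual-homed host), added here as an example that is not part of the thread. It assumes a current Windows host with the NetTCPIP module, an elevated session, and that the management subnet is 192.168.20.0/24 as Russ lays out; run it on each server or push it out with Invoke-Command.

```powershell
# Added example (not from the thread): audit a dual-homed Windows host for the
# conditions discussed above: IP forwarding between interfaces, ICS or RRAS
# enabled, and a default gateway on the management-side adapter.
# Assumption: Windows 8 / Server 2012 or later (NetTCPIP module), elevated shell.

param(
    # Constructed value: the management subnet from the thread's description.
    [string]$ManagementPrefix = '192.168.20.'
)

$findings = @()

# 1. System-wide IP routing flag that RRAS/ICS turn on. 1 = host acts as a router.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) { $findings += 'IPEnableRouter=1: host forwards packets between its interfaces' }

# 2. Per-interface forwarding state (can be set independently of the registry flag).
Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.Forwarding -eq 'Enabled' } | ForEach-Object {
    $findings += "Forwarding enabled on interface '$($_.InterfaceAlias)'"
}

# 3. Internet Connection Sharing service (SharedAccess) running or set to auto-start.
$ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($ics -and ($ics.Status -eq 'Running' -or $ics.StartType -eq 'Automatic')) {
    $findings += "ICS service SharedAccess is $($ics.Status) (StartType $($ics.StartType))"
}

# 4. Routing and Remote Access service, the other way routing gets enabled.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') { $findings += 'RRAS (RemoteAccess) service is running' }

# 5. The management adapter must have no default gateway; only the Internet
#    interface is supposed to route out (the design Russ describes).
Get-NetIPConfiguration | Where-Object { $_.IPv4Address.IPAddress -like "$ManagementPrefix*" } | ForEach-Object {
    if ($_.IPv4DefaultGateway) {
        $findings += "Management adapter '$($_.InterfaceAlias)' has default gateway $($_.IPv4DefaultGateway.NextHop)"
    }
}

if ($findings.Count -eq 0) { 'OK: no routing/ICS exposure detected' } else { $findings }
```

Any non-empty output is a host where a local administrator has (deliberately or not) turned the box into a bridge between the two networks; the IPsec filtering Roger suggests limits the damage but does not replace this check.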
