Re: ACL login security access

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/06/05


Date: Wed, 6 Jul 2005 07:20:42 -0700

Steve has pointed you in the correct direction, namely setting
the server that is doing the sharing so that it requires with IPsec
a machine authentication such that only members of your domain
may access it for filesharing.

I wanted to clarify two points where you stated

> I thought that setting the ACL permission to 'Authenticated Users' will
> force the users to login into the domain before they can access the
> shares.

Authenticated Users will force the accessing account to have authenticated
_somewhere_ in the forest. Domain Users would be domain specific.
However, the authentication may be of any type, that is local or network
login, which is where you are having an issue.

> But I was and am wrong; whoever accesses the network and knows the
> credentials can see and copy the company information.
>
> Do any of you know if there is a way to force the users to be logged into
> the domain before they are allowed to access a domain share?

You want to force them not just to be logged into the domain, but to have
logged in to the accessing machine with domain credentials. Again, a
network login is logging into the domain.

-- 
Roger Abell
Microsoft MVP (Windows Security)

"Leonardo Faoro" <leo@firewallsrl.it> wrote in message
news:A933919F-7F65-4445-B555-BCE4406AC66C@microsoft.com...
> Hello,
>
> I need to secure the information contained in my storage servers from
> external intruders.
> I have a W2k3 Domain, in native mode.
> My domain users can logon only on the computer allowed
>
> My problem is that, if one of the employees comes to work with his laptop in
> a bag and joins the network as workgroup (since he can't login with his user
> into the domain from a computer with different MAC) and starts to access the
> enterprise shares using his domain username and password, the situation
> becomes critical. Enterprise data must not leave the Enterprise.
>
> I thought that setting the ACL permission to 'Authenticated Users' will
> force the users to login into the domain before they can access the
> shares.
> But I was and am wrong; whoever accesses the network and knows the
> credentials can see and copy the company information.
>
> Do any of you know if there is a way to force the users to be logged into
> the domain before they are allowed to access a domain share?
>
>
> Please if all this did not sound clear or explanatory enough for you to
> understand let me know, I'll try to find some better words to explain my
> problem.
>
>
> My very thanks,
> -Leonardo
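
One way to apply the IPsec machine-authentication approach described in the reply, added here as an example and not taken from either poster: a local IPsec policy on the Windows Server 2003 file server, built with `netsh ipsec static`, that requires Kerberos computer authentication for inbound SMB. The policy, filter list and filter action names are hypothetical, and the sketch assumes domain clients have an IPsec policy that can respond, such as the built-in "Client (Respond Only)".

```batch
@echo off
rem Added example. All quoted names below are hypothetical.
rem Run on the file server itself; in production the same policy would
rem normally be delivered through Group Policy instead of local netsh.

set POLICY="FileServer - domain machines only"
set FLIST="Inbound SMB"
set FACTION="Require IPsec - no fallback"

rem 1. Create the policy unassigned so nothing is enforced until it is complete.
netsh ipsec static add policy name=%POLICY% assign=no

rem 2. Match file-sharing traffic addressed to this server
rem    (TCP 445 direct-hosted SMB, TCP 139 NetBIOS session service).
netsh ipsec static add filterlist name=%FLIST%
netsh ipsec static add filter filterlist=%FLIST% srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist=%FLIST% srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes

rem 3. Negotiate security, and refuse both unsecured inbound traffic
rem    (inpass=no) and fallback to clear text (soft=no).
netsh ipsec static add filteraction name=%FACTION% action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Tie filter list and action together and authenticate the peer
rem    COMPUTER with Kerberos. A workgroup laptop has no computer account,
rem    so it cannot complete the negotiation even when its user knows
rem    valid domain credentials.
netsh ipsec static add rule name="SMB requires domain machine" policy=%POLICY% filterlist=%FLIST% filteraction=%FACTION% kerberos=yes

rem 5. Review the policy, then assign it.
netsh ipsec static show policy name=%POLICY% level=verbose
netsh ipsec static set policy name=%POLICY% assign=yes
```

Share and NTFS ACLs still decide which users may read the data; the IPsec rule only adds the requirement that the connecting machine is a domain member.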

