Re: ACL login security access

From: Leonardo Faoro (leo_at_firewallsrl.it)
Date: 07/06/05


Date: Wed, 6 Jul 2005 09:19:06 -0700

Hi Steven,

First of all, thank you for your reply.
I am already using IPsec with Kerberos authentication on my Domain network.

What I was looking for is to oblige Domain Users to be logged into the
domain through a computer-like session.
What I'm trying to say is that you can log in to the shared resources using
Kerberos even from a Workgroup machine, just by opening Windows Explorer
and typing \\server\share; you get a prompt asking you to put in your
username and password to enter the resource, and at this point you simply type
Username: domain\user, Password: mypass and YOU ARE IN!! :)
Confirm?

What I need to do is to block this, by obliging the Domain User to have his
machine joined to the Domain and also strictly obliging him to be logged into the
Domain using the Computer profile; not just by opening Windows Explorer and
\\ing to explore the servers and resources.

Do you know if this can be done?
I hope I have been much clearer this time, and I really hope there is a
way to have this done...

My very thanks
-Leonardo

"Steven L Umbach" wrote:

> First off I would enable a strict computer use policy that prohibits
> users from plugging laptops into your network. In addition to your concerns, such a
> computer could be infected with a worm or allow a backdoor into your
> network. Make sure the users understand the policy, sign it, have their own
> copy and understand the consequences, and then strictly enforce the policy.
>
> Having said that, you possibly could use IPsec to protect your servers. Any
> domain computer with a require IPsec policy will not allow communications
> with a computer that cannot authenticate via Kerberos [default
> authentication method], which would be any computer outside of your
> domain/forest. IPsec policies take quite a bit of planning and testing, and
> domain controllers require special consideration, exempting them for
> traffic that involves authentication and Active Directory with domain
> computers. The links below will explain more, and the IPsec white paper on
> domain isolation [last link] would be something you may want to strongly
> consider. --- Steve
>
> http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
> http://www.microsoft.com/downloads/details.aspx?FamilyId=15E5FC29-B52C-41A4-9EE5-D95916FFE53E&displaylang=en
> http://www.microsoft.com/seminar/shared/asp/view.asp?url=/Seminar/en/20030424vcon48/manifest.xml
>
> "Leonardo Faoro" <leo@firewallsrl.it> wrote in message
> news:A933919F-7F65-4445-B555-BCE4406AC66C@microsoft.com...
> > Hello,
> >
> > I need to secure the information contained in my storage servers from
> > external intruders.
> > I have a W2k3 Domain, in native mode.
> > My domain users can log on only on the computers allowed.
> >
> > My problem is that, if one of the employees comes to work with his laptop
> > in a bag and joins the network as a workgroup machine (since he can't log in
> > with his user into the domain from a computer with a different MAC) and
> > starts to access the enterprise shares using his domain username and
> > password, the situation becomes critical. Enterprise data must not leave
> > the Enterprise.
> >
> > I thought that setting the ACL permission to 'Authenticated Users' would
> > force the users to log in to the domain before they can access the
> > shares.
> > But I was and am wrong; whoever accesses the network and knows the
> > credentials can see and copy the company information.
> >
> > Do any of you know if there is a way to force the users to be logged into
> > the domain before they are allowed to access a domain share?
> >
> >
> > Please, if all this did not sound clear or explanatory enough for you to
> > understand, let me know; I'll try to find some better words to explain my
> > problem.
> >
> >
> > My very thanks,
> > -Leonardo
>
>
>
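Steve's "require IPsec" advice expressed with the NetSecurity cmdlets (Windows 8 / Server 2012 and later), as an added example that is not from the thread or from Microsoft's papers. It assumes the file server listens for SMB on TCP 445 and uses placeholder domain controller addresses; the rule demands computer (machine) Kerberos authentication, which is exactly what a workgroup laptop cannot supply, regardless of what user credentials its owner types at the share prompt.

```powershell
# Added example, run elevated on the file server. Placeholder DC addresses;
# replace with your own domain controllers.
$DomainControllers = @('10.0.0.10', '10.0.0.11')

# Phase 1 authentication proposal: computer (machine) Kerberos only.
# A workgroup laptop has no computer account in the domain, so it cannot
# complete this exchange even if the person using it knows a valid
# domain username and password.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Require domain computer (Kerberos)' `
                                      -Proposal $proposal

# Exemption for the domain controllers, as Steve notes: authentication and
# AD traffic to the DCs must keep working without IPsec, otherwise the
# Kerberos exchange that the rule below depends on can never happen.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
                 -RemoteAddress $DomainControllers `
                 -InboundSecurity None -OutboundSecurity None

# Inbound SMB must arrive inside an IPsec SA authenticated with the computer
# Kerberos proposal. Peers that cannot authenticate are dropped before any
# SMB session (and therefore before any username/password prompt) begins.
New-NetIPsecRule -DisplayName 'Require domain computer auth for SMB' `
                 -Protocol TCP -LocalPort 445 `
                 -InboundSecurity Require -OutboundSecurity Request `
                 -Phase1AuthSet $authSet.InstanceID

# Verification: list the rules, then connect from a domain-joined client and
# from a workgroup client; only the former should show a Main Mode SA here.
Get-NetIPsecRule | Where-Object DisplayName -like '*domain*' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA
```

Deploy the same rules through Group Policy rather than per server in production, and start with `-InboundSecurity Request` so that a mistake in the DC exemption does not lock clients out before you have watched the SAs form.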
