Re: prevent access to shared folder when not on a domain computer

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/12/05


Date: Tue, 12 Jul 2005 01:17:35 -0500

One solution would be to use ipsec with an ipsec server require policy on
the server which by default will then allow only domain computers with a
compatible ipsec policy to access the server. By default ipsec in a forest
will use kerberos for "computer" authentication before a security
association will allow communications. Note this will not work if the server
is a domain controller as you must configure ipsec policies to exempt domain
controllers from ipsec ESP/AH with other domain computers for at least
authentication and AD traffic. Ipsec policies must be carefully planned and
tested first so as to not lock out domain computers from legitimate traffic.
See the links below if interested. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
 --- using ipsec for domain isolation
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

"koolkat" <koolkat@discussions.microsoft.com> wrote in message
news:C1665EBF-8458-48E4-802A-61ED1D5A70D2@microsoft.com...
> Hi,
>
> Is there a way of preventing shared folder access from a non-domain member
> computer?
>
> Currently if a user brings his personal laptop to the office and gives the
> pathname to his shared folder in Windows explorer he is asked for the
> username and password. Since the same user has an account on the domain he
> can then access the shared folder on his personal laptop. Is there a way of
> preventing this?
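
The require policy described in the reply, sketched with `netsh ipsec static` as an added example (it is not part of the original post). It scopes the requirement to inbound file-sharing ports on a member server, authenticates computers with Kerberos, and exempts one domain controller. Assumptions: the policy, filter list and action names are made up, `192.0.2.10` is a placeholder for a real domain controller address, and domain clients already have a compatible policy assigned.

```bat
@echo off
rem Added example, not from the original post. Run on the member file server
rem (not on a domain controller). All names below are hypothetical.
setlocal
set POLICY=FileShareRequireIPsec
rem Placeholder address: replace with each domain controller's real IP.
set DC_IP=192.0.2.10

rem 1. Create the policy unassigned so nothing is enforced while it is built.
netsh ipsec static add policy name=%POLICY% description="Require IPsec for SMB" assign=no

rem 2. Filter list matching inbound SMB (445) and NetBIOS session (139) traffic.
netsh ipsec static add filterlist name=SmbInbound
netsh ipsec static add filter filterlist=SmbInbound srcaddr=any dstaddr=me protocol=TCP dstport=445 mirrored=yes
netsh ipsec static add filter filterlist=SmbInbound srcaddr=any dstaddr=me protocol=TCP dstport=139 mirrored=yes

rem 3. Filter list for traffic between this server and the domain controller,
rem    which must stay outside IPsec so authentication and AD traffic still work.
netsh ipsec static add filterlist name=DcExempt
netsh ipsec static add filter filterlist=DcExempt srcaddr=me dstaddr=%DC_IP% protocol=ANY mirrored=yes

rem 4. Actions: negotiate ESP with no fallback to clear text, and plain permit.
rem    inpass=no rejects unsecured inbound packets; soft=no disables fallback.
netsh ipsec static add filteraction name=RequireEsp action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add filteraction name=PermitClear action=permit

rem 5. Rules. kerberos=yes means the peer computer must authenticate with a
rem    domain computer account, which a personal laptop does not have.
netsh ipsec static add rule name=RequireForSmb policy=%POLICY% filterlist=SmbInbound filteraction=RequireEsp kerberos=yes
netsh ipsec static add rule name=ExemptDc policy=%POLICY% filterlist=DcExempt filteraction=PermitClear

rem 6. Review the result, then assign only after testing from a domain client.
netsh ipsec static show policy name=%POLICY% level=verbose
rem netsh ipsec static set policy name=%POLICY% assign=yes
endlocal
```

The assign step is left commented out so the policy can be reviewed and tested against a domain client and a non-domain machine before it takes effect.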


