Re: Granting domain accounts access to a workgroup resource
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Sep 2006 12:11:50 -0500
No, you cannot give "domain" accounts access by finding them and adding them
in the ACLs for a standalone computer. Like I said, you can create local
user accounts that have the same credentials as the domain users, though that
is a lot of work for more than a few dozen users. Otherwise consider Roger's
suggestions. If need be, as a last resort after making a risk management
decision, you could leave the computer in the domain, making sure that it is
properly hardened and monitored. If you do that, however, under no
circumstances log on to it locally or otherwise with any domain level
administrator account to manage [and configure user rights to enforce that
with the understanding that other administrators can modify those user
rights] it but instead use a local administrator account or regular domain
account that is in the local administrators group of that server only and
also make sure it has a unique password for the built-in administrator
account and disable it so that it is only available in Safe Mode. The risk
being that keyboard monitoring software could capture credentials and
malicious scripts could take advantage of such logons to escalate privileges
in the domain. Then also make sure that the firewall or IPsec policy only
allows it to access domain computers with the ports/protocols needed.
Steve
"Thomas Olsen" <thomas_olsen44@xxxxxxxxxxx> wrote in message
news:O4olUPz0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for your reply Steven
The computer is indeed a standalone machine and I am not able to grant
domain users any access to the server. I just wanted to get some feedback
if it should be possible to grant them access or not.
But I will stick to having everyone using FTP to access the data on the
server.
Thanks again.
/Thomas O
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Ow3O79v0GHA.4796@xxxxxxxxxxxxxxxxxxxxxxx
You would only be able to add domain users if the computer was a member
of the domain or a trusted domain. I would double check that the computer
is indeed a standalone computer if you can add domain users/groups. A
standalone computer can only grant access to local users/groups that
could have the same credentials as domain users and allow access to the share
assuming IPsec or such is not denying access.
Steve
"Thomas Olsen" <thomas_olsen44@xxxxxxxxxxx> wrote in message
news:%23WsUX0v0GHA.3476@xxxxxxxxxxxxxxxxxxxxxxx
Hi all
I am in the process of installing an FTP server in our organization
(Gene6 FTP server running on Windows Server 2003). The server is located
in the DMZ. I would like internal domain users to be able to access it
through Windows file sharing and external users to use an FTP client.
So I thought for security reasons to not add this server to our internal
domain.
My problem then is that I am not able to add users from our domain to a
security group on the FTP server.
Is this not possible by design, or am I doing something wrong here?
Appreciate some feedback.
Thanks.
/Thomas
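Added example, not part of the original thread: one way to audit the user-rights enforcement Steve describes for a server left in the domain, by parsing the [Privilege Rights] section of a secedit security-policy export and reporting which deny-logon rights do not yet list the domain administrator groups. Assumptions: trustees appear in the export as *SID entries, the Domain Admins and Enterprise Admins groups share one domain SID, and the function names, sample export and domain SID are constructed for illustration.

```python
import re

# Logon rights that together cover logging on "locally or otherwise".
DENY_RIGHTS = tuple(f"SeDeny{kind}LogonRight" for kind in
                    ("Interactive", "Network", "RemoteInteractive", "Batch", "Service"))
# Well-known RIDs of the domain-level administrator groups checked here.
ADMIN_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}
DOMAIN_SID = re.compile(r"^\*?(S-1-5-21-\d+-\d+-\d+)-(\d+)$", re.I)

def parse_privilege_rights(inf_text):
    """Return {right: [trustee, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [t.strip() for t in value.split(",") if t.strip()]
    return rights

def missing_denies(inf_text, domain_sid):
    """List (right, group) pairs where an admin group of domain_sid is not denied."""
    rights = parse_privilege_rights(inf_text)
    gaps = []
    for right in DENY_RIGHTS:
        denied = set()
        for trustee in rights.get(right, []):
            m = DOMAIN_SID.match(trustee)
            if m and m.group(1).upper() == domain_sid.upper():
                denied.add(m.group(2))
        gaps += [(right, ADMIN_RIDS[r]) for r in sorted(ADMIN_RIDS) if r not in denied]
    return gaps

# Constructed sample export and constructed domain SID, not taken from the thread.
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *{SAMPLE_DOMAIN}-512,*{SAMPLE_DOMAIN}-519
SeDenyRemoteInteractiveLogonRight = *{SAMPLE_DOMAIN}-512
SeDenyNetworkLogonRight = Guest
"""

if __name__ == "__main__":
    for right, group in missing_denies(SAMPLE_INF, SAMPLE_DOMAIN):
        print(f"{group} is not denied {right}")
```

The input is the file written by `secedit /export /cfg <file> /areas USER_RIGHTS`; re-run the check periodically, since, as the reply notes, other administrators can modify those user rights.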