How to deny access to domain shares from a workgroup computer
- From: "swb" <swb_mct@xxxxxxx>
- Date: Tue, 28 Jul 2009 10:40:25 -0500
( I posted a version of the question the Small Business Server newsgroup -
no response - I hope that doesn't violate a posting rule )
Can anyone explain why a local account on a workgroup computer has access to
domain shares (sbs2008) if the local username and password are synchronized
with a domain username and password ?
The local workgroup account is allowed the same access as specified by NTFS
file permissions assigned to the domain account of the same
username/password.
I though the ACL on NTFS file shares on a Domain Controller required the
users access token to include a domain SID for the user.
This seems to be true on all Microsoft networks . . . I audit banks. They
give me a domain admin account for my visit. When I create a matching
account username/password on my notebook, I have access to all shares on the
Microsoft network, only using the domain account they created for me for
terminal service logins.
Is there a Security Option in to disable access to domain shares using a
synchronized local account on a workgroup computer.
Bigger Picture: What is all the Kerberos Trust path stuff about, if access
to shares only requires a synched username/password from any workgroup ?
.
- Follow-Ups:
- Re: How to deny access to domain shares from a workgroup computer
- From: Anthony [MVP]
- Re: How to deny access to domain shares from a workgroup computer
- From: Meinolf Weber [MVP-DS]
- Re: How to deny access to domain shares from a workgroup computer
- Prev by Date: Re: A Standard windows server 2003 security question
- Next by Date: Re: How to deny access to domain shares from a workgroup computer
- Previous by thread: A Standard windows server 2003 security question
- Next by thread: Re: How to deny access to domain shares from a workgroup computer
- Index(es):
Relevant Pages
|
