Workgroup issues

Archived from groups: microsoft.public.win2000.security

Hi guys,

Here, in my company, I have a Windows 2003 Server and all workstations are
WinXP Pro and Windows 2000. There are some users that have Laptops with
Windows 98 and log in my Server using Workgroup. Is there any way to disable
that? I just want that Active Directory computers gain access in my network.

Tks,

Marco
  1. Archived from groups: microsoft.public.win2000.security

    I think you first should have an enforceable signed user policy with consequences for
    users who insist on doing that. How do you know those computers are not infected with
    something that could bring down your network and cause loss of data and time?

    Having said that you have some technical options.

    By default W98 computers use lm authentication. You could configure your Domain and
    Domain Controller Security Policy to have the security option for lan manager
    authentication level to be - respond ntlmv2 only - refuse lm and ntlm. Users who know
    how to update their W98 computers may figure out how to work around that but
    unlikely. Also keep in mind that you can not use that lan manager authentication
    level on RRAS servers and there may be problems with Exchange servers. I am not sure
    about how it affects Exchange servers, you could post in an Exchange newsgroup to
    find out more about if that would be a problem.

    You could use ipsec policy. Any domain computer that has an ipsec require policy would
    not be reachable by a W9X computer because kerberos authentication is used. Ipsec
    ESP/AH however can not be used for communications between domain computers and domain
    controllers, so if you use ipsec domain controllers will have to be exempt by filter
    rules using their static IP addresses. Ipsec also has some overhead [15-30 percent
    maybe], though you could use an AH policy instead of ESP encryption to reduce overhead
    quite a bit. The links below explain ipsec more.

    http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
    http://support.microsoft.com/?kbid=254949


    Another option is switch security. Switches such as the HP Procurve 2524 can restrict
    access based on port isolation, mac filtering, and 802.1x authentication using an IAS
    server and CA server [neither hard to do] on the network to issue computer
    certificates. Mac filtering, though not a 100 percent security solution, can be
    enabled in a learning mode with variable number of allowed addresses per port that
    requires no manual configuring of address tables and can be accomplished in a short
    time on a live network. These security capable switches are much more affordable
    these days. --- Steve

    http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=71523&item=5713919213&rd=1

    "Marco Roberto Gonçalves Junior" <marco.roberto@bol.com.br> wrote in message
    news:OVdRdEwfEHA.2908@TK2MSFTNGP10.phx.gbl...
    > Hi guys,
    >
    > Here, in my company, I have a Windows 2003 Server and all workstations are
    > WinXP Pro and Windows 2000. There are some users that have Laptops with
    > Windows 98 and log in my Server using Workgroup. Is there any way to disable
    > that? I just want that Active Directory computers gain access in my network.
    >
    > Tks,
    >
    > Marco
    >
    >
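The IPsec option from the answer above, written out as an added example that is not part of the original thread: a require policy using Kerberos authentication and AH only, with a domain controller exempted by its static IP. It assumes the `netsh ipsec static` context of Windows Server 2003 (Windows XP and 2000 use other tools or Group Policy); the policy, filter list and filter action names are made up, and 192.0.2.10 is a placeholder for the DC address.

```bat
@echo off
rem Added example, not from the original thread. All names below are
rem hypothetical; 192.0.2.10 is a placeholder for a DC's static IP address.
set DC_IP=192.0.2.10

rem 1. Create the policy, left unassigned until every rule is in place.
netsh ipsec static add policy name="Require-Domain" description="Kerberos-authenticated IPsec required" assign=no

rem 2. Filter list: all IP traffic between this computer and any address.
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem 3. Filter list: traffic to and from the domain controller only.
rem    A filter on a single address is more specific than any<->me,
rem    so it is matched first and the exemption wins for DC traffic.
netsh ipsec static add filterlist name="DC-Exempt"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=%DC_IP% dstaddr=me protocol=any mirrored=yes

rem 4. Filter actions. "Permit-Clear" passes DC traffic without IPsec.
rem    "Require-AH" negotiates AH (integrity, no encryption) and, with
rem    inpass=no and soft=no, never falls back to unsecured traffic.
netsh ipsec static add filteraction name="Permit-Clear" action=permit
netsh ipsec static add filteraction name="Require-AH" action=negotiate inpass=no soft=no qmsecmethods="AH[SHA1]"

rem 5. Rules: exempt the DC, require Kerberos-authenticated AH for the rest.
netsh ipsec static add rule name="DC-Exempt-Rule" policy="Require-Domain" filterlist="DC-Exempt" filteraction="Permit-Clear"
netsh ipsec static add rule name="Require-Rule" policy="Require-Domain" filterlist="All-Traffic" filteraction="Require-AH" kerberos=yes

rem 6. Review the result, then assign the policy to make it active.
netsh ipsec static show policy name="Require-Domain" level=verbose
netsh ipsec static set policy name="Require-Domain" assign=yes
```

Assign it on one test machine from the console first: once active, every peer that cannot complete Kerberos-authenticated IKE is cut off, including any domain controller missing from the exemption list.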