Workgroup issues

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hi guys,

here, in my company, I have a Windows 2003 Server and all workstations are
WinXP Pro and Windows 2000. There are some users that have laptops with
Windows 98 and log in to my server using Workgroup. Is there any way to disable
that? I just want only Active Directory computers to gain access to my network.

Tks,

Marco
 
Guest

I think you first should have an enforceable signed user policy with consequences for
users who insist on doing that. How do you know those computers are not infected with
something that could bring down your network and cause loss of data and time?

Having said that, you have some technical options.

By default W98 computers use LM authentication. You could configure your Domain and
Domain Controller Security Policy to have the security option for LAN Manager
authentication level to be - respond NTLMv2 only - refuse LM and NTLM. Users who know
how to update their W98 computers may figure out how to work around that, but that is
unlikely. Also keep in mind that you cannot use that LAN Manager authentication
level on RRAS servers and there may be problems with Exchange servers. I am not sure
about how it affects Exchange servers; you could post in an Exchange newsgroup to
find out more about whether that would be a problem.

You could use IPsec policy. Any domain computer that has an IPsec require policy would
not be reachable by a W9X computer because Kerberos authentication is used. IPsec
ESP/AH however cannot be used for communications between domain computers and domain
controllers, so if you use IPsec, domain controllers will have to be exempt by filter
rules using their static IP addresses. IPsec also has some overhead [15-30 percent
maybe], though you could use an AH policy instead of ESP encryption to reduce overhead
quite a bit. The links below explain IPsec more.

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949


Another option is switch security. Switches such as the HP ProCurve 2524 can restrict
access based on port isolation, MAC filtering, and 802.1x authentication using an IAS
server and CA server [neither hard to do] on the network to issue computer
certificates. MAC filtering, though not a 100 percent security solution, can be
enabled in a learning mode with a variable number of allowed addresses per port that
requires no manual configuring of address tables and can be accomplished in a short
time on a live network. These security-capable switches are much more affordable
these days. --- Steve

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=71523&item=5713919213&rd=1

"Marco Roberto Gonçalves Junior" <marco.roberto@bol.com.br> wrote in message
news:OVdRdEwfEHA.2908@TK2MSFTNGP10.phx.gbl...
> Hi guys,
>
> here, in my company, I have a Windows 2003 Server and all workstations are
> WinXP Pro and Windows 2000. There are some users that have laptops with
> Windows 98 and log in to my server using Workgroup. Is there any way to disable
> that? I just want only Active Directory computers to gain access to my network.
>
> Tks,
>
> Marco
>
>
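An added example, not part of the original posts: a pre-change audit for the LAN Manager authentication level option described in the reply above. It reads the `LmCompatibilityLevel` registry value from `reg query` output collected per host and reports domain controllers that still accept LM or NTLM, plus members that would be refused once the DCs are set to level 5. Host names, roles and the sample output are constructed.

```python
import re

# LmCompatibilityLevel -> response types a domain controller at that level accepts.
DC_ACCEPTS = {
    0: {"LM", "NTLM", "NTLMv2"}, 1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"}, 3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},        # refuse LM
    5: {"NTLMv2"},                # refuse LM and NTLM
}
# Levels at which a client sends NTLMv2 responses (0-2 send LM and/or NTLM).
CLIENT_SENDS_NTLMV2 = {3, 4, 5}

VALUE_RE = re.compile(
    r"^\s*LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.M)

def parse_level(reg_output):
    """Return the configured level, or None when the value is not set."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else None

def audit(hosts):
    """hosts: {name: (role, reg query output)} -> list of (name, finding)."""
    findings = []
    for name, (role, output) in sorted(hosts.items()):
        level = parse_level(output)
        if level is None:
            findings.append((name, "value not set; OS default applies"))
        elif level not in DC_ACCEPTS:
            findings.append((name, f"unexpected value {level}"))
        elif role == "dc" and DC_ACCEPTS[level] != {"NTLMv2"}:
            weak = sorted(DC_ACCEPTS[level] - {"NTLMv2"})
            findings.append((name, "DC still accepts " + " and ".join(weak)))
        elif role == "member" and level not in CLIENT_SENDS_NTLMV2:
            findings.append((name, "sends LM/NTLM; a level 5 DC will refuse it"))
    return findings

# Constructed sample: output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SAMPLE = {
    "DC01": ("dc", KEY + "\n    LmCompatibilityLevel    REG_DWORD    0x4\n"),
    "FILE02": ("member", KEY + "\n    LmCompatibilityLevel    REG_DWORD    0x5\n"),
    "WS-2K-03": ("member", KEY + "\n    LmCompatibilityLevel    REG_DWORD    0x1\n"),
    "WS-XP-07": ("member", "ERROR: The system was unable to find the "
                           "specified registry key or value.\n"),
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```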