restricting admin to specific machines
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
Hiya everyone.
We have a server running TS, etc. We want to be able to admin the server,
but we want the admin to only be allowed from specific computers on the
domain. Since we have some fellows who VPN in, we want to block any admin
access to these machines from the VPN. HOWEVER, they should be able to log
in as regular users.
I.E. Regular user can TS or access machine over VPN or locally.
Admin can TS AND use admin tools from a local PC on the local domain.
Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.
Can this be done?
Hiya everyone.
We have a server running TS, etc. We want to be able to admin the server,
but we want the admin to only be allowed from specific computers on the
domain. Since we have some fellows who VPN in, we want to block any admin
access to these machines from the VPN. HOWEVER, they should be able to log
in as regular users.
I.E. Regular user can TS or access machine over VPN or locally.
Admin can TS AND use admin tools from a local PC on the local domain.
Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.
Can this be done?
More about : restricting admin specific machines
Archived from groups: microsoft.public.win2000.security (More info?)
An admin is an admin know matter how they access the computer. You can "try" to
restrict them however if they want they can reconfigure the restrictions on "that"
computer. You can disable any users ability to logon to a TS in their account
properties and also use Remote Access Polices to restrict where a user can go, via
input/output filters, on the local lan when they access the network via VPN. Ipsec
can also be used possibly to restrict access to the TS from only authorized
"computers". For instance the TS could be configured with and ipsec require policy
[exempting domain controllers by IP address] and only those computers that could
access it would have an ipsec client/respond policy. If certificates are used for the
ipsec authentication you could prevent a user that is an administrator on only he
local computer from obtaining the necessary certificate. The default kerberos
authentication would work but a local administrator could possibly configure his
computer to have a compatible ipsec policy then. --- Steve
"Alex Vladimir" <AlexVladimir@discussions.microsoft.com> wrote in message
news:179F41A5-D97F-4838-8638-2E4BE3B3BE62@microsoft.com...
> Hiya everyone.
>
> We have a server running TS, etc. We want to be able to admin the server,
> but we want the admin to only be allowed from specific computers on the
> domain. Since we have some fellows who VPN in, we want to block any admin
> access to these machines from the VPN. HOWEVER, they should be able to log
> in as regular users.
>
> I.E. Regular user can TS or access machine over VPN or locally.
> Admin can TS AND use admin tools from a local PC on the local domain.
> Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.
>
> Can this be done?
>
An admin is an admin know matter how they access the computer. You can "try" to
restrict them however if they want they can reconfigure the restrictions on "that"
computer. You can disable any users ability to logon to a TS in their account
properties and also use Remote Access Polices to restrict where a user can go, via
input/output filters, on the local lan when they access the network via VPN. Ipsec
can also be used possibly to restrict access to the TS from only authorized
"computers". For instance the TS could be configured with and ipsec require policy
[exempting domain controllers by IP address] and only those computers that could
access it would have an ipsec client/respond policy. If certificates are used for the
ipsec authentication you could prevent a user that is an administrator on only he
local computer from obtaining the necessary certificate. The default kerberos
authentication would work but a local administrator could possibly configure his
computer to have a compatible ipsec policy then. --- Steve
"Alex Vladimir" <AlexVladimir@discussions.microsoft.com> wrote in message
news:179F41A5-D97F-4838-8638-2E4BE3B3BE62@microsoft.com...
> Hiya everyone.
>
> We have a server running TS, etc. We want to be able to admin the server,
> but we want the admin to only be allowed from specific computers on the
> domain. Since we have some fellows who VPN in, we want to block any admin
> access to these machines from the VPN. HOWEVER, they should be able to log
> in as regular users.
>
> I.E. Regular user can TS or access machine over VPN or locally.
> Admin can TS AND use admin tools from a local PC on the local domain.
> Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.
>
> Can this be done?
>
Related ressources:
- Forumrestricting administrators
- Forumrestricting access to a share for only a specific IP address
- ForumRestricting driver installation in Terminal Services.
- Forumlimit domain user login to specific group on 2 xp machines
- ForumLocal admin group?
- ForumAdd domain Admin account to all Win2k Clients local admin ..
- ForumUser in two groups Admin and Power User
- Forumway to let users run program as admin iwthout knowing admi..
- ForumPrograms that need admin rights, but user shouldn't have t..
- ForumDisabling Null sessions on W2K machines from Win2003 DCs
- ForumBlocking non admin users from connecting to MMC from a rem..
- Forumhow do i restrict dowwnloading for a specific user
- ForumFull 3D gaming in virtual machine
- Forumadd specific accouny when joining a domain
- ForumBan Assault Weapons
- ForumAdmin privilegies!
- Forumhow to restrict admin to install program
- ForumParallel and com ports not appearing in device manager
- ForumWin2k admin password
- Forumwin2k admin password
- More resources
!
