Preventing users from connecting to shares NOT on the doma..

Archived from groups: microsoft.public.win2000.security,microsoft.public.win2000.networking

Hi!!

I'm pretty sure that there has to be a simple way of doing this.

What I want to know is HOW I should configure a computer's settings so
that it will only be able to access Network shares on other computers
that are part of the domain, but NOT on "stand-alone" PCs and the like...

In that way, the "security problem" is just limited to the computers on
the domain.

Thanks a lot.

Javier Jarava
7 answers
  1.

    Hi Javier,

    If you want to prevent your computers from talking to computers that are not
    part of your domain, create an IPSec policy that would require
    authentication, where you would use Kerberos as the authenticating protocol.
    Computers that are not members of the domain will not be able to authenticate,
    and your clients will not want to talk to them.

    Your clients would need to be Windows 2000 or newer Microsoft operating
    system.

    Step-by-Step Guide to Internet Protocol Security (IPSec)
    http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

    Assigning IPSec policy
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx

    --
    Mike
    Microsoft MVP - Windows Security

    "Javier J" <no.mail@please.no> wrote in message
    news:uVbH$3l$EHA.2016@TK2MSFTNGP15.phx.gbl...
    > Hi!!
    >
    > I'm pretty sure that there has to be a simple way of doing this.
    >
    > What I want to know is HOW I should configure a computer's settings so
    > that it will only be able to access Network shares on other computers that
    > are part of the domain, but NOT on "stand-alone" PCs and the like...
    >
    > In that way, the "security problem" is just limited to the computers on
    > the domain.
    >
    > Thanks a lot.
    >
    > Javier Jarava
  2.

    Hi!!!

    I'll give you a little more detail about what I am trying to do:

    - The domain is a Windows 2000 Domain, with W2000 Pro Client computers
    and some WXP Pro. There is no "signing" of digital traffic going on.

    There are a number (about 50) of client PCs that have to be specially
    hardened. Those are all located in the same OU, so if any changes can be
    done at the OU level, that'd be a bonus. From the (admittedly slight) idea
    I have about it, Kerberos settings are domain-wide, but domain-wide
    changes are out of the question at the moment.

    I can make almost any change to the Computers in the OU, but the Domain
    is out of my reach (at least, at the moment)

    I've done some testing using the GPOs that MS provides with the "Group
    Policy Common Scenarios" docs and accompanying supporting information.
    I'm using a "mix-and-match" version of the AppStation Scenario for the
    computers on the OU.

    The computers in the OU _should_ be able to access any of the servers on
    the Domain (ie., it's not possible to make a choice that limits them to
    a single server), but that might be possible to change.

    From looking into the GPO settings on the sample OUs, I've seen
    settings about "digital sign" and "encrypt" communications, so I was
    wondering if there is some combination of settings that requires that
    all SMB traffic be two-way signed. From my understanding of the matter,
    that'd mean both computers are members of the same domain...

    Thanks a lot for the prompt response...

    Miha Pihler [MVP] wrote:
    > Hi Javier,
    >
    > If you want to prevent your computers from talking to computers that are not
    > part of your domain, create an IPSec policy that would require
    > authentication, where you would use Kerberos as the authenticating protocol.
    > Computers that are not members of the domain will not be able to authenticate,
    > and your clients will not want to talk to them.
    >
    > Your clients would need to be Windows 2000 or newer Microsoft operating
    > system.
    >
    > Step-by-Step Guide to Internet Protocol Security (IPSec)
    > http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
    >
    > Assigning IPSec policy
    > http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
    >
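The post above asks whether the "digitally sign" settings it found in the GPO could force all SMB traffic to be signed. As a point of reference that the thread does not spell out: SMB signing keys are derived from the session that authenticated the connection, which may be NTLM as well as Kerberos, so a stand-alone PC can still negotiate signing; requiring signing protects against tampering in transit but does not by itself limit clients to domain members. The following PowerShell script is an added example (not from the thread) that reads the registry values behind the "Digitally sign communications" policies for both the SMB client (LanmanWorkstation) and server (LanmanServer) side and reports whether signing is disabled, negotiated, or required. The output labels are this example's own; PowerShell is assumed to be available on the host being checked.

```powershell
# Added example, not code from the thread: report the SMB signing state behind the
# "Digitally sign communications" GPO settings on the local machine.
# The GPO names quoted in the comments are the XP/2003 Security Options names.

$Components = @{
    # "Microsoft network client: Digitally sign communications (always / if server agrees)"
    'LanmanWorkstation' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    # "Microsoft network server: Digitally sign communications (always / if client agrees)"
    'LanmanServer'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningState {
    # Returns one object per component with the raw values and a human-readable mode.
    foreach ($name in $Components.Keys) {
        $p = Get-ItemProperty -Path $Components[$name] -ErrorAction SilentlyContinue

        # RequireSecuritySignature absent means "not required". EnableSecuritySignature
        # has OS-dependent defaults, so an absent value is reported as such, not as "off".
        $enabled  = if ($null -ne $p.EnableSecuritySignature)  { [int]$p.EnableSecuritySignature }  else { $null }
        $required = if ($null -ne $p.RequireSecuritySignature) { [int]$p.RequireSecuritySignature } else { 0 }

        $mode = if ($required -eq 1)      { 'Required (unsigned sessions refused)' }
                elseif ($enabled -eq 1)   { 'Negotiated (signed only if the peer agrees)' }
                elseif ($null -eq $enabled) { 'OS default (value absent)' }
                else                      { 'Disabled' }

        [pscustomobject]@{
            Component = $name
            Enabled   = $enabled
            Required  = $required
            Mode      = $mode
        }
    }
}

Get-SmbSigningState | Format-Table -AutoSize
```

Both sides must be set to "Required" before every SMB session is two-way signed; a client set to "Required" talking to a server set to "Disabled" simply fails to connect, which is the behaviour to verify in a lab before pushing the setting to the OU.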
  3.

    Hi,

    Another question for you. Are the servers on the same subnet as the clients? It would be
    a benefit if they were not.

    Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain (just
    like policies). So you can require IPSec for only a group of PCs (PCs that
    are in the same OU). If you require these computers to communicate with other
    computers (servers) in the domain while these servers are not in the same domain, some
    small changes would be required on the OU where the servers are located. This change
    would tell the servers to respond to IPSec requests. This would not be
    required if the servers are in their own subnet...

    Feel free to post back with any additional questions that you might have. I
    will do my best to answer them, but that might not be before some time
    tomorrow. I have some work to do and get some sleep...

    --
    Mike
    Microsoft MVP - Windows Security

    "Javier J" <no.mail@please.no> wrote in message
    news:%23t6PXfm$EHA.608@TK2MSFTNGP15.phx.gbl...
    > Hi!!!
    >
    > I'll give you a little more detail about what I am trying to do:
    >
    > - The domain is a Windows 2000 Domain, with W2000 Pro Client computers and
    > some WXP Pro. There is no "signing" of digital traffic going on.
    >
    > There are a number (about 50) of client PCs that have to be specially
    > hardened. Those are all located in the same OU, so if any changes can be
    > done at the OU level, that'd be a bonus. From the (admittedly slight) idea I
    > have about it, Kerberos settings are domain-wide, but domain-wide changes
    > are out of the question at the moment.
    >
    > I can make almost any change to the Computers in the OU, but the Domain is
    > out of my reach (at least, at the moment)
    >
    > I've done some testing using the GPOs that MS provides with the "Group
    > Policy Common Scenarios" docs and accompanying supporting information. I'm
    > using a "mix-and-match" version of the AppStation Scenario for the
    > computers on the OU.
    >
    > The computers in the OU _should_ be able to access any of the servers on
    > the Domain (ie., it's not possible to make a choice that limits them to a
    > single server), but that might be possible to change.
    >
    > From looking into the GPO settings on the sample OUs, I've seen settings
    > about "digital sign" and "encrypt" communications, so I was wondering if
    > there is some combination of settings that requires that all SMB traffic
    > be two-way signed. From my understanding of the matter, that'd mean both
    > computers are members of the same domain...
    >
    > Thanks a lot for the prompt response...
    >
    > Miha Pihler [MVP] wrote:
    >> Hi Javier,
    >>
    >> If you want to prevent your computers from talking to computers that are
    >> not part of your domain, create an IPSec policy that would require
    >> authentication, where you would use Kerberos as the authenticating protocol.
    >> Computers that are not members of the domain will not be able to authenticate,
    >> and your clients will not want to talk to them.
    >>
    >> Your clients would need to be Windows 2000 or newer Microsoft operating
    >> system.
    >>
    >> Step-by-Step Guide to Internet Protocol Security (IPSec)
    >> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
    >>
    >> Assigning IPSec policy
    >> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
    >>
  4.

    Hi!

    The servers might be located on the same subnet as some of the clients.
    Not sure about that, would have to check the precise topology.

    The idea is:
    These 30+ Client PCs should _only_ be able to access resources on
    computers located on the Domain.

    IIRC, all the servers are located on the same OU, but as for their IP
    addresses, I don't know if they're on the OU or not.

    To be more precise, the setup is as follows:

    + AD
    - Users: Most users are placed on the default container
    |
    - OU=Restricted: OU where we've placed the "secure" client PCs and
    related users.

    The OU has two GPOs, one for "Machine" and one for user. The "Machine"
    GPO is set to apply to all Authenticated Users. The "User" GPO is applied
    _only_ to the members of a "Restricted" group.

    The users of the "Restricted" group "suffer" a desktop as locked down as
    I've managed to get (Redirected Folders, Roaming User Profiles deleted
    on logoff, no "All Users" programs and folders, etc). The _ideal_ setup
    would be one where the "restricted" can't connect to any non-domain PC,
    while a "normal" user doesn't have to suffer any more restrictions than
    necessary...

    The rest of the users/PCs on the domain should still be running "as is",
    that's why I'm looking for policies / changes that can be implemented
    per-OU.

    Is this possible with the solution you suggest?

    Thanks a lot

    Javier J

    Miha Pihler [MVP] wrote:
    > Hi,
    >
    > Another question for you. Are the servers on the same subnet as the clients? It would be
    > a benefit if they were not.
    >
    > Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain (just
    > like policies). So you can require IPSec for only a group of PCs (PCs that
    > are in the same OU). If you require these computers to communicate with other
    > computers (servers) in the domain while these servers are not in the same domain, some
    > small changes would be required on the OU where the servers are located. This change
    > would tell the servers to respond to IPSec requests. This would not be
    > required if the servers are in their own subnet...
    >
    > Feel free to post back with any additional questions that you might have. I
    > will do my best to answer them, but that might not be before some time
    > tomorrow. I have some work to do and get some sleep...
    >
  5.

    Since IPsec policy is a computer policy, I do not believe
    that you can deliver it in a way that is sensitive to whether
    the current login is a member of this "Restricted" group of
    users that suffer the desktop restriction. If you apply an
    IPsec policy to this OU it will take effect at bootup of a
    machine in that OU and for all logins.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Javier J" <no.mail@please.no> wrote in message
    news:uAhzqhw$EHA.3256@TK2MSFTNGP11.phx.gbl...
    > Hi!
    >
    > The servers might be located on the same subnet as some of the clients.
    > Not sure about that, would have to check the precise topology.
    >
    > The idea is:
    > These 30+ Client PCs should _only_ be able to access resources on
    > computers located on the Domain.
    >
    > IIRC, all the servers are located on the same OU, but as for their IP
    > addresses, I don't know if they're on the OU or not.
    >
    > To be more precise, the setup is as follows:
    >
    > + AD
    > - Users: Most users are placed on the default container
    > |
    > - OU=Restricted: OU where we've placed the "secure" client PCs and
    > related users.
    >
    > The OU has two GPOs, one for "Machine" and one for user. The "Machine"
    > GPO is set to apply to all Authenticated Users. The "User" GPO is applied
    > _only_ to the members of a "Restricted" group.
    >
    > The users of the "Restricted" group "suffer" a desktop as locked down as
    > I've managed to get (Redirected Folders, Roaming User Profiles deleted
    > on logoff, no "All Users" programs and folders, etc). The _ideal_ setup
    > would be one where the "restricted" can't connect to any non-domain PC,
    > while a "normal" user doesn't have to suffer any more restrictions than
    > necessary...
    >
    > The rest of the users/PCs on the domain should still be running "as is",
    > that's why I'm looking for policies / changes that can be implemented
    > per-OU.
    >
    > Is this possible with the solution you suggest?
    >
    > Thanks a lot
    >
    > Javier J
    >
    > Miha Pihler [MVP] wrote:
    > > Hi,
    > >
    > > Another question for you. Are the servers on the same subnet as the clients? It
    > > would be a benefit if they were not.
    > >
    > > Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain
    > > (just like policies). So you can require IPSec for only a group of PCs (PCs
    > > that are in the same OU). If you require these computers to communicate with other
    > > computers (servers) in the domain while these servers are not in the same domain,
    > > some small changes would be required on the OU where the servers are located. This
    > > change would tell the servers to respond to IPSec requests. This would not be
    > > required if the servers are in their own subnet...
    > >
    > > Feel free to post back with any additional questions that you might
    > > have. I will do my best to answer them, but that might not be before some time
    > > tomorrow. I have some work to do and get some sleep...
    > >
  6.

    You could use an ipsec policy, though ipsec is computer specific. You could
    put the computers you want to restrict to accessing only domain computers into
    their own OU [if not already] and assign an ipsec "require" policy to those
    computers. They will then only be able to communicate with domain computers
    that have a corresponding ipsec policy of at least "client/respond" ipsec
    policy.

    Note that domain controllers must be exempt from any ipsec policies
    that would try to engage ipsec negotiation [esp/ah] with them from domain
    members. The easiest way would be to add the domain controllers' static IP
    addresses to any pertinent ipsec policy with a rule for the permit filter
    action. If you want to try ipsec be SURE to test it out on a couple of
    computers first.

    Though not as secure a solution, you could also use an ipsec
    policy "filtering" rule to block access to certain IP destination addresses,
    which would require that the blocked computers have static IP addresses to
    be effective. See the link below for more info on ipsec filtering. -- Steve

    http://www.securityfocus.com/infocus/1559

    "Javier J" <no.mail@please.no> wrote in message
    news:uAhzqhw$EHA.3256@TK2MSFTNGP11.phx.gbl...
    > Hi!
    >
    > The servers might be located on the same subnet as some of the clients.
    > Not sure about that, would have to check the precise topology.
    >
    > The idea is:
    > These 30+ Client PCs should _only_ be able to access resources on
    > computers located on the Domain.
    >
    > IIRC, all the servers are located on the same OU, but as for their IP
    > addresses, I don't know if they're on the OU or not.
    >
    > To be more precise, the setup is as follows:
    >
    > + AD
    > - Users: Most users are placed on the default container
    > |
    > - OU=Restricted: OU where we've placed the "secure" client PCs and
    > related users.
    >
    > The OU has two GPOs, one for "Machine" and one for user. The "Machine" GPO
    > is set to apply to all Authenticated Users. The "User" GPO is applied _only_
    > to the members of a "Restricted" group.
    >
    > The users of the "Restricted" group "suffer" a desktop as locked down as
    > I've managed to get (Redirected Folders, Roaming User Profiles deleted on
    > logoff, no "All Users" programs and folders, etc). The _ideal_ setup would
    > be one where the "restricted" can't connect to any non-domain PC, while a
    > "normal" user doesn't have to suffer any more restrictions than
    > necessary...
    >
    > The rest of the users/PCs on the domain should still be running "as is",
    > that's why I'm looking for policies / changes that can be implemented
    > per-OU.
    >
    > Is this possible with the solution you suggest?
    >
    > Thanks a lot
    >
    > Javier J
    >
    > Miha Pihler [MVP] wrote:
    >> Hi,
    >>
    >> Another question for you. Are the servers on the same subnet as the clients? It would
    >> be a benefit if they were not.
    >>
    >> Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain
    >> (just like policies). So you can require IPSec for only a group of PCs
    >> (PCs that are in the same OU). If you require these computers to communicate
    >> with other computers (servers) in the domain while these servers are not in the
    >> same domain, some small changes would be required on the OU where the servers are
    >> located. This change would tell the servers to respond to IPSec requests.
    >> This would not be required if the servers are in their own subnet...
    >>
    >> Feel free to post back with any additional questions that you might have.
    >> I will do my best to answer them, but that might not be before some time
    >> tomorrow. I have some work to do and get some sleep...
    >>
  7.

    Hi,

    I believe this would work under a few conditions.

    The first condition would be to assign a "Require Security" policy to the "Restricted"
    OU. As Roger mentioned, this would be a computer policy and would apply to
    all computers in this OU. I am guessing that the "Require Security" policy would
    also need some modifications to exclude domain controllers, the DHCP server,
    etc. These computers could be excluded by IP address, but you would have to
    edit the policy...
    If you want your clients from the "Restricted" OU to communicate with the rest of
    the domain you will have to put the other computers in a separate OU and assign
    a "Respond Only" policy to this OU.

    Getting this right may not be an easy task. The best advice I can give you is to
    set up a small lab and test the settings out. If you have any questions, feel
    free to post back.

    --
    Mike
    Microsoft MVP - Windows Security

    "Javier J" <no.mail@please.no> wrote in message
    news:uAhzqhw$EHA.3256@TK2MSFTNGP11.phx.gbl...
    > Hi!
    >
    > The servers might be located on the same subnet as some of the clients.
    > Not sure about that, would have to check the precise topology.
    >
    > The idea is:
    > These 30+ Client PCs should _only_ be able to access resources on
    > computers located on the Domain.
    >
    > IIRC, all the servers are located on the same OU, but as for their IP
    > addresses, I don't know if they're on the OU or not.
    >
    > To be more precise, the setup is as follows:
    >
    > + AD
    > - Users: Most users are placed on the default container
    > |
    > - OU=Restricted: OU where we've placed the "secure" client PCs and
    > related users.
    >
    > The OU has two GPOs, one for "Machine" and one for user. The "Machine" GPO
    > is set to apply to all Authenticated Users. The "User" GPO is applied _only_
    > to the members of a "Restricted" group.
    >
    > The users of the "Restricted" group "suffer" a desktop as locked down as
    > I've managed to get (Redirected Folders, Roaming User Profiles deleted on
    > logoff, no "All Users" programs and folders, etc). The _ideal_ setup would
    > be one where the "restricted" can't connect to any non-domain PC, while a
    > "normal" user doesn't have to suffer any more restrictions than
    > necessary...
    >
    > The rest of the users/PCs on the domain should still be running "as is",
    > that's why I'm looking for policies / changes that can be implemented
    > per-OU.
    >
    > Is this possible with the solution you suggest?
    >
    > Thanks a lot
    >
    > Javier J
    >
    > Miha Pihler [MVP] wrote:
    >> Hi,
    >>
    >> Another question for you. Are the servers on the same subnet as the clients? It would
    >> be a benefit if they were not.
    >>
    >> Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain
    >> (just like policies). So you can require IPSec for only a group of PCs
    >> (PCs that are in the same OU). If you require these computers to communicate
    >> with other computers (servers) in the domain while these servers are not in the
    >> same domain, some small changes would be required on the OU where the servers are
    >> located. This change would tell the servers to respond to IPSec requests.
    >> This would not be required if the servers are in their own subnet...
    >>
    >> Feel free to post back with any additional questions that you might have.
    >> I will do my best to answer them, but that might not be before some time
    >> tomorrow. I have some work to do and get some sleep...
    >>
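The last two replies (Steve's and Mike's) describe the same design: a "Require Security" IPsec policy with Kerberos authentication on the Restricted OU, a permit exemption for the domain controllers and DHCP server by static address, and a "Respond Only" policy on the OU holding the servers the restricted clients must still reach. The script below is an added example, not code from the thread or from Microsoft's guides, that builds both policies with the `netsh ipsec static` context so they can be tested in a lab first. It assumes `netsh ipsec` is available (Windows XP SP2 / Server 2003 and later; on Windows 2000 the same objects are created in the IP Security Policies MMC snap-in), and every address and policy name in it is a placeholder. The policy is per-computer, as Roger's reply notes: it applies to every login on a machine in the OU.

```powershell
# Added example, not code from the thread: build the Restricted-OU "require" policy
# (with DC/DHCP exemption) and the servers' "respond only" policy via netsh ipsec.
# All addresses and names are placeholders chosen for this example.
$ErrorActionPreference = 'Stop'

# Hosts that must never be forced through IKE: the DCs (Kerberos needs them before
# any IPsec SA can exist) and the DHCP server. Placeholder static addresses.
$ExemptHosts = @('10.0.0.10', '10.0.0.11')

# Work in the local policy store for the lab test. Once the policies behave, rerun
# against Active Directory so they can be assigned per OU in the GPO editor:
#   netsh ipsec static set store location=domain domain=example.invalid
netsh ipsec static set store location=local

# ---- Policy 1: clients in the Restricted OU ---------------------------------------
netsh ipsec static add policy name=Restricted-RequireSecurity activatedefaultrule=no

# Filter list covering all traffic from this host; mirrored=yes covers both directions.
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# Filter list naming the exempt infrastructure hosts. IPsec applies the most specific
# matching filter, so a single-address filter takes precedence over "any".
netsh ipsec static add filterlist name=ExemptInfrastructure
foreach ($ip in $ExemptHosts) {
    netsh ipsec static add filter filterlist=ExemptInfrastructure srcaddr=me dstaddr=$ip protocol=ANY mirrored=yes
}

# Filter actions. soft=no refuses clear-text fallback when negotiation fails and
# inpass=no refuses unsecured inbound packets: together they are "Require Security".
# action=permit passes the exempt traffic without IPsec at all.
netsh ipsec static add filteraction name=RequireSecurity action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name=PermitClear action=permit

# Rules. kerberos=yes makes domain membership the authentication requirement, so a
# stand-alone PC cannot complete IKE main mode and the client never sends it SMB.
netsh ipsec static add rule name=ExemptDCsAndDHCP policy=Restricted-RequireSecurity filterlist=ExemptInfrastructure filteraction=PermitClear
netsh ipsec static add rule name=RequireKerberosIPsec policy=Restricted-RequireSecurity filterlist=AllTraffic filteraction=RequireSecurity kerberos=yes

# ---- Policy 2: servers the restricted clients must still reach --------------------
# The default response rule is what the built-in "Client (Respond Only)" policy uses:
# answer IKE requests (Kerberos), never initiate. Not supported on Vista and later.
netsh ipsec static add policy name=Servers-RespondOnly activatedefaultrule=yes

# ---- Lab check on one client: assign locally, then inspect what IKE negotiated ----
netsh ipsec static set policy name=Restricted-RequireSecurity assign=y
netsh ipsec static show policy name=Restricted-RequireSecurity level=verbose
# Main-mode SAs list each peer and its authentication method. A non-domain host should
# never appear here, and a connection attempt to it should simply time out.
netsh ipsec dynamic show mmsas
```

Test on two machines before touching the OU, as both replies insist: the first symptom of a missing exemption is that the client can no longer reach a domain controller to obtain the very Kerberos ticket IKE needs, and the machine looks "off the network" until the policy is unassigned locally.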