How to exclude connections from servers not in the domain?

  • Thread starter: new ms

new ms

I have a server that is a member of an Active Directory domain. How do I
deny connections (or logon sessions) to my server from any computers
that are not members of my domain (i.e. either are members of other
domains, or are not members of any domain at all)?

Note that this is a question about computers, not about users.

Specifically, I want to prevent the scenario where a user has a userid
and password valid in the domain but is connecting from a computer that
has not joined the domain.

NM
 
Use an IPsec require policy on those servers. Note that domain controllers must be
exempt from IPsec policies for domain member computers - IPsec is not supported for
traffic between domain controllers and domain members. A computer with an IPsec require
policy using default Kerberos machine authentication will not allow traffic from any
non-domain computer, or from any domain computer that either does not support IPsec
[W9x/NT 4.0], does not have at least a client/respond policy applied to it, or is
otherwise excluded, possibly by IP address. Otherwise, look into using switches that
can control access by MAC address or 802.1X authentication, which would also require a
Certificate Authority to issue machine certificates and a RADIUS/IAS server on the
network. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949
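The policy Steve describes, written out as an added example that is not part of the original thread: "require inbound IPsec, authenticate the peer with its computer account via Kerberos, exempt the domain controllers". It uses the NetSecurity PowerShell cmdlets available on Windows Server 2012 / Windows 8 and later rather than the Windows 2000 IPsec policy snap-in the linked guides cover; the mechanism is the same. The domain controller addresses are assumptions, and the script must be run elevated on the member server.

```powershell
# Added example (not from the original thread): the "IPsec require policy with
# Kerberos machine authentication" Steve describes, as NetSecurity cmdlets.
# Assumed DC addresses; replace with your own.
$DomainControllers = @('10.0.0.10', '10.0.0.11')

# 1. Exempt traffic to and from the domain controllers. The member server has to
#    reach a DC in the clear to get the Kerberos ticket that the IPsec negotiation
#    itself depends on, which is why Steve says DCs must be excluded.
New-NetIPsecRule -DisplayName 'Exempt domain controllers from IPsec' `
    -Mode Transport `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress $DomainControllers

# 2. Phase 1 authentication: computer-account Kerberos only, no fallback.
#    A host that has not joined the domain has no machine account and so cannot
#    complete phase 1, no matter which *user* credentials are sitting on it.
$MachineKerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$Phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer (Kerberos) only' `
    -Proposal $MachineKerberos

# 3. Require authentication for all other inbound traffic. Outbound is only
#    requested so the server can still initiate connections to hosts that are not
#    IPsec-capable (Steve's W9x/NT 4.0 point); tighten to Require if you need
#    the server to talk *only* to domain computers in both directions.
New-NetIPsecRule -DisplayName 'Require IPsec from domain computers' `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $Phase1.Name `
    -RemoteAddress Any

# 4. Check: after a domain-joined client connects, a main mode SA exists and its
#    remote identity is the client's machine principal. A non-domain host never
#    gets an SA; its connection attempt simply times out.
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Two things to keep in mind when deploying this. First, it still needs Steve's "at least a client/respond policy" on the other side: push a connection security rule with Request/Request to the domain workstations by Group Policy, or they will not answer the server's negotiation and will be blocked just like non-domain machines. Second, the rule proves that the peer is a domain computer, nothing more; it does not stop a domain user working from a domain-joined laptop, and it does not help if the domain-joined host itself is under an attacker's control.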
 
I have an article in the TechNet archives that discusses this specific solution.

http://www.microsoft.com/technet/archive/community/columns/security/askus/aus1201.mspx

--
Steve

 