Is it possible to limit access by computer account?


mswin2003jp

The system has shared resources.
Is it possible that only some computers can access these resources?
Can any domain user who logs on from an approved computer access
the shared resources?

I imagine the resources are NAS or shared folders.
 

Herb Martin

> The system has shared resources.
> Is it possible that only some computers can access these resources?

Sure, but usually people want to limit USER access rather
than "computer" access to resources.

For user access, the standard answer is to use permissions.

[For computers, permissions are also possible, but this
only affects those things accessed by the "computer account",
such as GPOs and computer-assigned installation files.]

Generally computer access is restricted by IP address which
is NOT perfect but is better than nothing. (IP addresses can
at least in theory be spoofed.)

For true computer restrictions, you can require IPSec for access to
the resource computer (or on certain ports for certain services on
the resource computer.)

> Can any domain user who logs on from an approved computer access
> the shared resources?

Use permissions to restrict it to domain users and IPSec
to filter on the "approved computer".
> I imagine the resources are NAS or shared folders.
 

mswin2003jp

Thanks a lot!
I understand I have to use IPSec to restrict access by computer
account.
I imagined that I could limit access by computer IP address, similar to UNIX.
However, it is difficult on Windows OS.
 

Herb Martin

> Thanks a lot!
> I understand I have to use IPSec to restrict access by computer
> account.

In general, yes, if you want to require the COMPUTER account
to authenticate (prove its identity) and use that identity to restrict
or allow access to the target then IPSec is the (only?) way to go.

Simple restrictions on IP address are not as secure, since a hacker
might be able to use the IP of another machine, or you might even
have the practical consideration of DHCP-assigned addresses.

There are two (fully secure) methods to authenticate IPSec:

1) Kerberos

2) Certificates

Use #1 generally for "domain machines" which literally have an
account in your domain (or at least your forest).

Use #2 for machines that are not in your domain (enterprise) or
which aren't even Windows machines, e.g., partner companies
and third party routers are examples of each.

Sometimes you have a choice between #1 and #2 and then #1
is generally less trouble.
> I imagined that I could limit access by computer IP address, similar to UNIX.
> However, it is difficult on Windows OS.

No, it is trivial if all you wish is to limit by IP address.
(OK, such filters are tedious to write.) There are also filters
in RRAS if the resource machine is a Server-class system.

IPSec is one filtering scheme that works (you don't have to INVOKE
IPSec with an IPSec policy but instead can choose BLOCK or
PASS using such a filter.)

But for true security that is VERY difficult to bypass then you
want to invoke the full IPSec negotiations and even encrypt the
resulting channel using IPSec.
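The two approaches Herb describes, IP-address filtering versus requiring IPsec authenticated with the Kerberos computer account, are shown below as an added example, not code from the thread. The thread is about Windows Server 2003 (where this is done with the IPsec MMC snap-in or `netsh ipsec`); the script uses the Windows Firewall with Advanced Security cmdlets available on Windows Server 2012 and later, which implement the same idea. Hostnames, IP addresses, the domain name and the SIDs are placeholders.

```powershell
# Added example (not from the thread). Restrict an SMB share (TCP 445) on a file
# server to particular computers, two ways. Run elevated on the file server.
# Placeholders: 192.0.2.10/11, CORP\WS01$ and CORP\WS02$, and the derived SIDs.

# --- Option 1: filter by source IP address (the "better than nothing" approach) ---
# Only the listed addresses may reach 445. Rely on the profile's default inbound
# action (Block) for everyone else: in Windows Firewall a Block rule beats an
# Allow rule regardless of order, so do NOT add a broad "block 445" rule.
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "SMB in - allowed IPs only" -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress 192.0.2.10,192.0.2.11 -Action Allow
# Caveat: any broader built-in allow rule for 445 (e.g. "File and Printer
# Sharing (SMB-In)") must be disabled or scoped the same way, and a spoofed or
# DHCP-reassigned address still gets through, which is exactly Herb's objection.

# --- Option 2: require IPsec with Kerberos COMPUTER authentication ---
# Phase 1 (main mode) is authenticated with the peer's machine Kerberos ticket,
# so the peer must literally have an account in the domain/forest.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos" -Proposal $kerbProposal

# Connection security rule: inbound TCP 445 to this host MUST be IPsec-protected.
# InboundSecurity Require means an unauthenticated peer never gets an SMB
# connection at all; OutboundSecurity Request keeps the server's own outbound
# traffic working against hosts that do not speak IPsec.
New-NetIPsecRule -DisplayName "Require IPsec for SMB" `
    -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# Build the SDDL that names the approved computer accounts. Each ACE grants the
# CC right to one computer SID; a domain group SID containing the computers works
# too and is easier to maintain. Note the trailing "$" on computer account names.
function Get-MachineSddl {
    param([string[]]$ComputerAccounts)   # e.g. "CORP\WS01$"
    $aces = foreach ($acct in $ComputerAccounts) {
        $sid = ([System.Security.Principal.NTAccount]$acct).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    return "O:LSD:" + ($aces -join "")
}
$approved = Get-MachineSddl -ComputerAccounts "CORP\WS01$", "CORP\WS02$"

# Firewall rule: allow 445 only when the connection is IPsec-authenticated AND the
# authenticated peer is one of the approved computer accounts. Share/NTFS
# permissions still decide which USERS may open files over that connection.
New-NetFirewallRule -DisplayName "SMB in - approved computers only" -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Authentication Required `
    -RemoteMachine $approved -Action Allow

# Verify from the server after a client connects: each main-mode SA shows the
# remote endpoint and the identity it authenticated with (the computer account).
Get-NetIPsecMainModeSA
```

The approved clients need a matching connection security rule of their own (typically a "Request" rule pushed by Group Policy), otherwise IKE never negotiates and the server's Require rule simply drops them. If you also want the SMB traffic encrypted, as Herb's last paragraph suggests, add `-RequireEncryption $true` to the `New-NetIPsecRule` call, which is also a placeholder choice here rather than something the thread specifies.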
 