Prevent Domain Logon or Access


Zane

Do you guys have any advice or recommended "tricks" to prevent anyone from
using network/domain resources UNLESS they authenticate with a DOMAIN based
client machine? Basically, I do not want anyone accessing domain resources
into our network with HOME laptops (not part of domain).

Preferred way is NOT to use PKI. I know PKI could accomplish this, I was
thinking more of using login scripts for some way of accomplishing this,
since NON-domain based machines cannot execute login scripts.

Any ideas? Thanks.
 
Zane said:
Do you guys have any advice or recommended "tricks" to prevent anyone from
using network/domain resources UNLESS they authenticate with a DOMAIN based
client machine? Basically, I do not want anyone accessing domain resources
into our network with HOME laptops (not part of domain).

Preferred way is NOT to use PKI. I know PKI could accomplish this, I was
thinking more of using login scripts for some way of accomplishing this,
since NON-domain based machines cannot execute login scripts.

Well, that was going to be my suggestion.

You could probably still do it with IPSec, by using just the
Kerberos authentication mechanisms which isn't really based
on PKI -- but you might have had that in mind when you said
"no PKI".

No requirement for encryption is necessary if you just make
all of your servers REQUIRE "signed packets" and use Kerberos
(or even Preshared secret) to authenticate and set all clients
to RESPOND (or even Require for internal IP address ranges.)

You will need to exclude outside IPs from the IPSec policy for
clients if you wish them to visit the Internet or 'travel well.'

You might look into SMB signing to see if there is some
trick that can disallow NON-authenticated machines.
(I don't know of one but I would look there.)

You could try some scheme with secure hubs/routers where
the machines must authenticate with PEAP, 802.1x or some
such. (You will probably end up back at PKI, but WinXP
and Win2003 support user or machine based authentication
for such connections.)

If you think, or hear, of something better please post it.
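The IPsec arrangement described in the reply above (servers require Kerberos-authenticated, integrity-only "signed" traffic; clients only request it; the policy scoped to internal addresses so Internet traffic is left alone; SMB signing required on top), written out as an added example that is not part of the original thread. It uses the NetSecurity PowerShell module of Windows 8 / Server 2012 and later rather than the XP/2003-era IPsec MMC snap-in the posters had in mind, and the internal range 10.0.0.0/8 is a constructed placeholder to replace with your own subnets. Run it elevated on the server; the commented-out rule is the client-side variant to push out via Group Policy.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module
# (Windows 8 / Server 2012+) and a constructed internal range of 10.0.0.0/8.

$internalRange = '10.0.0.0/8'   # assumption: replace with your real subnets

# Phase 1 (main mode): machine Kerberos authentication only. A laptop that is
# not joined to the domain has no machine account, so it cannot complete
# main mode and never gets an SA, which is the "no PKI" filter wanted here.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$kerbAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos Auth' `
                    -Proposal $kerbProposal

# Phase 2 (quick mode): ESP with integrity (SHA-256) and no encryption,
# i.e. "signed packets" only, as the reply suggests.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                    -ESPHash SHA256 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP Integrity Only' `
                    -Proposal $qmProposal

# Server side: REQUIRE authenticated inbound traffic, but only from the
# internal range, so the server keeps talking to anything outside it.
New-NetIPsecRule -DisplayName 'Require Kerberos IPsec (internal)' `
    -RemoteAddress $internalRange `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $kerbAuthSet.Name -QuickModeCryptoSet $qmSet.Name

# Client side (deploy via GPO instead of running here): REQUEST only, so
# domain clients still reach hosts without a policy and "travel well".
# New-NetIPsecRule -DisplayName 'Request Kerberos IPsec (internal)' `
#     -RemoteAddress $internalRange `
#     -InboundSecurity Request -OutboundSecurity Request `
#     -Phase1AuthSet $kerbAuthSet.Name -QuickModeCryptoSet $qmSet.Name

# File shares: additionally refuse unsigned SMB sessions.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Check: after a domain-joined client connects, a main-mode SA should be
# listed for it; a non-domain host produces none and its traffic is dropped.
Get-NetIPsecMainModeSA
```

The scoping via -RemoteAddress is what implements the "exclude outside IPs" caveat from the reply: the Require rule never applies to addresses outside the listed ranges, so no separate exemption rule is needed for Internet traffic.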