File Share Security

Brian

Hi,

We have a Windows 2000 AD domain running on a private
network behind a firewall. The firewall is the DHCP
server, set up to use our DC as its primary source for
DNS and WINS.

Is it possible to use AD to prevent a user from
connecting their personal notebook computers to any of
the ports on our LAN and using their domain credentials to
gain access to our network or Internet connection? Is it
possible to do this without using smart card
authentication or setting up a PKI?

Thanks
 
By default, adding a new computer to the domain is something only an administrator or account
operator can perform. So domain users cannot just bring a laptop, plug it into the
LAN and use the network resources without administrator permission.


Subbu
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I have to disagree with that. In a Windows 2000 domain default installation a domain
user can add up to ten workstations to the domain as specified by the user right "add
workstations to the domain" in Domain Controller Security Policy under user rights.
Perhaps you were thinking of user accounts.

In a default installation a user can also log onto their laptop as a local user with
the same logon name/password as their domain account and they will get access to
domain resources that their user account has permissions to UNLESS default security
settings have been changed to enable ipsec require policy, smb signing [digitally sign
communications] is required and the laptop does not have it configured, or possibly lan
manager authentication level has been increased to a setting not compatible with the
laptop. Only ipsec require policy using default kerberos machine authentication would
be the sure way to bar communications from non domain computers as far as operating
system restrictions. --- Steve
 
This is a copy of my reply to another post from a user asking basically the same
question. Unless you are using ISA and a firewall client, preventing a user from
gaining access to the internet would require the type of switch I mentioned below. A
user does not need any sort of authentication to access the internet otherwise - just
the IP address of the default gateway assuming that the firewall does not block
access due to IP address filtering rules. --- Steve

*****************************************************************

Use ipsec require policy on those servers. Note that domain controllers must be
exempt from ipsec policies for domain member computers - ipsec is not supported for
traffic between domain controllers and domain members. A computer with ipsec require
policy using default kerberos machine authentication will not allow traffic from any
non domain computer or any domain computer that either does not support ipsec
[W9X/NT4.0], does not have at least a client/respond policy applied to it, or is
otherwise excluded possibly by IP address. Otherwise look into using switches that
can control access by mac address or 802.1X authentication which would also require a
Certificate Authority to issue machine certificates and a radius/IAS server on the
network. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949
 
Steve,

Thank you very much. This is helpful information. I'm
more concerned with non-domain computer access to file
shares with the user using domain user account credentials
to access those shares than Internet access.

On one of our small, 10 client, completely private non-
Internet networks we managed to reduce risk by setting up
a RAS server in front of the data server. The PPTP VPN
connection was preset for each user, the password was
saved and the user didn't know the password. However, the
connection was very slow, even when using the "No
compression" option. This is a 100% gigabit network
(including the multihomed RAS server) and the throughput
was only half of what a standard 100TX connection would
provide, so we abandoned the RAS.

I've only experimented with setting up a RADIUS server
one time; can I use one of those with some type of IPsec
policy that you mentioned earlier without taking such a
huge performance hit? I'll read the links you provided.

Thanks again,
Brian
 
Hi Brian.

If it is a W2K or Windows 2003 domain and all the computers that need access
to the server [and it is not a domain controller] are W2K/XP Pro you can use
ipsec and do not need a radius/IAS server which would be needed with 802.1X
authentication switches. Kerberos would be the default machine
authentication though you can use certificates.

You could assign a client/respond policy to the client computers and a
secure server/require policy to the server being sure to exempt the domain
controllers by their IP addresses in the require policy. Then only a
domain computer in the forest would be able to access that server. By
default ipsec uses ESP for confidentiality and will have somewhat of a
performance hit but should still perform well on the network you described.
If confidentiality of data is not necessary you can use AH [authenticated
header] which will have less of a performance hit or use nics that can
process ipsec at their level. Keep in mind that by default regular users can
add a workstation to a domain up to ten times which can be a security risk.
That can be disabled in Domain Controller Security Policy/user right - add
workstation to the domain. You can remove authenticated users and add domain
admins. The link below is for Windows 2003 ipsec, but I find it very good
and almost all applies to W2K. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/DNSBJ_IPS_OVERVIEW.asp
http://tinyurl.com/2v8na -- same link as above, shorter.
http://www.dlink.com/products/?pid=87 -- an under $500 switch with mac
filtering and 802.1X port authentication [have not tried it myself yet]

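An added audit check for the hardening Steve describes (example code written for this thread, not from Microsoft or any poster): it parses a `secedit /export /cfg` security template and reports whether broad groups such as Authenticated Users hold the "Add workstations to domain" right, which is the SeMachineAccountPrivilege entry in the export. The sample exports and the S-1-5-21-... domain SID are constructed for the example.

```python
import configparser
from typing import Dict, List

# Well-known SIDs (real values); Domain Users is recognised by its RID 513.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
DOMAIN_USERS_RID = "513"

# Constructed sample of a `secedit /export /cfg <file>` result, cut down to the
# sections that matter. SIDs carry the leading '*' that secedit writes; the
# S-1-5-21-... domain identifier below is a made-up placeholder.
DEFAULT_EXPORT = """
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""
# Same export after the advice above is applied: Authenticated Users removed,
# Domain Admins (RID 512 of the placeholder domain) granted instead.
HARDENED_EXPORT = DEFAULT_EXPORT.replace(
    "*S-1-5-11", "*S-1-5-21-1111111111-2222222222-3333333333-512")

def parse_privilege_rights(export_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [SID, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep privilege names in their original case
    cp.read_string(export_text)
    rights: Dict[str, List[str]] = {}
    for name, value in cp["Privilege Rights"].items():
        # secedit separates multiple grants with commas and prefixes SIDs with '*'
        rights[name] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights

def join_right_findings(export_text: str) -> List[str]:
    """List broad principals that hold 'Add workstations to domain'."""
    holders = parse_privilege_rights(export_text).get("SeMachineAccountPrivilege", [])
    findings: List[str] = []
    for sid in holders:
        if sid in BROAD_SIDS:
            findings.append(f"{BROAD_SIDS[sid]} ({sid}) can join workstations")
        elif sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == DOMAIN_USERS_RID:
            findings.append(f"Domain Users ({sid}) can join workstations")
    return findings

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, join_right_findings(text) or ["no broad grants"])
```

On a real domain controller, run `secedit /export /cfg dc-policy.inf` and feed the file's contents to `join_right_findings` in place of the constructed sample.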
 