Logon rights

Andrew

Hello all,

I would like to set up 3 computers in my LAN only for logging in
to our Domain. Since those computers are exposed to the WAN through
PCAnywhere, I don't want those computers to browse the network
or access the internet over the LAN. I was able to stop
access to the internet through my proxy, but couldn't stop
browsing of the network. I am just using the group Domain user for
those accounts. Is there any way I can achieve this while logging in
to the DOMAIN?

Looking for some advice from the experts.

Thanks
 
You can use IPsec filtering policy on those machines, which will act like a built-in
firewall. Start with a mirrored block all IP rule. Then add a mirrored rule including
a filter list with permitted exceptions. You would have to add an entry for "all" for
the domain controllers by their IP address and any other LAN computers they need
access to by their IP address, if any. Then an entry will need to be made to allow
the PCAnywhere connection by making an entry to the list for the appropriate inbound port
from the appropriate source. Those computers may still be able to see the browse list
in My Network Places since a domain controller may supply them with the browse list,
but they will only be able to access those computers they are allowed to in the
permitted list in the IPsec rule. You could also try to disable NetBIOS over TCP/IP
on those computers via TCP/IP properties/advanced/WINS. See the link below for an
example of using IPsec filtering. --- Steve

http://www.securityfocus.com/infocus/1559
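
The policy described in the reply above, sketched as an added example that is not part of the original thread or Steve's own commands. It assumes the `netsh ipsec static` context (Windows Server 2003 and later; older systems need a different tool or the IP Security Policies snap-in), and every address, the port and all names are constructed placeholders to replace with your own values.

```batch
@echo off
rem Added example. All values below are constructed placeholders.
set POLICY=Login-only lockdown
rem Domain controller address (placeholder from a documentation range)
set DC_IP=192.0.2.10
rem Host allowed to open the PCAnywhere session (placeholder)
set REMOTE_IP=198.51.100.25
rem Assumption: 5631 is the PCAnywhere TCP data port on this host; verify it
set PCA_PORT=5631

rem Two filter actions: one drops traffic, one passes it without negotiation
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem Step 1: mirrored "block all IP" filter (this machine <-> anything)
netsh ipsec static add filter filterlist="All IP traffic" ^
  srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem Step 2: mirrored exceptions
rem   "all" traffic to the domain controller, by IP address
netsh ipsec static add filter filterlist="Permitted" ^
  srcaddr=me dstaddr=%DC_IP% protocol=ANY mirrored=yes
rem   inbound PCAnywhere from the one permitted source to the one port
netsh ipsec static add filter filterlist="Permitted" ^
  srcaddr=%REMOTE_IP% dstaddr=me protocol=TCP srcport=0 dstport=%PCA_PORT% mirrored=yes

rem Step 3: bind the filter lists to their actions inside one policy
netsh ipsec static add policy name="%POLICY%" ^
  description="Block all, permit DC and remote control only"
netsh ipsec static add rule name="Block all" policy="%POLICY%" ^
  filterlist="All IP traffic" filteraction="Block"
netsh ipsec static add rule name="Permit exceptions" policy="%POLICY%" ^
  filterlist="Permitted" filteraction="Permit"

rem Step 4: assign the policy, then print it to confirm what is active
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

The more specific permit filters take precedence over the block-all filter, which is why the exceptions work regardless of rule order. Apply it from the local console first, since a wrong source address or port in the PCAnywhere filter cuts off the remote session as soon as the policy is assigned.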
 
Thanks a lot.
