Preventing users from connecting to shares NOT on the domain.

Thread starter: Javier J

Hi!!

I'm pretty sure that there has to be a simple way of doing this.

What I want to know is HOW I should configure a computer's settings so
that it will only be able to access Network shares on other computers
that are part of the domain, but NOT on "stand-alone" PCs and the like...

In that way, the "security problem" is just limited to the computers on
the domain.

Thanks a lot.

Javier Jarava
 
Hi Javier,

If you want to prevent your computers from talking to computers that are not
part of your domain, create an IPSec policy that requires authentication,
with Kerberos as the authenticating protocol. Computers that are not members
of the domain will not be able to authenticate, and your clients will not
want to talk to them.

Your clients would need to be running Windows 2000 or a newer Microsoft
operating system.

Step-by-Step Guide to Internet Protocol Security (IPSec)
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Assigning IPSec policy
http://www.microsoft.com/resources/...xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
 
Hi!!!

I'll give you a little more detail about what I am trying to do:

- The domain is a Windows 2000 Domain, with W2000 Pro Client computers
and some WXP Pro. There is no "signing" of digital traffic going on.

There are a number (about 50) of client PCs that have to be specially
hardened. Those are all located in the same OU, so if any changes can be
done at the OU level, that'd be a bonus. From the (admittedly slight) idea
I have about it, Kerberos settings are domain-wide, but domain-wide
changes are out of the question at the moment.

I can make almost any change to the computers in the OU, but the domain
is out of my reach (at least, at the moment).

I've done some testing using the GPOs that MS provides with the "Group
Policy Common Scenarios" docs and accompanying supporting information.
I'm using a "mix-and-match" version of the AppStation scenario for the
computers in the OU.

The computers in the OU _should_ be able to access any of the servers on
the domain (i.e., it's not possible to make a choice that limits them to
a single server), but that might be possible to change.

From looking into the GPO settings on the sample OUs, I've seen
settings about "digitally sign" and "encrypt" communications, so I was
wondering if there is some combination of settings that requires that
all SMB traffic be two-way signed. From my understanding of the matter,
that'd mean both computers are members of the same domain...

Thanks a lot for the prompt response...
 
Hi,

Another question for you. Are the servers on the same subnet as the
clients? It would be a benefit if they were not.

Yes, Kerberos is domain-wide, but IPSec policy can be assigned per OU, Site or
Domain (just like other policies). So you can require IPSec for only a group
of PCs (the PCs that are in the same OU). If you require these computers to
communicate with other computers (servers) in the domain while those servers
are not in the same domain, some small changes would be required on the OU
where the servers are located. This change would tell the servers to respond
to IPSec requests. This would not be required if the servers were in their
own subnet...

Feel free to post back with any additional questions that you might have. I
will do my best to answer them, but that might not be before some time
tomorrow. I have some work to do and get some sleep...
 
Hi!

The servers might be located on the same subnet of some of the clients.
Not sure about that, would have to check the precise topology.

The idea is:
These 30+ Client PCs should _only_ be able to access resources on
computers located on the Domain.

IIRC, all the servers are located in the same OU, but as for their IP
addresses, I don't know if they're in the OU or not.

To be more precise, the setup is as follows:

+ AD
  - Users: Most users are placed in the default container
  |
  - OU=Restricted: OU where we've placed the "secure" client PCs and
    related users.

The OU has two GPOs, one for "Machine" and one for "User". The "Machine"
GPO is set to apply to all Authenticated Users. The "User" GPO is _only_
applied to the members of a "Restricted" group.

The users of the "Restricted" group "suffer" a desktop as locked down as
I've managed to get (Redirected Folders, Roaming User Profiles deleted
on logoff, no "All Users" programs and folders, etc.). The _ideal_ setup
would be one where the "restricted" users can't connect to any non-domain
PC, while a "normal" user doesn't have to suffer any more restrictions than
necessary...

The rest of the users/PCs on the domain should still be running "as is",
that's why I'm looking for policies / changes that can be implemented
per-OU.

Is this possible with the solution you suggest?

Thanks a lot

Javier J
 
Since IPsec policy is a computer policy, I do not believe
that you can deliver it in a way that is sensitive to whether
the current login is a member of this "Restricted" group of
users that suffer the desktop restriction. If you apply an
IPsec policy to this OU, it will have effect at bootup of a
machine in that OU and for all logins.
 
Hi,

I believe this would work under a few conditions.

The first condition would be to assign the "Require Security" policy to the
"Restricted" OU. As Roger mentioned, this would be a computer policy and would
apply to all computers in this OU. I am guessing that the "Require Security"
policy would also need some modifications to exclude the domain controllers,
the DHCP server, etc. These computers could be excluded by IP address, but
you would have to edit the policy...
If you want your clients from the "Restricted" OU to communicate with the rest
of the domain, you will have to put the other computers in a separate OU and
assign the "Respond Only" policy to this OU.

Getting this right may not be an easy task. The best advice I can give you is
to set up a small lab and test the settings out. If you have any questions,
feel free to post back.
 
You could use an IPsec policy, though IPsec is computer specific. You could
put the computers whose access you want to restrict to domain computers only
into their own OU [if not already] and assign an IPsec "require" policy to
those computers. They will then only be able to communicate with domain
computers that have a corresponding IPsec policy of at least "client/respond".
Note that domain controllers must be exempt from any IPsec policies that
would try to engage IPsec negotiation [ESP/AH] with them from domain members.
The easiest way would be to add the domain controllers' static IP addresses
to any pertinent IPsec policy with a rule for the permit filter action. If
you want to try IPsec, be SURE to test it out on a couple of computers first.
Though not as secure a solution, you could also use an IPsec policy
"filtering" rule to block access to certain IP destination addresses, which
would require that the blocked computers have static IP addresses to be
effective. See the link below for more info on IPsec filtering. -- Steve

http://www.securityfocus.com/infocus/1559
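The policy the two replies above describe (a "require" rule that negotiates IPsec with Kerberos authentication, plus a permit exemption for the domain controllers), written out as an added example that is not part of the original thread. It uses the netsh ipsec static context, which exists on Windows XP SP2 and Windows Server 2003 but not on Windows 2000 (there the Resource Kit's ipsecpol.exe covers the same ground), and it writes to the local policy store of one test PC, which is the "try it on a couple of computers first" step. The domain controller addresses 192.168.1.10 and 192.168.1.11 and all policy, filter-list, filter-action and rule names are placeholders chosen for this example.

```batch
@echo off
rem Added example (not from the thread): build and assign a "require IPsec,
rem authenticate with Kerberos" policy in the local IPsec store of one PC.
rem Assumptions: netsh ipsec static is available (XP SP2 / Server 2003);
rem the domain controllers are 192.168.1.10 and 192.168.1.11 (placeholders).

set DC1=192.168.1.10
set DC2=192.168.1.11

rem 1. The policy object. Leave it unassigned until every rule is in place,
rem    so a half-built policy never takes effect.
netsh ipsec static add policy name="Restricted-Require" ^
    description="Talk only to hosts that complete IKE with Kerberos" ^
    assign=no

rem 2. Filter lists. "me" is this host's own address. One list matches all
rem    traffic; the other matches only the domain controllers.
netsh ipsec static add filterlist name="Restricted-All-Traffic"
netsh ipsec static add filter filterlist="Restricted-All-Traffic" ^
    srcaddr=me dstaddr=any protocol=any mirrored=yes

netsh ipsec static add filterlist name="Restricted-DC-Exempt"
netsh ipsec static add filter filterlist="Restricted-DC-Exempt" ^
    srcaddr=me dstaddr=%DC1% protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Restricted-DC-Exempt" ^
    srcaddr=me dstaddr=%DC2% protocol=any mirrored=yes

rem 3. Filter actions. soft=no: never fall back to clear text when a peer
rem    does not answer IKE (a stand-alone PC will not). inpass=no: do not
rem    accept unsecured inbound packets either.
netsh ipsec static add filteraction name="Restricted-Negotiate" ^
    action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Restricted-Permit" action=permit

rem 4. Rules. The DC permit rule is required: IKE's Kerberos authentication
rem    needs a clear-text path to a domain controller to fetch tickets. A
rem    host that is not a domain member cannot get a ticket, so IKE fails
rem    and no security association is ever built towards it.
netsh ipsec static add rule name="Exempt DCs" policy="Restricted-Require" ^
    filterlist="Restricted-DC-Exempt" filteraction="Restricted-Permit"
netsh ipsec static add rule name="Require IPsec (Kerberos)" ^
    policy="Restricted-Require" filterlist="Restricted-All-Traffic" ^
    filteraction="Restricted-Negotiate" kerberos=yes

rem 5. Assign it. Only one policy can be assigned per store at a time.
netsh ipsec static set policy name="Restricted-Require" assign=yes

rem 6. Checks: dump the assigned policy, then (after opening a share on a
rem    domain server) list main-mode SAs; only domain peers should appear,
rem    and a share on a workgroup PC should simply time out.
netsh ipsec static show policy name="Restricted-Require" level=verbose
netsh ipsec dynamic show mmsas

rem On the domain servers the restricted PCs must reach, assign the built-in
rem "Client (Respond Only)" policy instead, so they answer IKE but never
rem initiate it (the "Respond Only" policy for the servers' OU above):
rem   netsh ipsec static set policy name="Client (Respond Only)" assign=yes
```

Once the policy behaves in the lab, `netsh ipsec static exportpolicy file=restricted.ipsec` writes it out, and the file can be imported into the OU's computer GPO under Computer Configuration, Windows Settings, Security Settings, IP Security Policies and assigned there, which gives the per-OU rollout asked for in the thread. DHCP-assigned DC addresses or any other hosts the restricted PCs must reach before IKE can succeed (DHCP and DNS servers that are not also DCs) need their own permit filters in the same way.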
 