Restrict Access to Domain Servers from Workgroup Computers

[Trevor Hillary]

Is it possible to restrict the access to resources on domain servers from
workstation computers even if the the user has a valid User ID and password?
It looks as though the use of IPSec is a possibility but the customer would
like to selecively allow non domain workstations access to resources
possibly using certificates. Note that this is based on the client
workstation not related to who is logged in.

 

[Roger Abell [MVP]]

Is it possible to restrict the access to resources on domain servers from
workstation computers even if the the user has a valid User ID and
password? It looks as though the use of IPSec is a possibility but the
customer would like to selecively allow non domain workstations access to
resources possibly using certificates. Note that this is based on the
client workstation not related to who is logged in.

No, that is not a directly supportable scenario.
When you mention use of IPsec you identify the one current way
to do what you are after. Since you say anyone on the the allowed
machines you would need to
1. have the shares on a server where it is OK for all access to be
disallowed to machines not allowed to access the shares (i.e.
IPsec will control all access to the sharing machine, not just
access to the shares)
2a. have Guest access enabled on the sharing machine (so that all
accounts on the allowed machines have transparent access)
or
2b. have NTFS permissions on the shares that allow all domain
accounts (and then everyone will have to provide credentials
when connecting from an allowed machine)
3. have ability to identify the allowed machines for IPsec (just
doing this based on IPs is not very strong and unworkable if
client machines use DHCP).
Alternatives are certs or preshared key.

It is item 1 that usually makes this unworkable as a solution, since
it basically dedicates the server to this purpose.