Restricting Authentication

[Guest]

We have an internet based user attempting to logon to our domain using
account names which they may have obtained from a former employee. Is there
a way to restrict logon in a mixed 2000/2003 domain by allowing logons only
from machines that are members of the domain - or within a certain subnet?
Any ideas or suggestions are appreicated.

 

[Steven L Umbach]

If the user is using a static IP address then block it at your firewall and
your firewall should be able to give you that information by correlating
failed logon attempts to the firewall logs by time [make sure they are in
synch]. How is this happening - via VPN or RDP?? Since he can attempt to
logon I assume you have the need to allow your users to access and
authenticate to your network from the internet? One solution may be to use
L2TP only VPN for access though that will require that users computers have
certificates to authenticate to the VPN server. --- Steve

 

[Roger Abell [MVP]]

Although putting it into play should not be a knee-jerk reaction,
since you mentioned letting only login from machines that are
members of a domain, you could consider using IPsec for
domain isolation.
http://microsoft.com/ipsec