windows 2000 security

[s_hcl]

Presently we have a workgroup enviornment with 25 systems on win2k
proff and win xp proff.A Linux firewall is setup for interent access
with Iptables and nating.
Hence all theusers have internet access.Some policy changes are needed
and I want do a setup with the following groups and the security
features needed are as below.

Groups

Research
Development
Support
Mktg
Finance

1)No group should be able to access the resources of each other ,except
the users in its respective group.

2)Internet access only for support and mktg.
3)Other groups to have mail access only ,but no internet access(How
should i go about this ,was thinking of installing Mdaemon mail server)

4)Each group will probably have its own file server
5)A person from one group may have permission to access resources og
other groups.
6)VPN access (client access) to connect to vpn server.
7)CAn igo in for a firewall based router which will have also have a
VPn module at the internet gateway.

I had thought of 2 solutions ,one pertaining to creating a single
windows 2000/2003 domain enviornment and second using Vlan.I m not sure
which one will work,hence kindly go thru and let me know if any other
method is avialble to achieve the following.


If i go in for a vlan enviornment ,and use a single Layer 3 switching
device ,is it possible for me to access a particular group if required
..

If i go in for an Ad enviornment on fifferent subnets ,will i be able
to access resources of other subnet if needed.
or
If i just create a vlan in a workgroup enviornment ,is it ok.

 

[Herb Martin]

Presently we have a workgroup enviornment with 25 systems on win2k
proff and win xp proff.A Linux firewall is setup for interent access
with Iptables and nating.

This environment is not related to Active Directory
unless you are asking if you should switch to a DOMAIN
environment. (In most cases the answer to this would be

Hence all theusers have internet access.Some policy changes are needed
and I want do a setup with the following groups and the security
features needed are as below.

Groups

Will need to be setup on each Server or resource computer
since you have no domain.

1)No group should be able to access the resources of each other ,except
the users in its respective group.

Then ONLY grant the particular group access (e.g., avoid
granting ANY access to Everyone or Authenticated Users etc.)

2)Internet access only for support and mktg.

You cannot do this by group unless you install (something like)
ISA (the product formerly known as Proxy Server).

You can do it by IP using typical hardware firewalls and
either software or hardware filters.

3)Other groups to have mail access only ,but no internet access(How
should i go about this ,was thinking of installing Mdaemon mail server)

Not a big issue if you provide authentication on your
Email server AND find a way to prevent Internet access.

4)Each group will probably have its own file server

You really need a domain to simplify all this then.

5)A person from one group may have permission to access resources og
other groups.

You disallowed this above, but it isn't hard to supplement,
just make additional groups for such "out of group" privileges,
add the allowed users, and grant access.

(I suggested an extra group because you had already said you
didn't want entire 'other' groups to access resources, but if that
is not an issue you can just use the existing groups.)

6)VPN access (client access) to connect to vpn server.

Not a big deal -- easier to control access if you switch to
a domain.

7)CAn igo in for a firewall based router which will have also have a
VPn module at the internet gateway.

Windows Servers can be a big win for both outbound Internet access
(if you BUY ISA server) AND for putting permissions on inbound
VPN connections.

If you don't want to do that you can purchase hardware VPN solutions
which can use RADIUS and combine this with the INCLUDED
Windows IAS Server (IAS== MS RADIUS Server) to centralize
authentication and make it compatible across many vendors and
operating systems.

I had thought of 2 solutions ,one pertaining to creating a single
windows 2000/2003 domain enviornment and second using Vlan.I m not sure
which one will work,hence kindly go thru and let me know if any other
method is avialble to achieve the following.

You likely should implement the Domain no matter what other
solutions you pursue.

If i go in for a vlan enviornment ,and use a single Layer 3 switching
device ,is it possible for me to access a particular group if required

It is doubtful you will find much support for Groups unless
you are using RADIUS and that will usually only be for a
"access allowed/disallowed" situation.

And notice that without a domain, all Groups will be SERVER
SPECIFIC (even the same group NAME on different servers
will be different groups.)

If i go in for an Ad enviornment on fifferent subnets ,will i be able
to access resources of other subnet if needed.
or

Access across subnets is not a significant issue (you only
have to setup your name resolution and routing in a reasonably
correct manner.)

If i just create a vlan in a workgroup enviornment ,is it ok.

I doubt that will give you the features you require, but you still
may need other hardware or software to get everything you
mentioned.

 

[Jmnts]

1st I'd like to say that for Administration purposes you should have a
Domain, and you should consider ISA server in your domain.
http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10best.mspx
http://www.microsoft.com/isaserver/default.mspx

Now the problem:

Presently we have a workgroup enviornment with 25 systems on win2k
proff and win xp proff.A Linux firewall is setup for interent access
with Iptables and nating.
Hence all theusers have internet access.Some policy changes are needed
and I want do a setup with the following groups and the security
features needed are as below.

Groups

Research
Development
Support
Mktg
Finance

1)No group should be able to access the resources of each other, except the
users in its respective group.

-You can configure this locally in every machine (Keep in mind that every Xp
machine accepts 10 connections maximum at the time).
Machines in a workgroup envoirment only knows his local SAM. Which means
that in order to give restricted access to resources you can't give everyone
access, and you must only give access to certain users or groups that exist
in the local machine. Which means that you must provide to the users that
User account and respective Pw. (Not to functional, in a domain environment
the Dc process all this). You have a option in windows xp that permits you
to save credentials in future access to that shared resource.

To troubleshoot maximum connections achived check:
http://support.microsoft.com/kb/328459/


2) Internet access only for support and mktg.

-Ok make the appropriate configuration.

3) Other groups to have mail access only ,but no internet access(How should
i go about this ,was thinking of installing Mdaemon mail server)

-I believe that you could make this type of restriction using your existent
FW, denying based IP Address vs Ports allowed.
You can also use Local Gpo to do this. The trick is to fullish the O.S, to
achieve that you configure a wrong proxy server ex: http:"localproxy.com" on
the internet properties in the local computers, then deny changes to the
proxy configuration textbox..

a - Config the wrong proxy: User Config / Win Settings / Internet Explorer
Maintenance / Connection / Proxy Settings

b - Make the Proxy config per machine rather per user: Computer Config /
Admin Templates /Win Components / I.E /Make proxy settings per machine.

c - Do not allow changes: User Config / Admin Templates / Win components /
Internet Explorer / Disable changing proxy settings.

(Of course if the users a local Admins... Then they can change all that.)


4)Each group will probably have its own file server

-I still don't get why you don't have a Dc.

5)A person from one group may have permission to access resources og other
groups. Already discussed.

6)VPN access (client access) to connect to vpn server.

-No problem. (If you have Windows RRas Server you should consider L2TP/IPSec
(more secure, don't use pre-shared key authentication), needs CA, computer
certificate, once again you must have a local User and Password)
For more Information:
Virtual Private Networking with Windows Server 2003: Deploying Remote Access
VPNs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx
Basic L2TP/IPSec Troubleshooting in Windows XP
http://support.microsoft.com/?kbid=314831



7)CAn igo in for a firewall based router which will have also have a VPn
module at the internet gateway.
I had thought of 2 solutions ,one pertaining to creating a single windows
2000/2003 domain enviornment and second using Vlan.I m not sure which one
will work,hence kindly go thru and let me know if any other method is
avialble to achieve the following.
If i go in for a vlan enviornment ,and use a single Layer 3 switching device
,is it possible for me to access a particular group if required.
If i go in for an Ad enviornment on fifferent subnets ,will i be able to
access resources of other subnet if needed. or If i just create a vlan in a
workgroup enviornment ,is it ok.

As long as both sides can reach each oher the only problem that you'll have
is resources authentication. Should consider an Ad environment with, even if
you can't Afford ISA server, you can take advantage of RADIUS authentication
as long as your FW/Nat device supports RADIUS.