Security impact of joining a domain

Posted on 2002-03-04
Last Modified: 2010-04-14
Hello,

I want to join a Windows 2000 Pro client to a corporate domain (unsure if it is an NT or Win2k domain).

After doing this, will the owners of the domain have any type of privileged access back into my client machine? More importantly, how can this privileged access be limited?

Background:
A client machine at Company A needs to VPN and log in to a domain at Company B. I need to make sure Company B can't compromise the client in Company A, and use it as a launchpad into Company A's network.

I need to do this very soon.

Thanks,
CubeDweller
Question by:cubedweller
4 Comments
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6841112
Domain administrators will have full administrator rights on your machine. I think you cannot prevent or limit this. However, you can use ACLs to explicitly disallow file access on critical files. If you remove the binding to the file and printer sharing and don't offer any other method of the admins accessing your computer, you will not be affected by their administration possibilities since they cannot get onto your computer.

Note that for a VPN connection there is no need to join their domain. In fact, the VPN is only a network connection. Please specify a little more precisely.
0
 
LVL 7

Accepted Solution

by:
franka earned 1200 total points
ID: 6843037
Use the Usermanager (musrmgr.exe) on the client and simply remove the global group "domain Admin." from the client's local group "administrators" and do the same with "domain users" and "domain guests" in the local groups.
0
 

Author Comment

by:cubedweller
ID: 6843144
franka & AvonWyss,

Both of you gave good, workable answers. Franka's was a little more on target, since I am trying to protect the computer, and not just particular files.

Also, since franka locked the question with a "proposed answer" (please stop doing that) instead of leaving a "comment", it seems I need to award the points to him.

Thanks,
CubeDweller
0
 
LVL 7

Expert Comment

by:franka
ID: 6843931
Sorry, I didn't want to lock it, but my answer simply fits 100%.

AvonWyss is unfortunately not right when saying:
"I think you cannot prevent or limit this"

0
