Solved

Active Directory Remote Users, Internet Access and File, Web, Database Access

Posted on 2007-04-07
6
492 Views
Last Modified: 2008-10-29
Greetings;

I have several questions which I need assistance with concerning Active Directory running on Windows 2003 Server Standard Edition R2. I have only recently installed Active Directory and DNS. I am learning quickly what I can do and not do, I hope (AD is daunting to say the least).

Please refer to the PDF at http://www.bachandbach.com/LAN/LANTopography.pdf for a visual representation of our local network.

Currently, I need mentoring on how to do the following:

1. Control access to the Internet. Since users can login to their computers using their AD user id and password or their local user id and password, the latter does not protect who uses our Internet connection. One solution I can think of is to connect the Comcast modem directly to the 2nd NIC on the server running AD. Would I then be able to exclusively control Internet access from our LAN by doing this or is there a better way to accomplish the same thing?

2. I need to control what remote users (either using Remote Desktop or VPN) have access to with respect to servers, file directories and programs they can execute. Remote users will also need access to some IIS 6.0 web sites and some MS SQL 2005 databases but not all of these. I will need pointers on how to restrict access to those web sites and databases remote users don't need access to.

3. How do I control via AD printers which are connected directly to the router and not locally to one of the servers?


Much thanks on any help you can lend ... David
0
Question by:David Bach
6 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
ID: 18873696
1)  Why are they logging in locally?  Disable the local accounts.

2)  This is what Remote Access Policies are for.  http://technet2.microsoft.com/WindowsServer/en/library/fc353fbb-4df4-4b36-b14a-20cbbad434941033.mspx?mfr=true

3)  Install them on the server and share them out.  Point the clients to the server share rather than the printer directly.

0
 
LVL 8

Accepted Solution

by:SanDiegoComputer
SanDiegoComputer earned 250 total points
ID: 18877305
Ok, lots of questions here...

1. Controlling Internet access is really the work of a third party application.  Personally I recommend something like the SonicWall TZ170 with the content control option.  It's fairly easy to setup and you can either block everything except for specific sites, block nothing except for specific sites, block entire categories of sites, or block some things for some IP Addresses and nothing for others.  

2. If you are running a domain, you should get rid of the local usernames and passwords and move them to domain accounts.  Much easier to administer in the long run.

3.  Decisions of access to files and applications are best done via security settings on the servers.  If your users must use Remote Desktop or VPN to connect in, and you use a router in front of your network, they will require authentication to access your network so that will provide the first layer of defence.  However, you need to examine the shares themselves on your server and verify who has access to what.  Basically, the default for a Windows share is Everyone.  You should change that based on who should have access.  If all your users should have access to the \\server\data share, you should set something like Domain Users to have full control.  If John is a guest and he should NOT have access to that share, you should set him as DENY access.  If you have 2 accounting users and they need access to the \\server\accounting share, you should create a group called Accounting, add both users to the group, add the group to the share with full control, and then have the users log off and back on.  Remember, the users will essentially have access to all the folders within that share.  You can limit access to particular files or folders though by right clicking on the file or folder and then making adjustments on the SECURITY tab.  

4.  To set up the printer via the AD is pretty simple.  First, configure the printer as a local printer on the server (Printers folder / Add new printer / Specify the port as a TCP/IP port / specify the address of the print server / specify the print driver / test it / then Share it).  Use the printer management utility of Windows Server 2003 R2 to deploy it to the users.  You may need to go to Add/Remove programs / Windows Components / and install the printer management add-on if it's not in your administrative tools.  
0
 

Author Comment

by:David Bach
ID: 18889600
Greetings SanDiegoComputer and Netman66;

Thank you for your responses.

I cannot disable the local accounts. These are guests which have requested to use our network to gain access to the Internet. I would like to force these guests to login to our domain in order to use the Internet. I believe utilizing the second NIC on our AD server to connect our public IP to would be the best solution. This would transfer the function of the D-Link router to the AD server. I need pointers on how to secure the Internet using AD.

The printers I have added to AD. I even believe I've done it successfully.

The more complicated issue is controlling the access of users who need limited access to resources. I created an OU and defined users within the OU. I added a group security policy by going to AD Users and Computers ==> OU ==> Properties ==> Group Policy ==> New to govern the OU. My first attempt to control access was to disallow specific .cpl files (Control Panel selections) for this OU by adding Hash rules. After logging on with a test user defined in this OU, the disallowed control panel objects were still accessible by the user. I then added to the same group security policy a path rule specifying %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.cpl and disallow hoping to block any control panel from users in the OU. This didn't work.

I changed my focus to file shares. The router directs Remote Desktop logins to a specific machine. I logged in locally to this machine (it is not the AD machine but the 2nd Windows 2003 Server machine) and specifically denied full access to the OU for all 3 physical volume shares (not the volume itself but the shares I defined for the volumes). I then defined a share to a specific directory on one of these 3 volumes and allowed modify access to users of the OU to the new share. I created what I thought was a profile for users of the OU as follows:

rem UNC paths that contain spaces must be quoted, or "My" and "Documents" are parsed as separate arguments
net use m: "\\RDP_Box\G_Share\My Documents\OU Folder 1" /persistent:yes
net use n: "\\RDP_Box\G_Share\My Documents\OU Folder 2" /persistent:yes

I saved this file as a text file and specified the location of the file in the user's profile. I entered various syntaxes of the path in the Profile tab ==> User profile path as well as Terminal Services Profile tab ==> Terminal Services User's Profile path in the test user's object. This was to no avail. I was not able to make the new shares available to users of the OU.

Venting: In my 35 years of programming business applications, customizing operating systems and working as a security specialist, I feel AD will offer the services I am attempting to put in place. The concepts of security I believe I have a reasonable grasp of. I'm sure it is the syntax I have wrong in attempting to implement what I feel is possible with AD.

Much thanks ... David
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18891271
In order to use Group Policy to control User Configuration settings, the User Account must be in the path of the OU.  Local Accounts aren't in the AD so you cannot control them with a domain-based GPO.  You *could* manage them with a local policy, however you'd have to do this manually and to every PC.

The best solution is to create some Generic Accounts on the domain.  Have the guests sign out an account from reception.  This way, they are logging into the domain and can be managed by policy as you want to do.

As for Printers - just publishing them to the AD isn't going to help control access, it only allows users to find them easily.  The permissions lie on the object (printer) in Printers and Faxes.  To control access in the domain again requires a domain account.  

As for drive mappings - you can add a Logon Script to a GPO under User Config that runs the CMD file.  It must be placed in the Netlogon share (SYSVOL\sysvol\domain\scripts) folder.

0
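A logon script of the kind Netman66 describes, written as an added example for this thread (it is not code posted by anyone here). It assumes the file is saved as a .cmd in the NETLOGON share and assigned under User Configuration ==> Windows Settings ==> Scripts (Logon) of the GPO linked to David's OU; the \\RDP_Box\G_Share paths, drive letters and log file location are placeholders reused from the thread.

```batch
@echo off
rem Example domain logon script (hypothetical, not from this thread).
rem Location assumed: \\<domain>\NETLOGON\ou-drives.cmd
rem Assigned via: GPO on the OU -> User Configuration -> Windows Settings -> Scripts -> Logon
rem Because it runs in the user's context, only shares the user's domain
rem account (or a group it belongs to) has share + NTFS rights on will map;
rem a local account never receives this GPO, which is Netman66's point.

set LOGFILE=%TEMP%\ou-drives.log
echo %DATE% %TIME% logon script start for %USERDOMAIN%\%USERNAME% >> "%LOGFILE%"

rem Drop any stale or persistent mapping first; if the profile already
rem restored a /persistent:yes mapping on M: or N:, a fresh "net use"
rem to that letter fails with "local device name already in use".
net use M: /delete /y >nul 2>&1
net use N: /delete /y >nul 2>&1

rem Quote every UNC path that contains spaces, otherwise "My" and
rem "Documents" are parsed as separate arguments and the mapping fails.
rem /persistent:no because the script re-creates the mapping every logon.
call :mapdrive M: "\\RDP_Box\G_Share\My Documents\OU Folder 1"
call :mapdrive N: "\\RDP_Box\G_Share\My Documents\OU Folder 2"

echo %DATE% %TIME% logon script end >> "%LOGFILE%"
goto :eof

:mapdrive
rem %1 = drive letter, %2 = quoted UNC path
net use %1 %2 /persistent:no >nul 2>&1
if errorlevel 1 (
    rem Access denied here almost always means the user (or a group they
    rem are in) lacks rights on the share or NTFS folder, or the user is
    rem still logging on with a local rather than a domain account.
    echo FAILED %1 -^> %2 ^(check share and NTFS permissions^) >> "%LOGFILE%"
) else (
    echo mapped %1 -^> %2 >> "%LOGFILE%"
)
goto :eof
```

Check %TEMP%\ou-drives.log on the test user's session after logon: a FAILED line for a share the user should reach points at the share or NTFS ACL rather than at the script.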
 
LVL 1

Expert Comment

by:Computer101
ID: 21216381
Forced accept.

Computer101
EE Admin
0
