Solved

Server access for Domain Computers only?

Posted on 2007-04-10
8
195 Views
Last Modified: 2008-05-31
I have a Windows 2003 domain with two servers (both are also domain controllers) and about thirty Windows XP Pro client machines.

What I want to do is only allow SMB access to the servers if the computer connecting is part of the domain.  As an example:

If I bring my laptop in from home (not part of the domain) and choose "Start" and "Run" and type:  \\myfullyqualified.server.dns, I will get a login prompt.  If I log with valid network credentials, I get into the server.  I want to prohibit this so that people MUST log in from computers which are in the domain.

I doubt this is very hard but I can't figure out the key words to search on.
0
Comment
Question by:NerdyMike
8 Comments
 
LVL 26

Expert Comment

by:Pber
Comment Utility
I don't think you can change that.  This is part of the behaviour of the Server Service running on the server.
0
 

Author Comment

by:NerdyMike
Comment Utility
There's always a way.  :-P

I know one solution would be to assign the domain computers specific IP addresses and setup firewall rules on the server to only allow communication on the SMB ports to those IP address.  Not quite as secure but it would stop MOST people.

But there must be a way to do this properly....

Thanks for the reply.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
Comment Utility
The security measure that you're describing is called "Server & Domain Isolation", and is deployed using IPSec policies within AD. Unfortunately I can't point you to a 3-page tutorial that will take you through it, as it's a bit more involved than the usual click-click-click-done! procedure that you find with a lot of Windows settings. When deployed correctly, however, it will disallow connections to the servers/workstations that you designate from any PC that is not a member of the AD domain in question.

Take a look at the white papers and case studies found at http://www.microsoft.com/sdisolation to help get you started.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
The firewall solution that you proposed is a "quick-and-dirty" workaround, but would be dreadfully hard to manage for larger numbers of workstations or if you use DHCP in your environment.  But it might prove a reasonable band-aid until you can get SDIsolation going.
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 26

Expert Comment

by:Pber
Comment Utility
I would be careful about deploying ipsec on a grand scale.  IPsec can be very good, but can also cause lots of grief.  We tried deploying ipsec just to secure communications between clients and servers and for the most part it works, there are some apps that just don't like it.  Some internet web sites could no longer be accessed (the 99.99% worked fine), the problem cleared when ipsec was turned off.  Various alerts from network management agents stopped, once again problem cleared when ipsec was turned off.

Not that I want to scare you away from ipsec, it can be lots of headaches as well.

Another way to do what you want is NAC.
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
http://www.microsoft.com/technet/network/nap/default.mspx

It can isolate non compliant machines (i.e. non domain machines) and not allow them on the network at all.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
Sure, IPSec can cause lots of grief if it's not configured correctly, but so can anything else in IT.

The OP asked what the proper way is to ensure that only domain-connected machines can connect to a particular server, and without branching out into third-party technologies (NAC is hardly a picnic to deploy in and of itself), Server & Domain Isolation is the recommended solution.
0
 
LVL 15

Expert Comment

by:czcdct
Comment Utility
Pber,
The guy has got two DCs and 30 workstations. IPSec in that environment is in no way described as a Grand Scale.
I think 99.99% of websites working will be more than good enough for the guy an exactly what monitoring applications do you think the guy has? What, do you reckon he's got like HP OpenView deployed or something?

Come on. Your advice would be excellent if he had dozens of servers and hundreds of workstations. Let's keep the answers targetted to the level it was asked at. If you're watching NerdyMike, please bear the relevance of the answer when assigning your points.
0
 
LVL 26

Expert Comment

by:Pber
Comment Utility
We seem to be getting a little defensive here...

Laura,
I agree, Your solution is probably the best in this situation.

czcdct,
As I mentioned, I'm not trying to scare him away from ipsec, it just can be lots of headaches.  I guess the grand scale comment was a little off in his situation.  The issue with ipsec that I was trying to point out is that it's usually some little small things that don't work and it can be tough to isolate and troubleshoot because 99% of things work and it's the 1% that can take a tremendous amount of time to figure out if you get on the wrong track.  At least I'm offering different solutions and not jumping into threads that I've provided no input other than attempting to flame other contributors.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now