Solved

Server access for Domain Computers only?

Posted on 2007-04-10
203 Views
Last Modified: 2008-05-31
I have a Windows 2003 domain with two servers (both are also domain controllers) and about thirty Windows XP Pro client machines.

What I want to do is only allow SMB access to the servers if the computer connecting is part of the domain.  As an example:

If I bring my laptop in from home (not part of the domain) and choose "Start" and "Run" and type:  \\myfullyqualified.server.dns, I will get a login prompt.  If I log with valid network credentials, I get into the server.  I want to prohibit this so that people MUST log in from computers which are in the domain.

I doubt this is very hard but I can't figure out the key words to search on.
 
LVL 26

Expert Comment

by:Pber
ID: 18883877
I don't think you can change that.  This is part of the behaviour of the Server Service running on the server.
0
 

Author Comment

by:NerdyMike
ID: 18883918
There's always a way.  :-P

I know one solution would be to assign the domain computers specific IP addresses and set up firewall rules on the server to only allow communication on the SMB ports to those IP addresses.  Not quite as secure but it would stop MOST people.

But there must be a way to do this properly....

Thanks for the reply.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 18883936
The security measure that you're describing is called "Server & Domain Isolation", and is deployed using IPSec policies within AD. Unfortunately I can't point you to a 3-page tutorial that will take you through it, as it's a bit more involved than the usual click-click-click-done! procedure that you find with a lot of Windows settings. When deployed correctly, however, it will disallow connections to the servers/workstations that you designate from any PC that is not a member of the AD domain in question.

Take a look at the white papers and case studies found at http://www.microsoft.com/sdisolation to help get you started.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
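As an added illustration of the server isolation approach described in the accepted answer (this is not code from the thread or from Microsoft's SDIsolation material), the following assumes a current Windows Server (2012 or later) with the NetSecurity PowerShell module; on the 2003-era servers in the question the same policy would be built as an IPsec policy in Group Policy instead.

```powershell
# Added example (not from the original thread): server isolation on a modern Windows
# Server (2012 or later), restricting inbound SMB (TCP 445) to domain-joined computers.
# The cmdlets below come from the NetSecurity module, which Windows Server 2003 lacks;
# there the equivalent is an IPsec policy GPO built from the SDIsolation guidance.
# Run elevated on the file server (or put the same settings into a GPO).

# 1. Phase 1 authentication: the connecting *computer* must prove domain membership
#    with Kerberos. A non-domain laptop cannot complete this negotiation, so the
#    user's valid credentials never even reach the SMB login prompt.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Domain Computer Kerberos" `
    -Proposal $authProposal

# 2. Connection security rule: inbound traffic to TCP 445 on this host must be
#    IPsec-protected. Scoping it to 445 only leaves Kerberos (88), DNS and LDAP
#    untouched, which matters when the file server is also a DC: clients still
#    need to obtain a ticket before they can negotiate IPsec at all.
New-NetIPsecRule -DisplayName "Require IPsec for inbound SMB" `
    -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# 3. Firewall rule: on top of a successful IPsec negotiation, only allow SMB from
#    members of Domain Computers. "DC" is the SDDL alias for that group and
#    resolves against the server's own domain when the rule is created.
New-NetFirewallRule -DisplayName "SMB in - domain computers only" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -Authentication Required -RemoteMachine "O:LSD:(A;;CC;;;DC)"

# 4. Checks: confirm both rules took effect, then watch main mode security
#    associations appear as domain clients reconnect (a non-domain client
#    produces none and its connection attempt simply times out).
Get-NetIPsecRule -DisplayName "Require IPsec for inbound SMB" |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
Get-NetFirewallRule -DisplayName "SMB in - domain computers only" |
    Get-NetFirewallSecurityFilter
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

Pilot this with `-InboundSecurity Request` first so nothing breaks while you confirm every domain client negotiates successfully, then switch to `Require`.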
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18883951
The firewall solution that you proposed is a "quick-and-dirty" workaround, but would be dreadfully hard to manage for larger numbers of workstations or if you use DHCP in your environment.  But it might prove a reasonable band-aid until you can get SDIsolation going.
0
 
LVL 26

Expert Comment

by:Pber
ID: 18884081
I would be careful about deploying ipsec on a grand scale.  IPsec can be very good, but can also cause lots of grief.  We tried deploying ipsec just to secure communications between clients and servers and for the most part it works, there are some apps that just don't like it.  Some internet web sites could no longer be accessed (the 99.99% worked fine), the problem cleared when ipsec was turned off.  Various alerts from network management agents stopped, once again problem cleared when ipsec was turned off.

Not that I want to scare you away from ipsec, it can be lots of headaches as well.

Another way to do what you want is NAC.
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
http://www.microsoft.com/technet/network/nap/default.mspx

It can isolate non compliant machines (i.e. non domain machines) and not allow them on the network at all.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18884113
Sure, IPSec can cause lots of grief if it's not configured correctly, but so can anything else in IT.

The OP asked what the proper way is to ensure that only domain-connected machines can connect to a particular server, and without branching out into third-party technologies (NAC is hardly a picnic to deploy in and of itself), Server & Domain Isolation is the recommended solution.
0
 
LVL 15

Expert Comment

by:czcdct
ID: 18884142
Pber,
The guy has got two DCs and 30 workstations. IPSec in that environment is in no way described as a Grand Scale.
I think 99.99% of websites working will be more than good enough for the guy, and exactly what monitoring applications do you think the guy has? What, do you reckon he's got like HP OpenView deployed or something?

Come on. Your advice would be excellent if he had dozens of servers and hundreds of workstations. Let's keep the answers targeted to the level it was asked at. If you're watching, NerdyMike, please bear the relevance of the answer in mind when assigning your points.
0
 
LVL 26

Expert Comment

by:Pber
ID: 18884541
We seem to be getting a little defensive here...

Laura,
I agree, your solution is probably the best in this situation.

czcdct,
As I mentioned, I'm not trying to scare him away from ipsec, it just can be lots of headaches.  I guess the grand scale comment was a little off in his situation.  The issue with ipsec that I was trying to point out is that it's usually some little small things that don't work and it can be tough to isolate and troubleshoot because 99% of things work and it's the 1% that can take a tremendous amount of time to figure out if you get on the wrong track.  At least I'm offering different solutions and not jumping into threads that I've provided no input other than attempting to flame other contributors.
0
