[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 206
  • Last Modified:

Server access for Domain Computers only?

I have a Windows 2003 domain with two servers (both are also domain controllers) and about thirty Windows XP Pro client machines.

What I want to do is only allow SMB access to the servers if the computer connecting is part of the domain.  As an example:

If I bring my laptop in from home (not part of the domain) and choose "Start" and "Run" and type:  \\myfullyqualified.server.dns, I will get a login prompt.  If I log with valid network credentials, I get into the server.  I want to prohibit this so that people MUST log in from computers which are in the domain.

I doubt this is very hard but I can't figure out the key words to search on.
0
NerdyMike
Asked:
NerdyMike
1 Solution
 
PberSolutions ArchitectCommented:
I don't think you can change that.  This is part of the behaviour of the Server Service running on the server.
0
 
NerdyMikeAuthor Commented:
There's always a way.  :-P

I know one solution would be to assign the domain computers specific IP addresses and setup firewall rules on the server to only allow communication on the SMB ports to those IP address.  Not quite as secure but it would stop MOST people.

But there must be a way to do this properly....

Thanks for the reply.
0
 
LauraEHunterMVPCommented:
The security measure that you're describing is called "Server & Domain Isolation", and is deployed using IPSec policies within AD. Unfortunately I can't point you to a 3-page tutorial that will take you through it, as it's a bit more involved than the usual click-click-click-done! procedure that you find with a lot of Windows settings. When deployed correctly, however, it will disallow connections to the servers/workstations that you designate from any PC that is not a member of the AD domain in question.

Take a look at the white papers and case studies found at http://www.microsoft.com/sdisolation to help get you started.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LauraEHunterMVPCommented:
The firewall solution that you proposed is a "quick-and-dirty" workaround, but would be dreadfully hard to manage for larger numbers of workstations or if you use DHCP in your environment.  But it might prove a reasonable band-aid until you can get SDIsolation going.
0
 
PberSolutions ArchitectCommented:
I would be careful about deploying ipsec on a grand scale.  IPsec can be very good, but can also cause lots of grief.  We tried deploying ipsec just to secure communications between clients and servers and for the most part it works, there are some apps that just don't like it.  Some internet web sites could no longer be accessed (the 99.99% worked fine), the problem cleared when ipsec was turned off.  Various alerts from network management agents stopped, once again problem cleared when ipsec was turned off.

Not that I want to scare you away from ipsec, it can be lots of headaches as well.

Another way to do what you want is NAC.
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
http://www.microsoft.com/technet/network/nap/default.mspx

It can isolate non compliant machines (i.e. non domain machines) and not allow them on the network at all.
0
 
LauraEHunterMVPCommented:
Sure, IPSec can cause lots of grief if it's not configured correctly, but so can anything else in IT.

The OP asked what the proper way is to ensure that only domain-connected machines can connect to a particular server, and without branching out into third-party technologies (NAC is hardly a picnic to deploy in and of itself), Server & Domain Isolation is the recommended solution.
0
 
czcdctCommented:
Pber,
The guy has got two DCs and 30 workstations. IPSec in that environment is in no way described as a Grand Scale.
I think 99.99% of websites working will be more than good enough for the guy an exactly what monitoring applications do you think the guy has? What, do you reckon he's got like HP OpenView deployed or something?

Come on. Your advice would be excellent if he had dozens of servers and hundreds of workstations. Let's keep the answers targetted to the level it was asked at. If you're watching NerdyMike, please bear the relevance of the answer when assigning your points.
0
 
PberSolutions ArchitectCommented:
We seem to be getting a little defensive here...

Laura,
I agree, Your solution is probably the best in this situation.

czcdct,
As I mentioned, I'm not trying to scare him away from ipsec, it just can be lots of headaches.  I guess the grand scale comment was a little off in his situation.  The issue with ipsec that I was trying to point out is that it's usually some little small things that don't work and it can be tough to isolate and troubleshoot because 99% of things work and it's the 1% that can take a tremendous amount of time to figure out if you get on the wrong track.  At least I'm offering different solutions and not jumping into threads that I've provided no input other than attempting to flame other contributors.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now