Server access for Domain Computers only?

Posted on 2007-04-10
Last Modified: 2008-05-31
I have a Windows 2003 domain with two servers (both are also domain controllers) and about thirty Windows XP Pro client machines.

What I want to do is only allow SMB access to the servers if the computer connecting is part of the domain.  As an example:

If I bring my laptop in from home (not part of the domain) and choose "Start" and "Run" and type:  \\myfullyqualified.server.dns, I will get a login prompt.  If I log in with valid network credentials, I get into the server.  I want to prohibit this so that people MUST log in from computers which are in the domain.

I doubt this is very hard but I can't figure out the key words to search on.
Question by:NerdyMike
LVL 27

Expert Comment

ID: 18883877
I don't think you can change that.  This is part of the behaviour of the Server Service running on the server.

Author Comment

ID: 18883918
There's always a way.  :-P

I know one solution would be to assign the domain computers specific IP addresses and set up firewall rules on the server to only allow communication on the SMB ports to those IP addresses.  Not quite as secure, but it would stop MOST people.

But there must be a way to do this properly....

Thanks for the reply.
LVL 30

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 18883936
The security measure that you're describing is called "Server & Domain Isolation", and is deployed using IPSec policies within AD. Unfortunately I can't point you to a 3-page tutorial that will take you through it, as it's a bit more involved than the usual click-click-click-done! procedure that you find with a lot of Windows settings. When deployed correctly, however, it will disallow connections to the servers/workstations that you designate from any PC that is not a member of the AD domain in question.

Take a look at the white papers and case studies found at http://www.microsoft.com/sdisolation to help get you started.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
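The server-side half of the isolation policy Laura describes, as an added example that is not part of the original thread and not Microsoft's or the asker's configuration: a `netsh ipsec static` script for Windows Server 2003 that requires Kerberos-authenticated IPsec for inbound SMB, so only a machine holding a computer account in the domain can complete the negotiation. The policy, filter list, action and rule names are made up for this example.

```batch
@echo off
REM Added example (not from the thread): local "require security" IPsec policy for
REM inbound SMB on a Windows Server 2003 host. Quoted names are placeholders.

REM 1. Policy container; activatedefaultrule=no keeps the default response rule off
netsh ipsec static add policy name="SMB Domain Isolation" ^
    description="Only Kerberos-authenticated domain computers may talk SMB to this host" ^
    activatedefaultrule=no

REM 2. Filter list matching inbound SMB to this host (direct SMB 445 and NetBIOS 139);
REM    mirrored=yes also matches the reply traffic
netsh ipsec static add filterlist name="Inbound SMB"
netsh ipsec static add filter filterlist="Inbound SMB" srcaddr=any dstaddr=me ^
    protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="Inbound SMB" srcaddr=any dstaddr=me ^
    protocol=TCP srcport=0 dstport=139 mirrored=yes

REM 3. Filter action: negotiate IPsec and never fall back to clear text
REM    (inpass=no refuses unsecured inbound packets, soft=no forbids unprotected fallback)
netsh ipsec static add filteraction name="Require Kerberos IPsec" ^
    action=negotiate inpass=no soft=no

REM 4. Rule tying list and action together; kerberos=yes means the peer must
REM    authenticate with its AD computer account, which a home laptop does not have
netsh ipsec static add rule name="Require auth for SMB" policy="SMB Domain Isolation" ^
    filterlist="Inbound SMB" filteraction="Require Kerberos IPsec" kerberos=yes

REM 5. Assign the policy (only one policy can be assigned on a host at a time)
netsh ipsec static set policy name="SMB Domain Isolation" assign=yes
```

Domain members need a policy that can answer the negotiation (the built-in "Client (Respond Only)" policy pushed through Group Policy is enough), and in a real deployment the policy itself lives in the domain's IP Security Policies rather than on each server. Test with soft=yes (request rather than require) first so a mistake does not cut the two domain controllers off from each other.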

LVL 30

Expert Comment

ID: 18883951
The firewall solution that you proposed is a "quick-and-dirty" workaround, but would be dreadfully hard to manage for larger numbers of workstations or if you use DHCP in your environment.  But it might prove a reasonable band-aid until you can get SDIsolation going.
LVL 27

Expert Comment

ID: 18884081
I would be careful about deploying IPsec on a grand scale.  IPsec can be very good, but can also cause lots of grief.  We tried deploying IPsec just to secure communications between clients and servers, and for the most part it works, but there are some apps that just don't like it.  Some internet web sites could no longer be accessed (the other 99.99% worked fine); the problem cleared when IPsec was turned off.  Various alerts from network management agents stopped; once again the problem cleared when IPsec was turned off.

Not that I want to scare you away from IPsec, but it can be lots of headaches as well.

Another way to do what you want is NAC.

It can isolate non-compliant machines (i.e. non-domain machines) and not allow them on the network at all.
LVL 30

Expert Comment

ID: 18884113
Sure, IPSec can cause lots of grief if it's not configured correctly, but so can anything else in IT.

The OP asked what the proper way is to ensure that only domain-connected machines can connect to a particular server, and without branching out into third-party technologies (NAC is hardly a picnic to deploy in and of itself), Server & Domain Isolation is the recommended solution.
LVL 15

Expert Comment

ID: 18884142
The guy has got two DCs and 30 workstations. IPSec in that environment can in no way be described as a grand scale.
I think 99.99% of websites working will be more than good enough for the guy, and exactly what monitoring applications do you think the guy has? What, do you reckon he's got like HP OpenView deployed or something?

Come on. Your advice would be excellent if he had dozens of servers and hundreds of workstations. Let's keep the answers targeted to the level it was asked at. If you're watching, NerdyMike, please bear in mind the relevance of the answer when assigning your points.
LVL 27

Expert Comment

ID: 18884541
We seem to be getting a little defensive here...

I agree, your solution is probably the best in this situation.

As I mentioned, I'm not trying to scare him away from IPsec; it just can be lots of headaches.  I guess the grand scale comment was a little off in his situation.  The issue with IPsec that I was trying to point out is that it's usually some little small things that don't work, and it can be tough to isolate and troubleshoot because 99% of things work and it's the 1% that can take a tremendous amount of time to figure out if you get on the wrong track.  At least I'm offering different solutions and not jumping into threads where I've provided no input other than attempting to flame other contributors.
