Solved

Server access for Domain Computers only?

Posted on 2007-04-10
Medium Priority
202 Views
Last Modified: 2008-05-31
I have a Windows 2003 domain with two servers (both are also domain controllers) and about thirty Windows XP Pro client machines.

What I want to do is only allow SMB access to the servers if the computer connecting is part of the domain.  As an example:

If I bring my laptop in from home (not part of the domain) and choose "Start" and "Run" and type:  \\myfullyqualified.server.dns, I will get a login prompt.  If I log in with valid network credentials, I get into the server.  I want to prohibit this so that people MUST log in from computers which are in the domain.

I doubt this is very hard but I can't figure out the key words to search on.
Question by:NerdyMike
8 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 18883877
I don't think you can change that.  This is part of the behaviour of the Server Service running on the server.
 

Author Comment

by:NerdyMike
ID: 18883918
There's always a way.  :-P

I know one solution would be to assign the domain computers specific IP addresses and set up firewall rules on the server to only allow communication on the SMB ports to those IP addresses.  Not quite as secure but it would stop MOST people.

But there must be a way to do this properly....

Thanks for the reply.
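The per-address firewall scoping NerdyMike describes, written out as an added example that is not from the original thread, for the Windows Firewall that ships with Windows Server 2003 SP1 (netsh firewall context). Assumed, and not from the thread: the domain workstations and both servers sit in 192.168.10.0/24 and the workstations hold DHCP reservations; the exception names are arbitrary. The weak, any-source scoping is shown commented out next to the restricted one, followed by the check. As Laura notes below it is a band-aid: nothing here authenticates the client, so a visitor who sets a static address in that subnet still gets a logon prompt.

```batch
@echo off
setlocal
rem Added example (not from the original thread): restrict SMB on a
rem Windows Server 2003 SP1 host to the LAN subnet with Windows Firewall.
rem Assumed subnet; adjust to the real address plan.
set "LAN=192.168.10.0/255.255.255.0"

rem Weak setting: the SMB exceptions open to every source address, which is
rem what you get when a File and Printer Sharing exception is left at
rem scope=ALL. Kept here only for comparison, so it is not executed.
rem netsh firewall set portopening protocol=TCP port=445 name="SMB (CIFS)"    mode=ENABLE scope=ALL
rem netsh firewall set portopening protocol=TCP port=139 name="SMB (NetBIOS)" mode=ENABLE scope=ALL

rem Hardened setting: same two ports, but only sources inside %LAN% may
rem reach them. Both DCs live in that subnet, so replication between them
rem and SYSVOL access from domain workstations keep working.
netsh firewall set portopening protocol=TCP port=445 name="SMB (CIFS)"    mode=ENABLE scope=CUSTOM addresses=%LAN% profile=ALL
netsh firewall set portopening protocol=TCP port=139 name="SMB (NetBIOS)" mode=ENABLE scope=CUSTOM addresses=%LAN% profile=ALL

rem The scoping is only evaluated while the firewall is on for the profile
rem the server actually runs in (DOMAIN for a domain member).
netsh firewall set opmode mode=ENABLE profile=DOMAIN

rem Check: the two SMB entries must show a Custom scope listing %LAN%,
rem and nothing else should still be open on 445/139 with scope ALL.
netsh firewall show portopening
netsh firewall show opmode
endlocal
```

From a machine outside the subnet, `net use \\server\ipc$` should now time out rather than prompt for credentials; from a domain workstation inside it the prompt behaves as before, which is the limitation of this approach.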
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 18883936
The security measure that you're describing is called "Server & Domain Isolation", and is deployed using IPSec policies within AD. Unfortunately I can't point you to a 3-page tutorial that will take you through it, as it's a bit more involved than the usual click-click-click-done! procedure that you find with a lot of Windows settings. When deployed correctly, however, it will disallow connections to the servers/workstations that you designate from any PC that is not a member of the AD domain in question.

Take a look at the white papers and case studies found at http://www.microsoft.com/sdisolation to help get you started.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
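A concrete server-isolation IPsec policy of the kind Laura describes, as an added example that is not part of her answer or of Microsoft's SDIsolation material. It uses the `netsh ipsec static` context present on Windows Server 2003 and XP SP2; the policy, filter list, filter action and rule names, and the domain name in the comment, are assumptions. Two caveats a practitioner would want before assigning it: the workstations need the matching half (the built-in "Client (Respond Only)" policy, or an equivalent policy, assigned through Group Policy), otherwise domain members are shut out along with everyone else; and because both servers in the question are also domain controllers, a new machine cannot join the domain through this policy (domain join talks SMB to a DC before the machine has a Kerberos identity), so join workstations before the policy reaches them or stage them from an exempted address.

```batch
@echo off
setlocal
rem Added example (not from the original thread): server isolation for SMB
rem on Windows Server 2003 using netsh ipsec static. All names are assumed.
set "POL=Server Isolation - SMB"
set "FL=Inbound SMB to this server"
set "FA=Require Kerberos-authenticated IPsec"
set "RULE=Require IPsec for SMB"

rem Trial on one server against the local store. For the domain-wide rollout
rem the same commands target a GPO linked to the servers' OU, e.g.
rem   netsh ipsec static set store location=domain domain=example.local
netsh ipsec static set store location=local

rem 1. Policy container. The default response rule stays active so this server
rem    can also answer a negotiation started by the other DC.
netsh ipsec static add policy name="%POL%" description="Only domain members may reach SMB" activatedefaultrule=yes assign=no

rem 2. Filter list: anything from anywhere to this host's SMB ports.
rem    mirrored=yes also matches the replies, so the filter is symmetric.
netsh ipsec static add filterlist name="%FL%"
netsh ipsec static add filter filterlist="%FL%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes description="CIFS direct hosting"
netsh ipsec static add filter filterlist="%FL%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes description="SMB over NetBIOS session"

rem 3. Filter action: negotiate security and never fall back to clear text.
rem    soft=yes would let a non-domain laptop in after a failed negotiation,
rem    which is exactly the behaviour being removed; inpass=no refuses
rem    unsecured inbound packets even as the opener of a negotiation.
netsh ipsec static add filteraction name="%FA%" action=negotiate inpass=no soft=no

rem 4. Rule tying the pieces together with Kerberos (machine account)
rem    authentication. Only a computer that can obtain a Kerberos ticket from
rem    this domain, i.e. a domain member, completes IKE and reaches SMB at all.
rem    Kerberos itself (TCP/UDP 88) is not in the filter list, so the client
rem    can still get that ticket before the negotiation starts.
netsh ipsec static add rule name="%RULE%" policy="%POL%" filterlist="%FL%" filteraction="%FA%" kerberos=yes

rem 5. Review, then assign last. Assigning on a DC locks out every machine that
rem    is not yet a domain member, including ones waiting to be joined.
netsh ipsec static show policy name="%POL%" level=verbose
netsh ipsec static set policy name="%POL%" assign=yes

rem Check from a domain workstation with Client (Respond Only) assigned:
rem   net use \\server\ipc$     then     netsh ipsec dynamic show qmsas
rem should list an active quick-mode SA to the server. From the home laptop
rem the same net use times out instead of offering a credential prompt.
endlocal
```

Because both servers are DCs, keep the filter list to the SMB ports only; widening it to all traffic would also require IPsec for the Kerberos and LDAP exchanges the negotiation itself depends on.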
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18883951
The firewall solution that you proposed is a "quick-and-dirty" workaround, but would be dreadfully hard to manage for larger numbers of workstations or if you use DHCP in your environment.  But it might prove a reasonable band-aid until you can get SDIsolation going.
 
LVL 26

Expert Comment

by:Pber
ID: 18884081
I would be careful about deploying ipsec on a grand scale.  IPsec can be very good, but can also cause lots of grief.  We tried deploying ipsec just to secure communications between clients and servers and for the most part it works, but there are some apps that just don't like it.  Some internet web sites could no longer be accessed (the 99.99% worked fine); the problem cleared when ipsec was turned off.  Various alerts from network management agents stopped; once again the problem cleared when ipsec was turned off.

Not that I want to scare you away from ipsec; it can be lots of headaches as well.

Another way to do what you want is NAC.
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
http://www.microsoft.com/technet/network/nap/default.mspx

It can isolate non compliant machines (i.e. non domain machines) and not allow them on the network at all.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18884113
Sure, IPSec can cause lots of grief if it's not configured correctly, but so can anything else in IT.

The OP asked what the proper way is to ensure that only domain-connected machines can connect to a particular server, and without branching out into third-party technologies (NAC is hardly a picnic to deploy in and of itself), Server & Domain Isolation is the recommended solution.
 
LVL 15

Expert Comment

by:czcdct
ID: 18884142
Pber,
The guy has got two DCs and 30 workstations. IPSec in that environment is in no way described as a Grand Scale.
I think 99.99% of websites working will be more than good enough for the guy, and exactly what monitoring applications do you think the guy has? What, do you reckon he's got like HP OpenView deployed or something?

Come on. Your advice would be excellent if he had dozens of servers and hundreds of workstations. Let's keep the answers targeted to the level it was asked at. If you're watching, NerdyMike, please bear in mind the relevance of the answer when assigning your points.
 
LVL 26

Expert Comment

by:Pber
ID: 18884541
We seem to be getting a little defensive here...

Laura,
I agree, Your solution is probably the best in this situation.

czcdct,
As I mentioned, I'm not trying to scare him away from ipsec, it just can be lots of headaches.  I guess the grand scale comment was a little off in his situation.  The issue with ipsec that I was trying to point out is that it's usually some little things that don't work, and it can be tough to isolate and troubleshoot because 99% of things work and it's the 1% that can take a tremendous amount of time to figure out if you get on the wrong track.  At least I'm offering different solutions and not jumping into threads in which I've provided no input other than attempting to flame other contributors.

Question has a verified solution.