OnvioAdmin
asked on
Not allow non-domain computers to access W2K3 file shares regardless of user
The user has rights to access the data on a machine provided to them by us.
They cannot attach a USB drive, burn a CD, or FTP/email out information
without it being flagged/stopped.
So I was asked "What if Joe User brings in his home laptop?"
If a user does, and copies the IP settings from their corporate desktop,
then plugs their laptop into the same wire and attempts to access a
Windows file share, they are prompted for a username and password. Since they
are a user with valid credentials, they can access the data and
hypothetically copy it and remove it from the building without us knowing.
How can I block a valid user from accessing a file share from a machine that is not joined to the AD domain?
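An added detection check for the scenario described in the question (not code from the question or from any answer here): it parses constructed, simplified Windows Server 2003 security event 540 (successful network logon) records and flags logons from a client that is not a domain computer account, or whose reported workstation name disagrees with what the inventory says lives at that source IP, which is the "copied the IP settings" case. The event text layout, computer list and IP-to-host mapping are all assumptions constructed for the example.

```python
import re

# Constructed sample: three simplified event 540 records (successful
# network logon, logon type 3), not real Server 2003 log output.
SAMPLE_EVENTS = """\
Event ID: 540
 User Name: jsmith
 Logon Type: 3
 Workstation Name: WS-JSMITH
 Source Network Address: 10.1.2.50
Event ID: 540
 User Name: jsmith
 Logon Type: 3
 Workstation Name: JOE-HOME-LAPTOP
 Source Network Address: 10.1.2.50
Event ID: 540
 User Name: jsmith
 Logon Type: 3
 Workstation Name: WS-JSMITH
 Source Network Address: 10.1.2.99
"""
# Assumed inventories (constructed): AD computer accounts, and the host
# that DHCP reservations / the asset list say owns each IP.
DOMAIN_COMPUTERS = {"WS-JSMITH$", "WS-BJONES$", "FS01$"}
IP_TO_COMPUTER = {"10.1.2.50": "WS-JSMITH", "10.1.2.99": "WS-BJONES"}

FIELD_RE = re.compile(r"^[ \t]*(User Name|Logon Type|Workstation Name|"
                      r"Source Network Address):[ \t]*(.*)$", re.M)

def parse_540_events(text):
    """Split the text into event-540 records and extract the fields we need."""
    records = re.split(r"(?m)^Event ID:[ \t]*540[ \t]*$", text)[1:]
    return [dict(FIELD_RE.findall(body)) for body in records]

def suspicious_logons(text, domain_computers, ip_to_computer):
    """Return (user, workstation, ip, reason) for network logons whose client
    is not a domain computer or whose name does not match the inventory
    for its IP. Both fields are reported by the client, so this only detects
    the scenario; it does not prevent it."""
    known = {c.upper().rstrip("$") for c in domain_computers}
    findings = []
    for ev in parse_540_events(text):
        if ev.get("Logon Type") != "3":
            continue
        user = ev.get("User Name", "")
        ws = ev.get("Workstation Name", "").upper()
        ip = ev.get("Source Network Address", "")
        expected = ip_to_computer.get(ip, "").upper()
        if ws not in known:
            findings.append((user, ws, ip, "not a domain computer account"))
        elif expected and expected != ws:
            findings.append((user, ws, ip, "name does not match inventory for this IP"))
    return findings
```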
As far as I can see, I agree with the above post. Windows will automatically allow any authenticated user to access files and folders over which they have permissions, regardless of the machine they are working at. The behaviour you are seeing would be expected - when the user does not authenticate, they will be prompted for credentials.
You will need some kind of firewall or feature like what is mentioned in the post above. There's no easy way of achieving this, and even if there is you would need some rather complex, complicated permissions which would start getting over-restrictive on yourself.
-tigermatt
One possible solution is to use Windows Rights Media. In reality, the only way to completely lock it down is to only allow access from the specific machine and have no printers or outside communications on that machine. If someone can see the information on their screen, they can take a screenshot of it (either from Windows or using a third-party app). They can then save the screenshots as different files and do what they want with it.
http://www.nsa.gov/snac/os/switch-guide-version1_01.pdf
This way, the user can't plug the computer in and therefore can't access your resources.