Solved

Not allow non-domain computers to access W2K3 file shares regardless of user

Posted on 2007-11-28
4
778 Views
Last Modified: 2008-05-31
The user has rights to access the data on a machine provided to them by us.
They cannot attach a USB drive, burn a CD, or FTP/email out information
without it being flagged/stopped.

So I was asked "What if Joe User brings in his home laptop?"
If a user does, and copies the IP settings from their corporate desktop,
then plugs in their laptop into the same wire and attempts to access a
Windows file share, they are prompted for a username and password. Since they
are a user with valid credentials, they can access the data and
hypothetically copy it and remove it from the building without us knowing.

How can I block a valid user from accessing a file share on a non-AD domain added machine?
0
Comment
Question by:OnvioAdmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 20367160
I dont thing you will achieve that using only AD. You need some switch features like Cisco's Port Security:

http://www.nsa.gov/snac/os/switch-guide-version1_01.pdf

This way, the user cant plug the computer in and therefore, cant access your resources.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 20367390
As far as I can see, I agree with the above post. Windows will automatically allow any authenticated user to access files and folders over which they have permissions, regardless of the machine they are working at. The behaviour you are seeing would be expected - when the user does not authenticate, they will be prompted for credentials.

You will need some kind of firewall or feature like what is mentioned in the post above. There's no easy way of achieving this, and even if there is you would need some rather complex, complicated permissions which would start getting over restricive on yourself.

-tigermatt
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20367444
One possible solution is to use Windows Rights Media.  In reality, the only way to completely lock it down is to only allow access from the specific machine and have no printers or outside communicaitons on that machine.  If someone can see the informaiton on their screen, they can take a screen shot of it (either from windows or using a third party app).  They can then save the screen shots as a different files and do what they want with it.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 20367659
You can accomplish this using a combination of Active Directory and an internal PKI by deploying Server and Domain Isolation - only domain-joined computers are issues a particular type of PKI certificate, and if a computer does not possess said it is not allowed to connect to one or more servers that you specify.  SDI is non-trivial to deploy and needs to be fully tested in a lab setting so that you are not inadvertently locking out legitimate users from accessing the resources they need: http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question