iccaveman asked:
Keep non-domain computers out of folders on SBS2003

Client wants to restrict access to folders on the server from computers that are NOT a member of the domain. Right now users can attach to the domain with their personal computers using their user name and password and have access to all folders, just as if they had logged into the server on a domain computer. We want them to still be able to attach to the domain, but be able to restrict their access to some folders if the computer they are on is not on the domain.
Bryon H:

They get the access that their username is allowed, whether or not they are on a domain computer. Authentication = access.
SnowWolf:

On the domain, create a security group and add users who will need access to the folder. Then on the folder, remove "everyone" and other groups that may be added and add the security group you created, then set permissions accordingly.
when they enter their username and password, they'll still have access regardless if they're on a domain computer, a non-member laptop, a macintosh, or anything
For 2003, you should download and install Access Based Enumeration; this way, if they don't have access to the folder then they won't even see it.
You can also restrict access using only the Domain Users group; this way, if they are not a domain user they won't have access.
http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en 
@bryon - I didn't catch that at first, LOL, he is saying the computer is not joined to the domain, but the users are using domain credentials. Yep that'll cause a problem. Still download and install ABE though and setup the security groups.
The only way I can think of to get this done is like this... but it's a lot of work...

1. set all workstations to static ip addresses, OR set them as reservations in dhcp, so they always get the same ip addresses
2. set the dhcp scope so that visitor machines get for example dot 200 thru dot 250
3. in the windows firewall of the server (yuck) allow netbios/fileprintersharing for the advanced exception of ONLY dot one thru dot 199, for example.

that way, anything not in the advanced-allow list of the server's windows firewall, will get denied the ability to even talk to the server by netbios / shares.
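The three steps above, worked through as an added example that is not from the original thread. It assumes a constructed layout: LAN 192.168.16.0/24, domain PCs reserved in .1-.199, visitor machines drawing .200-.250, and all commands run on the SBS 2003 server itself; the MAC address and host name are placeholders. Because the XP SP2 / 2003 firewall custom scope takes addresses and subnets, the .0-.199 block is written as three CIDR prefixes.

```batch
rem Added worked example of the three steps above; not from the thread.
rem Assumed (constructed) layout: LAN 192.168.16.0/24, domain PCs reserved in
rem .1-.199, visitor pool .200-.250. Run on the SBS 2003 server.

rem 1. Pin a domain workstation to a fixed address with a DHCP reservation.
rem    The MAC address and name are placeholders, not real values.
netsh dhcp server scope 192.168.16.0 add reservedip 192.168.16.50 001122334455 "PC-PLACEHOLDER" "domain workstation"

rem 2. Shrink the dynamic pool so unknown (visitor) machines can only draw
rem    .200-.250. Reserved clients still receive their reserved address even
rem    though it lies inside the excluded range.
netsh dhcp server scope 192.168.16.0 add excluderange 192.168.16.1 192.168.16.199

rem 3. Scope the server's File and Printer Sharing exception to .0-.199 only.
rem    /25 = .0-.127, .128/26 = .128-.191, .192/29 = .192-.199; anything in
rem    .200-.250 is therefore refused at the firewall before SMB authentication.
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = 192.168.16.0/25,192.168.16.128/26,192.168.16.192/29 profile = ALL

rem Check: the FILEANDPRINT entry should list exactly those three subnets.
netsh firewall show service
```

A visitor machine that spoofs or statically configures an address inside .1-.199 would still get through, which is why the later comments recommend physical or VLAN separation.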
I would think the security groups would work, if you set it up based on user name and then apply NTFS permissions on folders with those security groups. Say, create a security group called Visitors and put the users in there and remove them from other groups. Then only give that security group access to the folders they need. That should work just fine? I would still install ABE.
iccaveman (asker):

Wow.  7 answers and no solutions.

ANY user can connect ANY computer and authenticate with their username and password. We are looking for a way to STOP them from doing that based on the fact that the computer is not a member of the domain.

The non-domain computer needs to talk to a license server and nothing else. It should have no access to user files on the server.

So, we need a way to restrict access to the server based on the following conditions:

1. User has a valid username and password that they use for full access from a domain computer.
2. Same user will be connecting a non-domain computer and could enter that same username and password.
3. We need to keep the non-domain computer using the same username and password from getting to files on the server.
Have you tried to add the domain computer account and the domain user account in the security tab, allow access, and remove everything else? Then it will only connect to that folder if it is a domain user on a domain computer.

If that computer account isn't connecting, it should deny access.


folder properties > Security > add > (then object types) > Put the tick in computers, then add allowed computers
TO: SnowWolf.  

Have you tried this?  Does it really do what I want?
@snowwolf - the problem is that these computers are not joined to the domain, only the user account is, based on previous comments.
iccaveman:  sorry but the ACCESS to the server follows the provided USERNAME and associated password... not the computer.

the only way to make it not reachable is to block the entire non-domain computer from accessing the server at all, which is outside of your scope of desire.

if they provide a valid username and password, they get their access, period.
bryon44035v3:  How would you block all non-domain computers?
in my comment #30546731 above is how i would, in combination with securing physical access to the servers, switches and ethernet jacks
I would either use the security groups as was mentioned before or put them on a separate lan.
My question is why even have them authenticate to the domain if you don't want them to have access to the domain?
I wish there were a security group like "non domain computers"; you could simply set DENY on stuff for that, since deny always overrides allow... but there's no such group. No "and everything else goes here".
@bryon - yep, understood. I was thinking that putting the users in their own security group and restricting NTFS permissions would do the trick. Maybe not, but my thinking was it shouldn't be any different than a user connecting through a VPN from home and restricting the user's access; please elaborate if I'm missing something, which of course is always possible :-).
well, if "joe" has access to "shared"... and he connects from a domain computer, great, there's your stuff joe.
if he connects via a vpn, with "joe" as the username, he still sees shared.
if he connects from a copy machine with "joe" as the username, he still sees shared.
if he connects from any SMB-enabled device at all, with "joe" as the username, he still sees shared.

if you restrict "joe" so he cannot access "shared" via ntfs permissions, he cannot get to shared from any of the above (including normal domain office computers)

now - for the vpn, if you specify the vpn to hand out a certain range of known ip addresses, you can specify DENY on those ip addresses... same with a known range of dhcp addresses.

bottom line ends up being, to keep your stuff secured from visitors, put visitors on their own network.
Which is why a separate lan would work :^), like I do with people who I only want to give internet access to.
Problem is, he wants them to be able to access a licensing server on one of the domain servers, which I assume runs by file shares and not a TCP/IP service we could firewall down for.
It appears that there is no solution
objection:

there were solutions to keeping non domain computers off the domain servers.

the requirement was to keep non domain computers off domain servers (shares) WHILE still allowing access for licensing software, based on authenticating with a DOMAIN USERNAME and password.  

that isn't possible because you get the access for which you authenticate.  if you authenticate as a user WHO HAS ACCESS to file shares, you will see those file shares, period.  

Just because you didn't get the answer you wanted doesn't mean you should just give up and accept your own non-answer. A lot of people put in a lot of effort here; the answer is, you can't.

if you were willing to modify your requirements, we can work with that... but based on your stated objective, it's not possible

you either keep them all separated physically (vlans), or you let them use different usernames such as visitor.

there is no way to say "domain\user has access to all these things but only if he's on a domain workstation"
So, you agree, there is no solution to the problem?
ASKER CERTIFIED SOLUTION
Bryon H
I suspect the Symantec firewall would do what I want, but I am not willing to install it and all the problems that come with it. Nobody has offered a solution to the problem I posted. There were a lot of interesting ideas, some interesting discussions, but no solution to the problem I needed solved.

If it is the policy of this web site to award points when no solution is provided, then points need to be awarded. Someone else will need to determine how many points to award and who to award them to. I will not object to whatever decision is made on how to award points. If others disagree and want to object, they can. I am done with this question.
What part of:

"If it is the policy of this web site to award points when no solution is provided, then points need to be awarded. Someone else will need to determine how many points to award and who to award them to. I will not object to whatever decision is made on how to award points. If others disagree and want to object, they can. I am done with this question."

don't you understand?