Keep non-domain computers out of folders on SBS2003

Client wants to restrict access to folders on the server from computers that are NOT a member of the domain.  Right now users can attach to the domain with their personal computers using  their user name and password and have access to all folders just like if they logged into the server on a domain computer.  We want them to still be able to attach to the domain, but be able to restrict their access to some folders if the computer they are on is not on the domain.
iccavemanAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

B HCommented:
they get the access that their username is allowed, weather or not they are on a domain computer.  authentication = access
SnowWolfCommented:
On the domain, create a security group and add users who will need access to the folder. Then on the folder, remove "everyone" and other groups that may be added and add the security group you created, then set permissions accordingly.
B HCommented:
when they enter their username and password, they'll still have access regardless if they're on a domain computer, a non-member laptop, a macintosh, or anything
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

ConchCrawlCommented:
For 2003, you should download and install access based enumeration, this way if they don't have access to the folder then they wont even see it.
You can also restrict access using only domain users group, this way if they are not a domain user they wont have access.
http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en 
ConchCrawlCommented:
@bryon - I didn't catch that at first, LOL, he is saying the computer is not joined to the domain, but the users are using domain credentials. Yep that'll cause a problem. Still download and install ABE though and setup the security groups.
B HCommented:
the only way i can think to get this done is... like this.... but it's a lot of work...

1. set all workstations to static ip addresses, OR set them as reservations in dhcp, so they always get the same ip addresses
2. set the dhcp scope so that visitor machines get for example dot 200 thru dot 250
3. in the windows firewall of the server (yuck) allow netbios/fileprintersharing for the advanced exception of ONLY dot one thru dot 199, for example.

that way, anything not in the advanced-allow list of the server's windows firewall, will get denied the ability to even talk to the server by netbios / shares.
ConchCrawlCommented:
I would think the security groups would work, if you set it up based on user name and the apply ntfs permissions on folders with those security groups. Say create a security group called Visitors and put the users in there and remove them from other groups. Then only give that security group access to the folders they need. That should work, just fine? I would still install ABE.
iccavemanAuthor Commented:
Wow.  7 answers and no solutions.

ANY user can connect ANY computer and authenticate with their username and password.  We are looking for a way to STOP them from doing that based on the fact the the computer is not a member of the domain.

The non-domain computer needs to talk to a license server and nothing else.  it should have no access to user files on the server.

So, we need a way to strict access to the server based on the following conditions:

1. User has a valid username and password that they use for full access off a domain computer.
2. Same user will be connecting a non-domain computer and could enter that same username and passsword.
3. We need to keep the non-domain computer using same username and password from getting to files on the server.
SnowWolfCommented:
Have you tried to add the domain computer account and the domain user account in the security tab? And allow access. Remove everything else. Therefore, only if domain user and domain computer, it will connect to that folder.

If that computer account isnt connecting, it should deny access.


folder properties > Security > add > (then object types) > Put the tick in computers, then add allowed computers
iccavemanAuthor Commented:
TO: SnowWolf.  

Have you tried this?  Does it really do what I want?
ConchCrawlCommented:
@snowwolf - the problem is that these computers are not joined to the domain only the user account, based on previous comments.
B HCommented:
iccaveman:  sorry but the ACCESS to the server follows the provided USERNAME and associated password... not the computer.

the only way to make it not reachable is to block the entire non-domain computer from accessing the server at all, which is outside of your scope of desire.

if they provide a valid username and password, they get their access, period.
iccavemanAuthor Commented:
bryon44035v3:  How would you block all non-domain computers?
B HCommented:
in my comment #30546731 above is how i would, in combination with securing physical access to the servers, switches and ethernet jacks
ConchCrawlCommented:
I would either use the security groups as was mentioned before or put them on a separate lan.
My question is why even have them authenticate to the domain if you don't want them to have access to the domain?
B HCommented:
i wish there were a security group like "non domain computers", you could simply set DENY on stuff for that, deny always overrides allow... but.. there's no such group.  no "and everything else goes here"
ConchCrawlCommented:
@bryon - yep understood, I was thinking that putting the users in their own security group and restricting ntfs permissions would do the trick. Maybe not, but my thinking was it shouldn't be no different than a user connecting through a vpn from home and restricting the user access, please elaborate if I'm missing something, which of course is always possible :-).
B HCommented:
well, if "joe" has access to "shared"... and he connects from a domain computer, great, there's your stuff joe.
if he connects via a vpn, with "joe" as the username, he still sees shared.
if he connects from a copy machine with "joe" as the username, he still sees shared.
if he connects from any SMB-enabled device at all, with "joe" as the username, he still sees shared.

if you restrict "joe" so he cannot access "shared" via ntfs permissions, he cannot get to shared from any of the above (including normal domain office computers)

now - for the vpn, if you specify the vpn to hand out a certain range of known ip addresses, you can specify DENY on those ip addresses... same with a known range of dhcp addresses.

bottom line ends up being, to keep your stuff secured from visitors, put visitors on their own network.
ConchCrawlCommented:
Which is why a separate lan would work :^), like I do with people who I only want to give internet access to.
B HCommented:
problem is, he wants them to be able to access a licensing server on one of the domain servers, which i assume runs by fileshares and not a tcpip service we could firewall down for
iccavemanAuthor Commented:
It appears that there is no solution
B HCommented:
objection:

there were solutions to keeping non domain computers off the domain servers.

the requirement was to keep non domain computers off domain servers (shares) WHILE still allowing access for licensing software, based on authenticating with a DOMAIN USERNAME and password.  

that isn't possible because you get the access for which you authenticate.  if you authenticate as a user WHO HAS ACCESS to file shares, you will see those file shares, period.  

just because you didnt get the answer you wanted, doesn't mean you should just give up and accept your own non-answer.  a lot of people put in a lot of effort here, the answer is, you cant.

if you were willing to modify your requirements, we can work with that... but based on your stated objective, it's not possible

you either keep them all separated physically (vlans), or you let them use different usernames such as visitor.

there is no way to say "domain\user has access to all these things but only if he's on a domain workstation"
iccavemanAuthor Commented:
So, you agree, there is no solution to the problem?
B HCommented:
the solution to your question is, you cant.

the symptoms you experience and in this case call 'the problem', are by design of windows file sharing.  if you authenticate, you get what your authenticated username is allowed to get.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
iccavemanAuthor Commented:
I suspect the Symantec firewall would do what I want, but I am not willing to install it and all the problems that come with it. Nobody has offered a solution to the problem I posted.  There were a lot of interesting ideas, some interesting discussions, but no solution to the problem I needed solved.

If it is the policy of this web site to award points when no solution is provided, then points need to be awarded.  Someone else will need to determine how many points to award and who to award them to.  I will not object to whatever decision is made on how to award points.  If others disagee and want to object, they can.  I am done with this question.
iccavemanAuthor Commented:
What part of:

"If it is the policy of this web site to award points when no solution is provided, then points need to be awarded.  Someone else will need to determine how many points to award and who to award them to.  I will not object to whatever decision is made on how to award points.  If others disagee and want to object, they can.  I am done with this question."

don't you understand?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.