Solved

Blocking computer from domain

Posted on 2011-05-11
Last Modified: 2012-05-11
Is there any way, using domain tools, to block a specific computer on our domain from having any access to resources on our network while at the same time allowing the rest of the network access to this computer?  The reason for this would be to prevent any type of malicious activity on that computer from affecting the rest of our network.  The domain is a Server 2003 and the computer in question is also a Server 2003 OS.
Question by:rivkamak
 
Expert Comment by: every1isevil2 (LVL 4), ID: 35742459
there are multiple ways of doing this.

put the server in a subdomain and create a 1 way trust. sub.domain.com will trust domain.com but domain.com will not trust sub.domain.com
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/6337e21c-4aa0-47d3-825d-d7c26f3de463/

or you can create a new tree root with the other server and set up a 1 way transitive trust
http://technet.microsoft.com/en-us/library/cc739693(WS.10).aspx

Expert Comment by: spiderwilk007 (LVL 8), ID: 35742474
I would just do this using ACLs on the switch port of the computer in question or set a rule in the firewall to allow only one way traffic to the specific IP address. What kind of switches/firewall do you use?

Expert Comment by: Adam Brown (LVL 43), ID: 35743932
Probably the best way to do this with Group Policy is to configure some firewall rules to block outgoing traffic on your LAN from that computer, but allow incoming traffic. http://technet.microsoft.com/en-us/library/bb490626.aspx has some information on how to accomplish this.

Expert Comment by: ActiveDirectoryman (LVL 8), ID: 35748027
is anyone logging into or using this computer? If not, then you set up login restrictions or, better yet, disable the computer account. I have worked in one of the most secure environments in the world and what we did when someone went on travel for longer than a month was to disable their computer account; that way no one could even log in to the computer.

Expert Comment by: pwindell (LVL 29), ID: 35748226
Well I think the idea itself at its "root" is the wrong approach. "Computers" shouldn't be the focus,...it should be Users. It is humans that you have to prevent from accessing some things,...not computers.

You can monkey around with OUs, trusts, GPOs,...just name your favorite AD "toy" to play with,..and it won't matter. You can take a machine that is not even a domain member at all to begin with, which isn't going to be affected by any of those AD "toys" I mentioned, and access practically anything you want if you have the right user credentials.

You have to control access at the user level to begin with and not worry about "which machine" they are using,...or you are going to have to separate the machine at the network level (mainly Layer3&4) from the "protected" resources.

Expert Comment by: ActiveDirectoryman (LVL 8), ID: 35748248
I have worked on the most secure Enterprise network in the world with over 700,000 users. We used the practice that I mentioned earlier since the network's inception when we only had 200 users, so I think my point is valid given the circumstances. I agree that there are other ways.

Expert Comment by: pwindell (LVL 29), ID: 35748251
"...longer than a month was to disable their computer account; that way no one could even log in to the computer."

That one is pretty easy to get around. You log into the machine with a Local Account, then any Domain Resources will cause a popup asking for credentials. You give it domain level credentials that satisfy it and you will have access.

As far as getting on the local machine itself,...you just unplug the network cable,...log in with the cached domain account,...plug the network cable back in.

Expert Comment by: pwindell (LVL 29), ID: 35748263
I'm not trying to diminish your security measures,...I'm dealing with the specific situation the OP is in.

Author Comment by: rivkamak, ID: 35748723
The reason I am trying to do this setup is because I want this server in question to be our FTP server. Therefore, I want our local users to have access to the folders on the FTP server and I obviously want outside users to have access to the FTP folders. At the same time I am trying to protect the rest of our network from the possibility of someone dropping something into this computer. That is why I want the one way access and that is why I am looking to do things based on the computer, not the user. We have a Sonicwall NSA 2400 as our firewall.

Expert Comment by: ActiveDirectoryman (LVL 8), ID: 35748831
If he wants total isolation of the resource but wants to limit who has access to it, then the only logical way to do that is to create a separate resource forest and enable selective authentication so that only certain people can access the resource, which would be the server OS. What types of resources are on the server computer that people need to have access to? Is this resource a file server? Print server? I think we need to understand what it is we are restricting access to. I think it would make it more clear as to what would be more appropriate.

Expert Comment by: pwindell (LVL 29), ID: 35749010
Ok. Good, that does help clarify things.

Here's the way I approach FTP,...you are free to ignore me and do what you want,...but this is what I do:

Have a separate drive or partition for the contents of the "FTP Site". The most common thing that happens with them is they are attacked by "robot" applications that bomb them with dictionary words for both the username and the password and also test for anonymous/guest write access. Once they gain write access they basically use you for storage of "warez", porn, etc,... and bury them in deep folder structures using folder names that are "illegal" in Windows (but the FTP Service still recognizes). This keeps you from being able to delete them. So having a dedicated Partition or Drive allows you to fix the situation by backing up or moving the "good" files,...reformat the partition,...and put the files back. If you use a quality Backup Product then it will retain the NTFS Permissions to save you from rebuilding them.

For the accounts that access the FTP storage it is safer to use Local Accounts on the FTP Server (meaning it cannot be a DC). Make sure they are using long complex passwords that are not subject to dictionary attacks (meaning they are not "real" words), and it is not a bad idea to do the same with the account names,...remember there is no law that says accounts names cannot be random numbers and letters just like the passwords.

If you are forced to use Domain Accounts then make sure they use very long and complex passwords.  The length defends against brute force attacks and the complexity defends against dictionary attacks (aka "guessing")

The FTP Service is not a remote control or a remote administration tool,...so pretty much no matter what someone does to the FTP Service,...it is not going to give them access to the rest of the domain's machines. Even if they were to find a way to get in under the OS through the FTP Service, the machine's Domain Membership (or lack thereof) with whatever AD obstacles you try to throw in is not going to matter at that level.

People often worry about FTP's lack of credentials encryption (clear text),...but that is not such a big problem.  A hacker has to either get access to the FTP Logs on the FTP Server (where you can directly read them) or has to physically get into a position to run a sniffer on the traffic, which is very difficult to do and next to impossible on a Switched network.  On a Switched network he would have to gain credentials for your switches first,..telnet into them,...and set the Monitored Port (while knowing which switch port the FTP Server is plugged into) and the Monitoring Port that he has physical access to plug a listening device into.  Or he would have to be inside your ISP's facility and have similar obstacles to overcome there.   That is the difference between hacking in TV and Hollywood Movies and hacking in the real world.
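The "robot" dictionary attacks and anonymous write probing described in the comment above are visible in the FTP server's own logs before anything else. As an added example (not from the thread or from any of its participants), here is a small Python check over constructed IIS/W3C-style FTP log lines that flags client IPs cycling through usernames with failed logins, and any successful upload by the anonymous account; the field layout, the `[connection-id]` prefix and the thresholds are assumptions.

```python
"""Flag FTP brute-force "robots" and anonymous write access in FTP log lines.
Constructed example: simplified IIS/W3C-style fields (date time c-ip cs-username
cs-method cs-uri-stem sc-status), with IIS's [connection-id] prefix on the method."""
from collections import defaultdict
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2011-05-11 10:00:01 203.0.113.5 - [1]USER admin 331
2011-05-11 10:00:01 203.0.113.5 admin [1]PASS - 530
2011-05-11 10:00:02 203.0.113.5 - [1]USER root 331
2011-05-11 10:00:02 203.0.113.5 root [1]PASS - 530
2011-05-11 10:00:03 203.0.113.5 - [1]USER test 331
2011-05-11 10:00:03 203.0.113.5 test [1]PASS - 530
2011-05-11 10:00:04 203.0.113.5 - [1]USER ftp 331
2011-05-11 10:00:04 203.0.113.5 ftp [1]PASS - 530
2011-05-11 10:05:00 198.51.100.9 - [2]USER anonymous 331
2011-05-11 10:05:00 198.51.100.9 anonymous [2]PASS - 230
2011-05-11 10:05:01 198.51.100.9 anonymous [2]created /pub/.../incoming/x.zip 226
2011-05-11 10:06:00 192.0.2.7 - [3]USER k7q2x9 331
2011-05-11 10:06:00 192.0.2.7 k7q2x9 [3]PASS - 230
"""

FAILED_LOGIN = "530"                        # FTP reply code: not logged in
WRITE_METHODS = {"created", "STOR", "MKD"}  # IIS logs uploads as "created"; STOR/MKD assumed for other servers

def analyze(log_text, fail_threshold=4, user_threshold=3):
    """Per client IP: brute_force = enough failed PASS commands spread over several usernames;
    anonymous_write = successful uploads by the anonymous account. Thresholds are assumptions."""
    fails, users, anon_writes = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#"):
            continue                          # header, blank or malformed line: skip, don't crash
        _date, _time, ip, user, method, _uri, status = parts[:7]
        method = method.split("]", 1)[-1]     # strip the [connection-id] prefix
        if method == "PASS" and status == FAILED_LOGIN:
            fails[ip] += 1
            users[ip].add(user)               # distinct usernames tried = dictionary-style robot
        elif method in WRITE_METHODS and user.lower() == "anonymous" and status.startswith("2"):
            anon_writes[ip] += 1
    findings = {}
    for ip in set(fails) | set(anon_writes):
        hit = {}
        if fails[ip] >= fail_threshold and len(users[ip]) >= user_threshold:
            hit["brute_force"] = {"failures": fails[ip], "usernames": sorted(users[ip])}
        if anon_writes[ip]:
            hit["anonymous_write"] = anon_writes[ip]
        if hit:
            findings[ip] = hit
    return findings
```

On the constructed sample, `analyze(SAMPLE_LOG)` reports 203.0.113.5 as a brute-force source and 198.51.100.9 for an anonymous upload, while the legitimate random-name account from 192.0.2.7 is not flagged.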
 
Expert Comment by: pwindell (LVL 29), ID: 35749099
"If he wants total isolation of the resource but wants to limit who has access to it then the only logical way to do that is to create a separate resource forest and enable selective authentication so that only certain people can access the resource which would be the server OS."

Looks like we are writing and posting at the same time  :-)

Yea, that would provide limits but you still won't be able to deal with accessing from machines/devices that aren't domain members to start with,...such as Linux on a Laptop,..or a MAC (which is just linux now anyway),...or heck, with virtualization it can be a VM running off a thumb drive where you plug it into any machine nearby and "go for it",...or a BartPE CD with the right network drivers on it..

Author Comment by: rivkamak, ID: 35749299
I was thinking of using an external USB drive.  Besides for its features would using an FTP server software such as WinFTP be better for this application from a security standpoint than the native windows FTP server?

Accepted Solution by: pwindell (LVL 29), earned 1000 total points, ID: 35749399
There is nothing wrong with the Windows Native FTP Service.   Using the thumb drive is a good idea but the FTP Service might "flip out" if the thumbdrive is not there 100% of the time or if the thumbdrive's drive letter changes.

We use a thumbdrive with FTP to accept video and graphic material from clients (we're a TV station,...http://www.wandtv.com) but I do it with a Linksys NAS that has the USB slots in the back of it and has its own built in FTP Service. Then if anything gets trashed it is just a thumb drive or at worst the NAS,..but the LAN is safe.

BTW - the NAS can and does operate on a Windows Network but is not a "domain member" and runs with local internal accounts that you create in it.

Linksys NAS200
http://www.linksysbycisco.com/APAC/en/products/NAS200