Jump to content

How to prevent users on unauthorized machines from w2k3 files

Guest Scott

By Guest Scott
in Windows 2003 Server

 Share

Recommended Posts

Guest Scott

Guest Scott

Posted
Posted

I want to prevent a user from accessing the fileshare if they come from an

unauthorized machine.

As of now, if Joe User brings in his personal laptop and plugs it into the

network, and tries to access a Windows 2003 file share, it prompts them for

username/password. If they enter their AD uname/pw, they can gain access.

 

How can I prevent authorized users on unauthorized machines from gaining

access to W2K3 file shares?

  • Replies 16
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Hello Scott,

 

You can use Option classes with DHCP:

http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-4120-bfc4-193816ea4a6d1033.mspx?mfr=true

 

Also a way is, if you have manageble switches that only allows specified

mac addresses.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> I want to prevent a user from accessing the fileshare if they come

> from an

> unauthorized machine.

> As of now, if Joe User brings in his personal laptop and plugs it into

> the

> network, and tries to access a Windows 2003 file share, it prompts

> them for

> username/password. If they enter their AD uname/pw, they can gain

> access.

> How can I prevent authorized users on unauthorized machines from

> gaining access to W2K3 file shares?

>

Guest Scott

Guest Scott

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

I don't quite understand how this resolves my issue.

I don't want ANY machine that gets a DHCP address to be verified to access

the file share.

I want ONLY AD bound machines with valid AD username/password to be able to

access the file share.

Thanks,

-Scott

 

"Meinolf Weber" wrote:

> Hello Scott,

>

> You can use Option classes with DHCP:

> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-4120-bfc4-193816ea4a6d1033.mspx?mfr=true

>

> Also a way is, if you have manageble switches that only allows specified

> mac addresses.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>

> > I want to prevent a user from accessing the fileshare if they come

> > from an

> > unauthorized machine.

> > As of now, if Joe User brings in his personal laptop and plugs it into

> > the

> > network, and tries to access a Windows 2003 file share, it prompts

> > them for

> > username/password. If they enter their AD uname/pw, they can gain

> > access.

> > How can I prevent authorized users on unauthorized machines from

> > gaining access to W2K3 file shares?

> >

>

>

>

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Hello Scott,

 

This will prevent the machines to get an ip address from your domain dhcp

and access the network.

 

Also you can use IPSec configuration, maybe thats more what you are looking

for:

http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

 

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> I don't quite understand how this resolves my issue.

> I don't want ANY machine that gets a DHCP address to be verified to

> access

> the file share.

> I want ONLY AD bound machines with valid AD username/password to be

> able to

> access the file share.

> Thanks,

> -Scott

> "Meinolf Weber" wrote:

>

>> Hello Scott,

>>

>> You can use Option classes with DHCP:

>> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

>> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

>> Also a way is, if you have manageble switches that only allows

>> specified mac addresses.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>> ** Please do NOT email, only reply to Newsgroups

>> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>>> I want to prevent a user from accessing the fileshare if they come

>>> from an

>>> unauthorized machine.

>>> As of now, if Joe User brings in his personal laptop and plugs it

>>> into

>>> the

>>> network, and tries to access a Windows 2003 file share, it prompts

>>> them for

>>> username/password. If they enter their AD uname/pw, they can gain

>>> access.

>>> How can I prevent authorized users on unauthorized machines from

>>> gaining access to W2K3 file shares?

Guest Scott

Guest Scott

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

OK, that is for DHCP then....

What about the user who brings in their personal laptop, plugs it in, and

manually assigns the machine an IP? How can I prevent that machine from

accessing the file share?

 

"Meinolf Weber" wrote:

> Hello Scott,

>

> This will prevent the machines to get an ip address from your domain dhcp

> and access the network.

>

> Also you can use IPSec configuration, maybe thats more what you are looking

> for:

> http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

>

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>

> > I don't quite understand how this resolves my issue.

> > I don't want ANY machine that gets a DHCP address to be verified to

> > access

> > the file share.

> > I want ONLY AD bound machines with valid AD username/password to be

> > able to

> > access the file share.

> > Thanks,

> > -Scott

> > "Meinolf Weber" wrote:

> >

> >> Hello Scott,

> >>

> >> You can use Option classes with DHCP:

> >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

> >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

> >> Also a way is, if you have manageble switches that only allows

> >> specified mac addresses.

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >> ** Please do NOT email, only reply to Newsgroups

> >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> >>> I want to prevent a user from accessing the fileshare if they come

> >>> from an

> >>> unauthorized machine.

> >>> As of now, if Joe User brings in his personal laptop and plugs it

> >>> into

> >>> the

> >>> network, and tries to access a Windows 2003 file share, it prompts

> >>> them for

> >>> username/password. If they enter their AD uname/pw, they can gain

> >>> access.

> >>> How can I prevent authorized users on unauthorized machines from

> >>> gaining access to W2K3 file shares?

>

>

>

Guest 6stemD

Guest 6stemD

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Hi Scott,

 

I thinks the best security for deny access for a personal computer or other

computer is to use a manageable Switch with level 2 security minimum, now

there is lot of switch with the function "smart web manageable switch" like

Netgear or Dlink (very low cost) and you can put all the mac adress of the

computers and printers bla bla bla of your network. So when a user go to the

office with his personal computer and plug the network cable, he can't access

of the network or internet or files because is MAC adress was not in the

Switch. You can olso use this security for Wifi Access point.

 

Have Fun

--

best regard

 

 

"Scott" wrote:

> OK, that is for DHCP then....

> What about the user who brings in their personal laptop, plugs it in, and

> manually assigns the machine an IP? How can I prevent that machine from

> accessing the file share?

>

> "Meinolf Weber" wrote:

>

> > Hello Scott,

> >

> > This will prevent the machines to get an ip address from your domain dhcp

> > and access the network.

> >

> > Also you can use IPSec configuration, maybe thats more what you are looking

> > for:

> > http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

> >

> >

> > Best regards

> >

> > Meinolf Weber

> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> > no rights.

> > ** Please do NOT email, only reply to Newsgroups

> > ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> >

> > > I don't quite understand how this resolves my issue.

> > > I don't want ANY machine that gets a DHCP address to be verified to

> > > access

> > > the file share.

> > > I want ONLY AD bound machines with valid AD username/password to be

> > > able to

> > > access the file share.

> > > Thanks,

> > > -Scott

> > > "Meinolf Weber" wrote:

> > >

> > >> Hello Scott,

> > >>

> > >> You can use Option classes with DHCP:

> > >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

> > >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

> > >> Also a way is, if you have manageble switches that only allows

> > >> specified mac addresses.

> > >>

> > >> Best regards

> > >>

> > >> Meinolf Weber

> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> > >> confers

> > >> no rights.

> > >> ** Please do NOT email, only reply to Newsgroups

> > >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> > >>> I want to prevent a user from accessing the fileshare if they come

> > >>> from an

> > >>> unauthorized machine.

> > >>> As of now, if Joe User brings in his personal laptop and plugs it

> > >>> into

> > >>> the

> > >>> network, and tries to access a Windows 2003 file share, it prompts

> > >>> them for

> > >>> username/password. If they enter their AD uname/pw, they can gain

> > >>> access.

> > >>> How can I prevent authorized users on unauthorized machines from

> > >>> gaining access to W2K3 file shares?

> >

> >

> >

Guest SBS Rocker

Guest SBS Rocker

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

I'm trying to understand you're reasoning behind this request. If you grant

a user access to a fileshare then what is your reasoning behind whether or

not they use a company pc or their laptop? Can't be security because you

have granted them access. Perhaps you're afraid of a virus outbreak not

knowing if their personal laptop has the proper virus protection but then

again why you ask about how to prevent them from accessing a fileshare? Just

curious and not trying to offend or disrespect your request.

 

 

"Scott" <Scott@discussions.microsoft.com> wrote in message

news:91A2806E-F36D-46BA-BF24-7FEF5CBE2A59@microsoft.com...

> OK, that is for DHCP then....

> What about the user who brings in their personal laptop, plugs it in, and

> manually assigns the machine an IP? How can I prevent that machine from

> accessing the file share?

>

> "Meinolf Weber" wrote:

>

>> Hello Scott,

>>

>> This will prevent the machines to get an ip address from your domain dhcp

>> and access the network.

>>

>> Also you can use IPSec configuration, maybe thats more what you are

>> looking

>> for:

>> http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

>>

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>> ** Please do NOT email, only reply to Newsgroups

>> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>>

>> > I don't quite understand how this resolves my issue.

>> > I don't want ANY machine that gets a DHCP address to be verified to

>> > access

>> > the file share.

>> > I want ONLY AD bound machines with valid AD username/password to be

>> > able to

>> > access the file share.

>> > Thanks,

>> > -Scott

>> > "Meinolf Weber" wrote:

>> >

>> >> Hello Scott,

>> >>

>> >> You can use Option classes with DHCP:

>> >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

>> >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

>> >> Also a way is, if you have manageble switches that only allows

>> >> specified mac addresses.

>> >>

>> >> Best regards

>> >>

>> >> Meinolf Weber

>> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> >> confers

>> >> no rights.

>> >> ** Please do NOT email, only reply to Newsgroups

>> >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>> >>> I want to prevent a user from accessing the fileshare if they come

>> >>> from an

>> >>> unauthorized machine.

>> >>> As of now, if Joe User brings in his personal laptop and plugs it

>> >>> into

>> >>> the

>> >>> network, and tries to access a Windows 2003 file share, it prompts

>> >>> them for

>> >>> username/password. If they enter their AD uname/pw, they can gain

>> >>> access.

>> >>> How can I prevent authorized users on unauthorized machines from

>> >>> gaining access to W2K3 file shares?

>>

>>

>>

Guest Scott

Guest Scott

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Not with 100+ MACs.....

 

"6stemD" wrote:

> Hi Scott,

>

> I thinks the best security for deny access for a personal computer or other

> computer is to use a manageable Switch with level 2 security minimum, now

> there is lot of switch with the function "smart web manageable switch" like

> Netgear or Dlink (very low cost) and you can put all the mac adress of the

> computers and printers bla bla bla of your network. So when a user go to the

> office with his personal computer and plug the network cable, he can't access

> of the network or internet or files because is MAC adress was not in the

> Switch. You can olso use this security for Wifi Access point.

>

> Have Fun

> --

> best regard

>

>

> "Scott" wrote:

>

> > OK, that is for DHCP then....

> > What about the user who brings in their personal laptop, plugs it in, and

> > manually assigns the machine an IP? How can I prevent that machine from

> > accessing the file share?

> >

> > "Meinolf Weber" wrote:

> >

> > > Hello Scott,

> > >

> > > This will prevent the machines to get an ip address from your domain dhcp

> > > and access the network.

> > >

> > > Also you can use IPSec configuration, maybe thats more what you are looking

> > > for:

> > > http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

> > >

> > >

> > > Best regards

> > >

> > > Meinolf Weber

> > > Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> > > no rights.

> > > ** Please do NOT email, only reply to Newsgroups

> > > ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> > >

> > > > I don't quite understand how this resolves my issue.

> > > > I don't want ANY machine that gets a DHCP address to be verified to

> > > > access

> > > > the file share.

> > > > I want ONLY AD bound machines with valid AD username/password to be

> > > > able to

> > > > access the file share.

> > > > Thanks,

> > > > -Scott

> > > > "Meinolf Weber" wrote:

> > > >

> > > >> Hello Scott,

> > > >>

> > > >> You can use Option classes with DHCP:

> > > >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

> > > >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

> > > >> Also a way is, if you have manageble switches that only allows

> > > >> specified mac addresses.

> > > >>

> > > >> Best regards

> > > >>

> > > >> Meinolf Weber

> > > >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> > > >> confers

> > > >> no rights.

> > > >> ** Please do NOT email, only reply to Newsgroups

> > > >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> > > >>> I want to prevent a user from accessing the fileshare if they come

> > > >>> from an

> > > >>> unauthorized machine.

> > > >>> As of now, if Joe User brings in his personal laptop and plugs it

> > > >>> into

> > > >>> the

> > > >>> network, and tries to access a Windows 2003 file share, it prompts

> > > >>> them for

> > > >>> username/password. If they enter their AD uname/pw, they can gain

> > > >>> access.

> > > >>> How can I prevent authorized users on unauthorized machines from

> > > >>> gaining access to W2K3 file shares?

> > >

> > >

> > >

Guest Scott

Guest Scott

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Not offended at all!

The user has rights to access the data on a machine provided to them by us.

They cannot attach a USB drive, burn a CD, or FTP/email out information

without it being flagged/stopped.

 

So I was asked "What if Joe User brings in his home laptop?"

If a user does, and copies the IP settings from their corporate desktop,

then plugs in their laptop into the same wire and attempts to access a

Windows file share, they are prompted for a username and password. Since they

are a user with valid credentials, they can access the data and

hypothetically copy it and remove it from the building without us knowing.

 

Is that clearer?

-Scott

 

 

"SBS Rocker" wrote:

> I'm trying to understand you're reasoning behind this request. If you grant

> a user access to a fileshare then what is your reasoning behind whether or

> not they use a company pc or their laptop? Can't be security because you

> have granted them access. Perhaps you're afraid of a virus outbreak not

> knowing if their personal laptop has the proper virus protection but then

> again why you ask about how to prevent them from accessing a fileshare? Just

> curious and not trying to offend or disrespect your request.

>

>

> "Scott" <Scott@discussions.microsoft.com> wrote in message

> news:91A2806E-F36D-46BA-BF24-7FEF5CBE2A59@microsoft.com...

> > OK, that is for DHCP then....

> > What about the user who brings in their personal laptop, plugs it in, and

> > manually assigns the machine an IP? How can I prevent that machine from

> > accessing the file share?

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Scott,

> >>

> >> This will prevent the machines to get an ip address from your domain dhcp

> >> and access the network.

> >>

> >> Also you can use IPSec configuration, maybe thats more what you are

> >> looking

> >> for:

> >> http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

> >>

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >> ** Please do NOT email, only reply to Newsgroups

> >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> >>

> >> > I don't quite understand how this resolves my issue.

> >> > I don't want ANY machine that gets a DHCP address to be verified to

> >> > access

> >> > the file share.

> >> > I want ONLY AD bound machines with valid AD username/password to be

> >> > able to

> >> > access the file share.

> >> > Thanks,

> >> > -Scott

> >> > "Meinolf Weber" wrote:

> >> >

> >> >> Hello Scott,

> >> >>

> >> >> You can use Option classes with DHCP:

> >> >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

> >> >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

> >> >> Also a way is, if you have manageble switches that only allows

> >> >> specified mac addresses.

> >> >>

> >> >> Best regards

> >> >>

> >> >> Meinolf Weber

> >> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> >> confers

> >> >> no rights.

> >> >> ** Please do NOT email, only reply to Newsgroups

> >> >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> >> >>> I want to prevent a user from accessing the fileshare if they come

> >> >>> from an

> >> >>> unauthorized machine.

> >> >>> As of now, if Joe User brings in his personal laptop and plugs it

> >> >>> into

> >> >>> the

> >> >>> network, and tries to access a Windows 2003 file share, it prompts

> >> >>> them for

> >> >>> username/password. If they enter their AD uname/pw, they can gain

> >> >>> access.

> >> >>> How can I prevent authorized users on unauthorized machines from

> >> >>> gaining access to W2K3 file shares?

> >>

> >>

> >>

>

>

>

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Hello Scott,

 

Then i think IPSec is really your solution, it secures the communication

inside your domain between the servers and clients that have the right configuration.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> Not offended at all!

> The user has rights to access the data on a machine provided to them

> by us.

> They cannot attach a USB drive, burn a CD, or FTP/email out

> information

> without it being flagged/stopped.

> So I was asked "What if Joe User brings in his home laptop?" If a user

> does, and copies the IP settings from their corporate desktop, then

> plugs in their laptop into the same wire and attempts to access a

> Windows file share, they are prompted for a username and password.

> Since they are a user with valid credentials, they can access the data

> and hypothetically copy it and remove it from the building without us

> knowing.

>

> Is that clearer?

> -Scott

> "SBS Rocker" wrote:

>

>> I'm trying to understand you're reasoning behind this request. If you

>> grant a user access to a fileshare then what is your reasoning behind

>> whether or not they use a company pc or their laptop? Can't be

>> security because you have granted them access. Perhaps you're afraid

>> of a virus outbreak not knowing if their personal laptop has the

>> proper virus protection but then again why you ask about how to

>> prevent them from accessing a fileshare? Just curious and not trying

>> to offend or disrespect your request.

>>

>> "Scott" <Scott@discussions.microsoft.com> wrote in message

>> news:91A2806E-F36D-46BA-BF24-7FEF5CBE2A59@microsoft.com...

>>

>>> OK, that is for DHCP then....

>>> What about the user who brings in their personal laptop, plugs it

>>> in, and

>>> manually assigns the machine an IP? How can I prevent that machine

>>> from

>>> accessing the file share?

>>> "Meinolf Weber" wrote:

>>>

>>>> Hello Scott,

>>>>

>>>> This will prevent the machines to get an ip address from your

>>>> domain dhcp and access the network.

>>>>

>>>> Also you can use IPSec configuration, maybe thats more what you are

>>>>

>>>> looking

>>>>

>>>> for:

>>>>

>>>> http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7

>>>> CF7-48B5-A820-B881F63BC005&displaylang=en

>>>>

>>>> Best regards

>>>>

>>>> Meinolf Weber

>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>> and

>>>> confers

>>>> no rights.

>>>> ** Please do NOT email, only reply to Newsgroups

>>>> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>>>>> I don't quite understand how this resolves my issue.

>>>>> I don't want ANY machine that gets a DHCP address to be verified

>>>>> to

>>>>> access

>>>>> the file share.

>>>>> I want ONLY AD bound machines with valid AD username/password to

>>>>> be

>>>>> able to

>>>>> access the file share.

>>>>> Thanks,

>>>>> -Scott

>>>>> "Meinolf Weber" wrote:

>>>>>> Hello Scott,

>>>>>>

>>>>>> You can use Option classes with DHCP:

>>>>>> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b

>>>>>> 75f-

>>>>>> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

>>>>>> Also a way is, if you have manageble switches that only allows

>>>>>> specified mac addresses.

>>>>>> Best regards

>>>>>>

>>>>>> Meinolf Weber

>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>>>> and

>>>>>> confers

>>>>>> no rights.

>>>>>> ** Please do NOT email, only reply to Newsgroups

>>>>>> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>>>>>>> I want to prevent a user from accessing the fileshare if they

>>>>>>> come

>>>>>>> from an

>>>>>>> unauthorized machine.

>>>>>>> As of now, if Joe User brings in his personal laptop and plugs

>>>>>>> it

>>>>>>> into

>>>>>>> the

>>>>>>> network, and tries to access a Windows 2003 file share, it

>>>>>>> prompts

>>>>>>> them for

>>>>>>> username/password. If they enter their AD uname/pw, they can

>>>>>>> gain

>>>>>>> access.

>>>>>>> How can I prevent authorized users on unauthorized machines from

>>>>>>> gaining access to W2K3 file shares?

Guest SBS Rocker

Guest SBS Rocker

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

Much clearer because I was thinking what is to stop them from burning,

emailing or attaching a USB device to copy the data and taking it home. You

explained it very well. Not that I have any resolutions for you other than

I've worked in companies where it was against "policies" for an employee to

bring their personal laptop to work without written permission from their

manager and the consequences we're severe if they were caught.

 

"Scott" <Scott@discussions.microsoft.com> wrote in message

news:90F8F9C8-D660-47E2-AB88-F5F5EEA2FF92@microsoft.com...

> Not offended at all!

> The user has rights to access the data on a machine provided to them by

> us.

> They cannot attach a USB drive, burn a CD, or FTP/email out information

> without it being flagged/stopped.

>

> So I was asked "What if Joe User brings in his home laptop?"

> If a user does, and copies the IP settings from their corporate desktop,

> then plugs in their laptop into the same wire and attempts to access a

> Windows file share, they are prompted for a username and password. Since

> they

> are a user with valid credentials, they can access the data and

> hypothetically copy it and remove it from the building without us knowing.

>

> Is that clearer?

> -Scott

>

>

> "SBS Rocker" wrote:

>

>> I'm trying to understand you're reasoning behind this request. If you

>> grant

>> a user access to a fileshare then what is your reasoning behind whether

>> or

>> not they use a company pc or their laptop? Can't be security because you

>> have granted them access. Perhaps you're afraid of a virus outbreak not

>> knowing if their personal laptop has the proper virus protection but then

>> again why you ask about how to prevent them from accessing a fileshare?

>> Just

>> curious and not trying to offend or disrespect your request.

>>

>>

>> "Scott" <Scott@discussions.microsoft.com> wrote in message

>> news:91A2806E-F36D-46BA-BF24-7FEF5CBE2A59@microsoft.com...

>> > OK, that is for DHCP then....

>> > What about the user who brings in their personal laptop, plugs it in,

>> > and

>> > manually assigns the machine an IP? How can I prevent that machine from

>> > accessing the file share?

>> >

>> > "Meinolf Weber" wrote:

>> >

>> >> Hello Scott,

>> >>

>> >> This will prevent the machines to get an ip address from your domain

>> >> dhcp

>> >> and access the network.

>> >>

>> >> Also you can use IPSec configuration, maybe thats more what you are

>> >> looking

>> >> for:

>> >> http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

>> >>

>> >>

>> >> Best regards

>> >>

>> >> Meinolf Weber

>> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> >> confers

>> >> no rights.

>> >> ** Please do NOT email, only reply to Newsgroups

>> >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>> >>

>> >> > I don't quite understand how this resolves my issue.

>> >> > I don't want ANY machine that gets a DHCP address to be verified to

>> >> > access

>> >> > the file share.

>> >> > I want ONLY AD bound machines with valid AD username/password to be

>> >> > able to

>> >> > access the file share.

>> >> > Thanks,

>> >> > -Scott

>> >> > "Meinolf Weber" wrote:

>> >> >

>> >> >> Hello Scott,

>> >> >>

>> >> >> You can use Option classes with DHCP:

>> >> >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

>> >> >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

>> >> >> Also a way is, if you have manageble switches that only allows

>> >> >> specified mac addresses.

>> >> >>

>> >> >> Best regards

>> >> >>

>> >> >> Meinolf Weber

>> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,

>> >> >> and

>> >> >> confers

>> >> >> no rights.

>> >> >> ** Please do NOT email, only reply to Newsgroups

>> >> >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

>> >> >>> I want to prevent a user from accessing the fileshare if they come

>> >> >>> from an

>> >> >>> unauthorized machine.

>> >> >>> As of now, if Joe User brings in his personal laptop and plugs it

>> >> >>> into

>> >> >>> the

>> >> >>> network, and tries to access a Windows 2003 file share, it prompts

>> >> >>> them for

>> >> >>> username/password. If they enter their AD uname/pw, they can gain

>> >> >>> access.

>> >> >>> How can I prevent authorized users on unauthorized machines from

>> >> >>> gaining access to W2K3 file shares?

>> >>

>> >>

>> >>

>>

>>

>>

Guest 6stemD

Guest 6stemD

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

OK Scott,

But if you wan't very strong security in your network, i think you can use a

diferrente method to logon on your network. You can use a policy with a

certificate autoenrollment at logon, so the personal laptop of the user can't

have the certificate and he can't use the files shares? Or you can use ISA

Server manage the security of the network, there a lot of policy to check if

the pc in the network was a business pc or a personal...

Or you can use a radius server and certificate, i use this policy to limit

the user and computer to access a wifi network, but i think you can use olso

this method for the computer in network strucure.

it's very hard and strong i you wan't use a secure network but not

impossible.

--

best regard

 

 

"Scott" wrote:

> Not with 100+ MACs.....

>

> "6stemD" wrote:

>

> > Hi Scott,

> >

> > I thinks the best security for deny access for a personal computer or other

> > computer is to use a manageable Switch with level 2 security minimum, now

> > there is lot of switch with the function "smart web manageable switch" like

> > Netgear or Dlink (very low cost) and you can put all the mac adress of the

> > computers and printers bla bla bla of your network. So when a user go to the

> > office with his personal computer and plug the network cable, he can't access

> > of the network or internet or files because is MAC adress was not in the

> > Switch. You can olso use this security for Wifi Access point.

> >

> > Have Fun

> > --

> > best regard

> >

> >

> > "Scott" wrote:

> >

> > > OK, that is for DHCP then....

> > > What about the user who brings in their personal laptop, plugs it in, and

> > > manually assigns the machine an IP? How can I prevent that machine from

> > > accessing the file share?

> > >

> > > "Meinolf Weber" wrote:

> > >

> > > > Hello Scott,

> > > >

> > > > This will prevent the machines to get an ip address from your domain dhcp

> > > > and access the network.

> > > >

> > > > Also you can use IPSec configuration, maybe thats more what you are looking

> > > > for:

> > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

> > > >

> > > >

> > > > Best regards

> > > >

> > > > Meinolf Weber

> > > > Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> > > > no rights.

> > > > ** Please do NOT email, only reply to Newsgroups

> > > > ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> > > >

> > > > > I don't quite understand how this resolves my issue.

> > > > > I don't want ANY machine that gets a DHCP address to be verified to

> > > > > access

> > > > > the file share.

> > > > > I want ONLY AD bound machines with valid AD username/password to be

> > > > > able to

> > > > > access the file share.

> > > > > Thanks,

> > > > > -Scott

> > > > > "Meinolf Weber" wrote:

> > > > >

> > > > >> Hello Scott,

> > > > >>

> > > > >> You can use Option classes with DHCP:

> > > > >> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-

> > > > >> 4120-bfc4-193816ea4a6d1033.mspx?mfr=true

> > > > >> Also a way is, if you have manageble switches that only allows

> > > > >> specified mac addresses.

> > > > >>

> > > > >> Best regards

> > > > >>

> > > > >> Meinolf Weber

> > > > >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> > > > >> confers

> > > > >> no rights.

> > > > >> ** Please do NOT email, only reply to Newsgroups

> > > > >> ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> > > > >>> I want to prevent a user from accessing the fileshare if they come

> > > > >>> from an

> > > > >>> unauthorized machine.

> > > > >>> As of now, if Joe User brings in his personal laptop and plugs it

> > > > >>> into

> > > > >>> the

> > > > >>> network, and tries to access a Windows 2003 file share, it prompts

> > > > >>> them for

> > > > >>> username/password. If they enter their AD uname/pw, they can gain

> > > > >>> access.

> > > > >>> How can I prevent authorized users on unauthorized machines from

> > > > >>> gaining access to W2K3 file shares?

> > > >

> > > >

> > > >

Guest NoConsequence

Guest NoConsequence

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

On Tue, 27 Nov 2007 13:24:01 -0800, Scott

<Scott@discussions.microsoft.com> wrote:

>I want to prevent a user from accessing the fileshare if they come from an

>unauthorized machine.

>As of now, if Joe User brings in his personal laptop and plugs it into the

>network, and tries to access a Windows 2003 file share, it prompts them for

>username/password. If they enter their AD uname/pw, they can gain access.

>

>How can I prevent authorized users on unauthorized machines from gaining

>access to W2K3 file shares?

 

I don't understand how they are getting logged onto your network using

their personal laptop to start with. It sounds as though you are in a

domain based LAN...

 

Their computer should not be joined to the domain, and you CAN set up

the domain so that it will not allow non-domain computers to access

the LAN and any resources therein. I've never been on a corporate

network where I could bring in my personal equipment and do this -

well, not entirely true, I COULD as a SysAdmin, but ordinary users

could not. I watched them try, fail, then call me for help only to

tell them why it wouldn't work and why we wouldn't allow them to do

it.

 

So it CAN be stopped - you just need to read up on how to do it.

Guest Scott

Guest Scott

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

I CAN read up -- I just can't find definitive articles with the steps!

Right now, non-domain machines will pop up a login box for the user when

attempting to access a file share. That is what I want to stop.

 

Do you have any articles? Can you point me to where I can read about this?

 

Thanks,

-Scott

 

"NoConsequence" wrote:

> On Tue, 27 Nov 2007 13:24:01 -0800, Scott

> <Scott@discussions.microsoft.com> wrote:

>

> >I want to prevent a user from accessing the fileshare if they come from an

> >unauthorized machine.

> >As of now, if Joe User brings in his personal laptop and plugs it into the

> >network, and tries to access a Windows 2003 file share, it prompts them for

> >username/password. If they enter their AD uname/pw, they can gain access.

> >

> >How can I prevent authorized users on unauthorized machines from gaining

> >access to W2K3 file shares?

>

> I don't understand how they are getting logged onto your network using

> their personal laptop to start with. It sounds as though you are in a

> domain based LAN...

>

> Their computer should not be joined to the domain, and you CAN set up

> the domain so that it will not allow non-domain computers to access

> the LAN and any resources therein. I've never been on a corporate

> network where I could bring in my personal equipment and do this -

> well, not entirely true, I COULD as a SysAdmin, but ordinary users

> could not. I watched them try, fail, then call me for help only to

> tell them why it wouldn't work and why we wouldn't allow them to do

> it.

>

> So it CAN be stopped - you just need to read up on how to do it.

>

>

Guest 6stemD

Guest 6stemD

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

All Right Scott,

I think if you don't want the access of your domaine to a non domain

computer like the personal computer of your user, you try to work on the

autentication method.

I think you can use the Kerberos V5 autentication and IPSEC.

Search this atricles on the online technet library. I find lots of topics,

but sorry all are in french (it's my country)

Try to visit this page:

 

http://technet2.microsoft.com/windowsserver/en/library/f330f9c6-c1e6-41c2-8295-8427332995f61033.mspx?mfr=true

 

I think the method with certificat with not to hard to implement on the

network.

I use this method for my client to prevent the user who can acces to the

wifi collection.

 

If i find another topics or method i contact you in this post.

 

Good luck.

The way to the best security network was very long...

 

 

 

--

best regard

 

 

"Scott" wrote:

> I CAN read up -- I just can't find definitive articles with the steps!

> Right now, non-domain machines will pop up a login box for the user when

> attempting to access a file share. That is what I want to stop.

>

> Do you have any articles? Can you point me to where I can read about this?

>

> Thanks,

> -Scott

>

> "NoConsequence" wrote:

>

> > On Tue, 27 Nov 2007 13:24:01 -0800, Scott

> > <Scott@discussions.microsoft.com> wrote:

> >

> > >I want to prevent a user from accessing the fileshare if they come from an

> > >unauthorized machine.

> > >As of now, if Joe User brings in his personal laptop and plugs it into the

> > >network, and tries to access a Windows 2003 file share, it prompts them for

> > >username/password. If they enter their AD uname/pw, they can gain access.

> > >

> > >How can I prevent authorized users on unauthorized machines from gaining

> > >access to W2K3 file shares?

> >

> > I don't understand how they are getting logged onto your network using

> > their personal laptop to start with. It sounds as though you are in a

> > domain based LAN...

> >

> > Their computer should not be joined to the domain, and you CAN set up

> > the domain so that it will not allow non-domain computers to access

> > the LAN and any resources therein. I've never been on a corporate

> > network where I could bring in my personal equipment and do this -

> > well, not entirely true, I COULD as a SysAdmin, but ordinary users

> > could not. I watched them try, fail, then call me for help only to

> > tell them why it wouldn't work and why we wouldn't allow them to do

> > it.

> >

> > So it CAN be stopped - you just need to read up on how to do it.

> >

> >

Guest Iain

Guest Iain

Posted
Posted

RE: How to prevent users on unauthorized machines from w2k3 files

 

I am interested in this request and will trial this answer myself over the

weekend but here's an idea.

 

In the properties - share - permissions of the share folder we often apply

groups or users access ... why not remove all groups and users ( except

yourself & Administrator ) and add the computers container instead? Its just

an idea .. try making a new share and appling this security policy? The

security tab after the share tab takes care of who can access the folder but

the sharing tab takes care of who can see the share and have access... my

thought is .. computer first then user.

 

Dont kno if its worth a try.

--

Iain Marshall

MCSE MCSA MCPs MCP

 

 

"Scott" wrote:

> I want to prevent a user from accessing the fileshare if they come from an

> unauthorized machine.

> As of now, if Joe User brings in his personal laptop and plugs it into the

> network, and tries to access a Windows 2003 file share, it prompts them for

> username/password. If they enter their AD uname/pw, they can gain access.

>

> How can I prevent authorized users on unauthorized machines from gaining

> access to W2K3 file shares?

Guest nospam

Guest nospam

Posted
Posted

Re: How to prevent users on unauthorized machines from w2k3 files

 

=?Utf-8?B?U2NvdHQ=?= <Scott@discussions.microsoft.com> wrote in

news:F9061B3F-BA2F-48B3-897D-08CEA3DD41C6@microsoft.com:

> I want to prevent a user from accessing the fileshare if they come

> from an unauthorized machine.

> As of now, if Joe User brings in his personal laptop and plugs it into

> the network, and tries to access a Windows 2003 file share, it prompts

> them for username/password. If they enter their AD uname/pw, they can

> gain access.

>

> How can I prevent authorized users on unauthorized machines from

> gaining access to W2K3 file shares?

>

 

You should go even further than that - an unauthorized machine should not

be given an IP number by your DHCP server. I don't use a Windows server

for the DHCP server, so I can't tell you how to do this on a Windows

server.

If possible, put the personal laptops into a separate VLAN so they cannot

access your servers at all.

 Share
Go to topic listing
×
×
  • Create New...