Guest Scott Posted November 27, 2007

I want to prevent a user from accessing the fileshare if they come from an unauthorized machine.
As of now, if Joe User brings in his personal laptop and plugs it into the network, and tries to access a Windows 2003 file share, it prompts them for username/password. If they enter their AD uname/pw, they can gain access.

How can I prevent authorized users on unauthorized machines from gaining access to W2K3 file shares?

Guest Meinolf Weber Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Hello Scott,

You can use Option classes with DHCP:
http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-4120-bfc4-193816ea4a6d1033.mspx?mfr=true

Another way, if you have manageable switches, is to allow only specified MAC addresses.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> I want to prevent a user from accessing the fileshare if they come from an unauthorized machine.
> As of now, if Joe User brings in his personal laptop and plugs it into the network, and tries to access a Windows 2003 file share, it prompts them for username/password. If they enter their AD uname/pw, they can gain access.
> How can I prevent authorized users on unauthorized machines from gaining access to W2K3 file shares?

Guest Scott Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

I don't quite understand how this resolves my issue.
I don't want ANY machine that gets a DHCP address to be verified to access the file share.
I want ONLY AD bound machines with valid AD username/password to be able to access the file share.

Thanks,
-Scott

"Meinolf Weber" wrote:
> Hello Scott,
>
> You can use Option classes with DHCP:
> http://technet2.microsoft.com/windowsserver/en/library/14afbdc1-b75f-4120-bfc4-193816ea4a6d1033.mspx?mfr=true
>
> Another way, if you have manageable switches, is to allow only specified MAC addresses.

Guest Meinolf Weber Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Hello Scott,

This will prevent the machines from getting an IP address from your domain DHCP and accessing the network.

You can also use an IPSec configuration; maybe that's more what you are looking for:
http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

Best regards

Meinolf Weber

> I don't quite understand how this resolves my issue.
> I don't want ANY machine that gets a DHCP address to be verified to access the file share.
> I want ONLY AD bound machines with valid AD username/password to be able to access the file share.
> Thanks,
> -Scott

Guest Scott Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

OK, that is for DHCP then....
What about the user who brings in their personal laptop, plugs it in, and manually assigns the machine an IP? How can I prevent that machine from accessing the file share?

"Meinolf Weber" wrote:
> Hello Scott,
>
> This will prevent the machines from getting an IP address from your domain DHCP and accessing the network.
>
> You can also use an IPSec configuration; maybe that's more what you are looking for:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en

Guest 6stemD Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Hi Scott,

I think the best security for denying access to a personal computer or other computer is to use a manageable switch with level 2 security minimum. Now there are a lot of switches with the function "smart web manageable switch", like Netgear or Dlink (very low cost), and you can put in all the MAC addresses of the computers and printers bla bla bla of your network. So when a user goes to the office with his personal computer and plugs in the network cable, he can't access the network or internet or files because his MAC address is not in the switch. You can also use this security for a Wifi access point.

Have Fun
--
best regards

"Scott" wrote:
> OK, that is for DHCP then....
> What about the user who brings in their personal laptop, plugs it in, and manually assigns the machine an IP? How can I prevent that machine from accessing the file share?

Guest SBS Rocker Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

I'm trying to understand your reasoning behind this request. If you grant a user access to a fileshare then what is your reasoning behind whether or not they use a company pc or their laptop? Can't be security because you have granted them access. Perhaps you're afraid of a virus outbreak not knowing if their personal laptop has the proper virus protection but then again why do you ask about how to prevent them from accessing a fileshare? Just curious and not trying to offend or disrespect your request.

"Scott" <Scott@discussions.microsoft.com> wrote in message news:91A2806E-F36D-46BA-BF24-7FEF5CBE2A59@microsoft.com...
> OK, that is for DHCP then....
> What about the user who brings in their personal laptop, plugs it in, and manually assigns the machine an IP? How can I prevent that machine from accessing the file share?

Guest Scott Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Not with 100+ MACs.....

"6stemD" wrote:
> Hi Scott,
>
> I think the best security for denying access to a personal computer or other computer is to use a manageable switch with level 2 security minimum. Now there are a lot of switches with the function "smart web manageable switch", like Netgear or Dlink (very low cost), and you can put in all the MAC addresses of the computers and printers bla bla bla of your network. So when a user goes to the office with his personal computer and plugs in the network cable, he can't access the network or internet or files because his MAC address is not in the switch. You can also use this security for a Wifi access point.
>
> Have Fun

Guest Scott Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Not offended at all!
The user has rights to access the data on a machine provided to them by us. They cannot attach a USB drive, burn a CD, or FTP/email out information without it being flagged/stopped.

So I was asked "What if Joe User brings in his home laptop?"
If a user does, and copies the IP settings from their corporate desktop, then plugs in their laptop into the same wire and attempts to access a Windows file share, they are prompted for a username and password. Since they are a user with valid credentials, they can access the data and hypothetically copy it and remove it from the building without us knowing.

Is that clearer?
-Scott

"SBS Rocker" wrote:
> I'm trying to understand your reasoning behind this request. If you grant a user access to a fileshare then what is your reasoning behind whether or not they use a company pc or their laptop? Can't be security because you have granted them access. Perhaps you're afraid of a virus outbreak not knowing if their personal laptop has the proper virus protection but then again why do you ask about how to prevent them from accessing a fileshare? Just curious and not trying to offend or disrespect your request.

Guest Meinolf Weber Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Hello Scott,

Then I think IPSec is really your solution; it secures the communication inside your domain between the servers and clients that have the right configuration.

Best regards

Meinolf Weber

> Not offended at all!
> The user has rights to access the data on a machine provided to them by us. They cannot attach a USB drive, burn a CD, or FTP/email out information without it being flagged/stopped.
> So I was asked "What if Joe User brings in his home laptop?" If a user does, and copies the IP settings from their corporate desktop, then plugs in their laptop into the same wire and attempts to access a Windows file share, they are prompted for a username and password. Since they are a user with valid credentials, they can access the data and hypothetically copy it and remove it from the building without us knowing.
>
> Is that clearer?
> -Scott

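One way the IPSec approach suggested in the post above could be expressed on the Windows Server 2003 file server with `netsh ipsec static`, as an added example that is not part of the original thread or written by any of its posters. The policy, filter list, filter action and rule names are hypothetical; it assumes the file server is a domain member (not a domain controller) and that domain workstations already have the built-in "Client (Respond Only)" IPsec policy assigned through Group Policy.

```batch
rem Added example. All quoted names are hypothetical. Run on the W2K3 file server.
rem Assumption: the server is a domain member, not a domain controller, so that
rem clients can still reach the DCs in the clear to obtain Kerberos tickets.

rem 1. Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="FileShare Isolation" description="Require IPsec for SMB" assign=no

rem 2. Match SMB traffic addressed to this server (TCP 445 and NetBIOS session TCP 139).
rem    mirrored=yes also covers the replies going back to the client.
netsh ipsec static add filterlist name="Inbound SMB"
netsh ipsec static add filter filterlist="Inbound SMB" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB over TCP"
netsh ipsec static add filter filterlist="Inbound SMB" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes description="SMB over NetBIOS"

rem 3. Require a negotiated ESP association for that traffic.
rem    inpass=no : do not accept an unsecured first packet
rem    soft=no   : never fall back to cleartext if negotiation fails
netsh ipsec static add filteraction name="Require ESP" inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]"

rem 4. Bind filter list and action together, authenticating IKE with Kerberos.
rem    IKE uses the computer account here, so a laptop that is not joined to the
rem    domain cannot finish main mode and never reaches the SMB logon prompt,
rem    even when the user types valid AD credentials.
netsh ipsec static add rule name="SMB needs domain machine" policy="FileShare Isolation" filterlist="Inbound SMB" filteraction="Require ESP" kerberos=yes

rem 5. Review the result, then assign it.
netsh ipsec static show policy name="FileShare Isolation" level=verbose
netsh ipsec static set policy name="FileShare Isolation" assign=yes

rem 6. From a domain workstation, open the share, then confirm on the server
rem    that a main-mode security association exists for that client.
netsh ipsec dynamic show mmsas all
```

Test with one share and a pilot group of workstations first: any domain client that has not yet received its respond-only policy will be locked out of SMB on this server as well.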
Guest SBS Rocker Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

Much clearer because I was thinking what is to stop them from burning, emailing or attaching a USB device to copy the data and taking it home. You explained it very well. Not that I have any resolutions for you other than I've worked in companies where it was against "policies" for an employee to bring their personal laptop to work without written permission from their manager and the consequences were severe if they were caught.

"Scott" <Scott@discussions.microsoft.com> wrote in message news:90F8F9C8-D660-47E2-AB88-F5F5EEA2FF92@microsoft.com...
> Not offended at all!
> The user has rights to access the data on a machine provided to them by us. They cannot attach a USB drive, burn a CD, or FTP/email out information without it being flagged/stopped.
>
> So I was asked "What if Joe User brings in his home laptop?"
> If a user does, and copies the IP settings from their corporate desktop, then plugs in their laptop into the same wire and attempts to access a Windows file share, they are prompted for a username and password. Since they are a user with valid credentials, they can access the data and hypothetically copy it and remove it from the building without us knowing.
>
> Is that clearer?
> -Scott

Guest 6stemD Posted November 27, 2007

Re: How to prevent users on unauthorized machines from w2k3 files

OK Scott,

But if you want very strong security in your network, I think you can use a different method to log on to your network. You can use a policy with certificate autoenrollment at logon, so the personal laptop of the user can't have the certificate and he can't use the file shares?

Or you can use ISA Server to manage the security of the network; there are a lot of policies to check if the PC in the network is a business PC or a personal one...

Or you can use a RADIUS server and certificates; I use this policy to limit the users and computers that can access a wifi network, but I think you can also use this method for the computers in the network structure.

It's very hard and strong if you want to use a secure network, but not impossible.
--
best regards

"Scott" wrote:
> Not with 100+ MACs.....

Guest NoConsequence Posted November 28, 2007
Re: How to prevent users on unauthorized machines from w2k3 files

On Tue, 27 Nov 2007 13:24:01 -0800, Scott <Scott@discussions.microsoft.com> wrote:

>I want to prevent a user from accessing the fileshare if they come from an
>unauthorized machine.
>As of now, if Joe User brings in his personal laptop and plugs it into the
>network, and tries to access a Windows 2003 file share, it prompts them for
>username/password. If they enter their AD uname/pw, they can gain access.
>
>How can I prevent authorized users on unauthorized machines from gaining
>access to W2K3 file shares?

I don't understand how they are getting logged onto your network using their personal laptop to start with. It sounds as though you are in a domain based LAN...

Their computer should not be joined to the domain, and you CAN set up the domain so that it will not allow non-domain computers to access the LAN and any resources therein. I've never been on a corporate network where I could bring in my personal equipment and do this - well, not entirely true, I COULD as a SysAdmin, but ordinary users could not. I watched them try, fail, then call me for help only to tell them why it wouldn't work and why we wouldn't allow them to do it.

So it CAN be stopped - you just need to read up on how to do it.
Guest Scott Posted November 28, 2007
Re: How to prevent users on unauthorized machines from w2k3 files

I CAN read up -- I just can't find definitive articles with the steps!
Right now, non-domain machines will pop up a login box for the user when attempting to access a file share. That is what I want to stop.

Do you have any articles? Can you point me to where I can read about this?

Thanks,
-Scott

"NoConsequence" wrote:

> On Tue, 27 Nov 2007 13:24:01 -0800, Scott
> <Scott@discussions.microsoft.com> wrote:
>
> >I want to prevent a user from accessing the fileshare if they come from an
> >unauthorized machine.
> >As of now, if Joe User brings in his personal laptop and plugs it into the
> >network, and tries to access a Windows 2003 file share, it prompts them for
> >username/password. If they enter their AD uname/pw, they can gain access.
> >
> >How can I prevent authorized users on unauthorized machines from gaining
> >access to W2K3 file shares?
>
> I don't understand how they are getting logged onto your network using
> their personal laptop to start with. It sounds as though you are in a
> domain based LAN...
>
> Their computer should not be joined to the domain, and you CAN set up
> the domain so that it will not allow non-domain computers to access
> the LAN and any resources therein. I've never been on a corporate
> network where I could bring in my personal equipment and do this -
> well, not entirely true, I COULD as a SysAdmin, but ordinary users
> could not. I watched them try, fail, then call me for help only to
> tell them why it wouldn't work and why we wouldn't allow them to do
> it.
>
> So it CAN be stopped - you just need to read up on how to do it.
Guest 6stemD Posted November 29, 2007
Re: How to prevent users on unauthorized machines from w2k3 files

All right Scott,

I think if you don't want non-domain computers, like the personal computers of your users, to access your domain, you should try to work on the authentication method.

I think you can use Kerberos V5 authentication and IPsec. Search for these articles in the online TechNet library. I found lots of topics, but sorry, all are in French (it's my country).

Try to visit this page:
http://technet2.microsoft.com/windowsserver/en/library/f330f9c6-c1e6-41c2-8295-8427332995f61033.mspx?mfr=true

I think the method with certificates is not too hard to implement on the network. I use this method for my client to prevent the user who can access to the wifi collection.

If I find other topics or methods, I will contact you in this post.

Good luck. The way to the best network security is very long...
--
best regard

"Scott" wrote:

> I CAN read up -- I just can't find definitive articles with the steps!
> Right now, non-domain machines will pop up a login box for the user when
> attempting to access a file share. That is what I want to stop.
>
> Do you have any articles? Can you point me to where I can read about this?
>
> Thanks,
> -Scott
>
> "NoConsequence" wrote:
>
> > On Tue, 27 Nov 2007 13:24:01 -0800, Scott
> > <Scott@discussions.microsoft.com> wrote:
> >
> > >I want to prevent a user from accessing the fileshare if they come from an
> > >unauthorized machine.
> > >As of now, if Joe User brings in his personal laptop and plugs it into the
> > >network, and tries to access a Windows 2003 file share, it prompts them for
> > >username/password. If they enter their AD uname/pw, they can gain access.
> > >
> > >How can I prevent authorized users on unauthorized machines from gaining
> > >access to W2K3 file shares?
> >
> > I don't understand how they are getting logged onto your network using
> > their personal laptop to start with. It sounds as though you are in a
> > domain based LAN...
> >
> > Their computer should not be joined to the domain, and you CAN set up
> > the domain so that it will not allow non-domain computers to access
> > the LAN and any resources therein. I've never been on a corporate
> > network where I could bring in my personal equipment and do this -
> > well, not entirely true, I COULD as a SysAdmin, but ordinary users
> > could not. I watched them try, fail, then call me for help only to
> > tell them why it wouldn't work and why we wouldn't allow them to do
> > it.
> >
> > So it CAN be stopped - you just need to read up on how to do it.
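An added example (not part of any post in this thread) of the Kerberos V5 plus IPsec approach suggested above: a `netsh ipsec static` script for the Windows Server 2003 file server that requires IPsec on inbound SMB, so only machines holding a domain computer account can complete the negotiation. The policy, filter list, filter action and rule names are hypothetical, and it assumes domain members already have a responding IPsec policy, such as the built-in "Client (Respond Only)", assigned through Group Policy.

```batch
@echo off
rem Added example, not from the thread. Run on the W2K3 file server as an administrator.
rem All names below (policy, filter list, filter action, rule) are hypothetical.
setlocal
set POLICY=FileShare-RequireIPsec
set FLIST=Inbound-SMB
set FACT=Require-ESP

rem 1. Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="%POLICY%" description="Require IPsec for SMB" assign=no

rem 2. Filter list matching SMB to this server: direct-hosted SMB (TCP 445)
rem    and SMB over the NetBIOS session service (TCP 139).
rem    mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="%FLIST%" description="SMB to this server"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB direct"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes description="SMB over NetBIOS"

rem 3. Filter action: always negotiate security.
rem    inpass=no -> do not accept an unsecured first packet
rem    soft=no   -> never fall back to clear text with peers that lack IPsec
netsh ipsec static add filteraction name="%FACT%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Rule tying the pieces together. kerberos=yes makes IKE authenticate the
rem    peer computer with Kerberos V5, which a non-domain machine cannot do.
netsh ipsec static add rule name="SMB-needs-Kerberos" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACT%" kerberos=yes

rem 5. Show the result for review, then assign the policy after confirmation.
netsh ipsec static show policy name="%POLICY%" level=verbose
echo Press Ctrl+C to stop here without assigning the policy.
pause
netsh ipsec static set policy name="%POLICY%" assign=yes
endlocal
```

With this policy assigned, a non-domain laptop never reaches the username/password prompt because the SMB connection is refused at the IPsec layer. Only TCP 445 and 139 are matched, so the server's other traffic, including its own communication with domain controllers, is left untouched.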
Guest Iain Posted November 30, 2007
RE: How to prevent users on unauthorized machines from w2k3 files

I am interested in this request and will trial this answer myself over the weekend, but here's an idea.

In the properties - share - permissions of the share folder we often apply groups or users access ... why not remove all groups and users ( except yourself & Administrator ) and add the computers container instead?

It's just an idea .. try making a new share and applying this security policy?

The security tab after the share tab takes care of who can access the folder but the sharing tab takes care of who can see the share and have access... my thought is .. computer first then user.

Don't know if it's worth a try.
--
Iain Marshall
MCSE MCSA MCPs MCP

"Scott" wrote:

> I want to prevent a user from accessing the fileshare if they come from an
> unauthorized machine.
> As of now, if Joe User brings in his personal laptop and plugs it into the
> network, and tries to access a Windows 2003 file share, it prompts them for
> username/password. If they enter their AD uname/pw, they can gain access.
>
> How can I prevent authorized users on unauthorized machines from gaining
> access to W2K3 file shares?
Guest nospam Posted November 30, 2007
Re: How to prevent users on unauthorized machines from w2k3 files

Scott <Scott@discussions.microsoft.com> wrote in news:F9061B3F-BA2F-48B3-897D-08CEA3DD41C6@microsoft.com:

> I want to prevent a user from accessing the fileshare if they come
> from an unauthorized machine.
> As of now, if Joe User brings in his personal laptop and plugs it into
> the network, and tries to access a Windows 2003 file share, it prompts
> them for username/password. If they enter their AD uname/pw, they can
> gain access.
>
> How can I prevent authorized users on unauthorized machines from
> gaining access to W2K3 file shares?
>

You should go even further than that - an unauthorized machine should not be given an IP number by your DHCP server. I don't use a Windows server for the DHCP server, so I can't tell you how to do this on a Windows server.

If possible, put the personal laptops into a separate VLAN so they cannot access your servers at all.