Open Access to Shares

[Paul]

Hopefully a quick question, I have just moved to a new organisation, which is
having a problem with staff bringing laptops and attaching then to the
network.
Accessing the file shares directly without joining the domain, the shared
permissions are currently set to full control, with NTFS allowing only
authenticated users access to the shares.
So Jo Blogs comes along with his laptop, plug into the network, copies the
network settings from a legitimate client and then log’s on with his username
& password to the file share.
How can I ensure that only domain clients can have access to network shared
recources?

Many thanks in advance.
--
Paul

 

[S. Pidgorny]

Not easily.

IPsec can make sure only authorised systems can connect to the resources.
NAP can be used to make sure connecting systems are compliant to the
organisational policy (eg up to date with fixes etc) - that goes on top of
the computer authentication.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Paul" <Paul@discussions.microsoft.com> wrote in message
news:66CC94AE-72A8-4202-8C77-58149C62C58B@microsoft.com...
> Hopefully a quick question, I have just moved to a new organisation, which
> is
> having a problem with staff bringing laptops and attaching then to the
> network.
> Accessing the file shares directly without joining the domain, the shared
> permissions are currently set to full control, with NTFS allowing only
> authenticated users access to the shares.
> So Jo Blogs comes along with his laptop, plug into the network, copies the
> network settings from a legitimate client and then log's on with his
> username
> & password to the file share.
> How can I ensure that only domain clients can have access to network
> shared
> recources?
>
> Many thanks in advance.
> --
> Paul

 

[Paul]

Thanks for your speedy response
Thus far we only allow users only access to their own files, changing NTFS
permissions of authenticated users to owner only access, that way they can
only see their own documents but this doesn’t stop the possibility of virus
infection as the files are accessed directly on the server.
How complicated is an implementation of IPSEC across the network, and would
users notice any change in service.

One final spanner, is that we also support 10 MAC running OSX would IPSEC
accommodate this?
--
Paul


"S. Pidgorny <MVP>" wrote:

> Not easily.
>
> IPsec can make sure only authorised systems can connect to the resources.
> NAP can be used to make sure connecting systems are compliant to the
> organisational policy (eg up to date with fixes etc) - that goes on top of
> the computer authentication.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Paul" <Paul@discussions.microsoft.com> wrote in message
> news:66CC94AE-72A8-4202-8C77-58149C62C58B@microsoft.com...
> > Hopefully a quick question, I have just moved to a new organisation, which
> > is
> > having a problem with staff bringing laptops and attaching then to the
> > network.
> > Accessing the file shares directly without joining the domain, the shared
> > permissions are currently set to full control, with NTFS allowing only
> > authenticated users access to the shares.
> > So Jo Blogs comes along with his laptop, plug into the network, copies the
> > network settings from a legitimate client and then log's on with his
> > username
> > & password to the file share.
> > How can I ensure that only domain clients can have access to network
> > shared
> > recources?
> >
> > Many thanks in advance.
> > --
> > Paul
>
>
>

 

[S. Pidgorny]

Deploying IPsec in Windows domain is relatively easy, especially in
smaller-scale infrastructures. Reading:

http://technet.microsoft.com/en-us/network/bb531150.aspx

OS X support is a tricky bit - Apple supports IPsec as a VPN protocol (point
to point connections to a router) but not the transport mode. This is a
small challenge, giving you two options - either make exclusions from the
IPsec policuy on the servers, or implement a VPN-like connection from the
Macs to your network.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Paul" <Paul@discussions.microsoft.com> wrote in message
news3EE525B-D397-4781-BB3A-57EAB68BC1F1@microsoft.com...
> Thanks for your speedy response
> Thus far we only allow users only access to their own files, changing NTFS
> permissions of authenticated users to owner only access, that way they can
> only see their own documents but this doesn't stop the possibility of
> virus
> infection as the files are accessed directly on the server.
> How complicated is an implementation of IPSEC across the network, and
> would
> users notice any change in service.
>
> One final spanner, is that we also support 10 MAC running OSX would IPSEC
> accommodate this?
> --
> Paul
>
>
> "S. Pidgorny <MVP>" wrote:
>
>> Not easily.
>>
>> IPsec can make sure only authorised systems can connect to the resources.
>> NAP can be used to make sure connecting systems are compliant to the
>> organisational policy (eg up to date with fixes etc) - that goes on top
>> of
>> the computer authentication.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "Paul" <Paul@discussions.microsoft.com> wrote in message
>> news:66CC94AE-72A8-4202-8C77-58149C62C58B@microsoft.com...
>> > Hopefully a quick question, I have just moved to a new organisation,
>> > which
>> > is
>> > having a problem with staff bringing laptops and attaching then to the
>> > network.
>> > Accessing the file shares directly without joining the domain, the
>> > shared
>> > permissions are currently set to full control, with NTFS allowing only
>> > authenticated users access to the shares.
>> > So Jo Blogs comes along with his laptop, plug into the network, copies
>> > the
>> > network settings from a legitimate client and then log's on with his
>> > username
>> > & password to the file share.
>> > How can I ensure that only domain clients can have access to network
>> > shared
>> > recources?
>> >
>> > Many thanks in advance.
>> > --
>> > Paul
>>
>>
>>

 

[Paul]

Once again thanks very much for your time and responce

Regards
--
Paul


"S. Pidgorny <MVP>" wrote:

> Deploying IPsec in Windows domain is relatively easy, especially in
> smaller-scale infrastructures. Reading:
>
> http://technet.microsoft.com/en-us/network/bb531150.aspx
>
> OS X support is a tricky bit - Apple supports IPsec as a VPN protocol (point
> to point connections to a router) but not the transport mode. This is a
> small challenge, giving you two options - either make exclusions from the
> IPsec policuy on the servers, or implement a VPN-like connection from the
> Macs to your network.
>
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>
> "Paul" <Paul@discussions.microsoft.com> wrote in message
> news3EE525B-D397-4781-BB3A-57EAB68BC1F1@microsoft.com...
> > Thanks for your speedy response
> > Thus far we only allow users only access to their own files, changing NTFS
> > permissions of authenticated users to owner only access, that way they can
> > only see their own documents but this doesn't stop the possibility of
> > virus
> > infection as the files are accessed directly on the server.
> > How complicated is an implementation of IPSEC across the network, and
> > would
> > users notice any change in service.
> >
> > One final spanner, is that we also support 10 MAC running OSX would IPSEC
> > accommodate this?
> > --
> > Paul
> >
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> >> Not easily.
> >>
> >> IPsec can make sure only authorised systems can connect to the resources.
> >> NAP can be used to make sure connecting systems are compliant to the
> >> organisational policy (eg up to date with fixes etc) - that goes on top
> >> of
> >> the computer authentication.
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
> >>
> >> "Paul" <Paul@discussions.microsoft.com> wrote in message
> >> news:66CC94AE-72A8-4202-8C77-58149C62C58B@microsoft.com...
> >> > Hopefully a quick question, I have just moved to a new organisation,
> >> > which
> >> > is
> >> > having a problem with staff bringing laptops and attaching then to the
> >> > network.
> >> > Accessing the file shares directly without joining the domain, the
> >> > shared
> >> > permissions are currently set to full control, with NTFS allowing only
> >> > authenticated users access to the shares.
> >> > So Jo Blogs comes along with his laptop, plug into the network, copies
> >> > the
> >> > network settings from a legitimate client and then log's on with his
> >> > username
> >> > & password to the file share.
> >> > How can I ensure that only domain clients can have access to network
> >> > shared
> >> > recources?
> >> >
> >> > Many thanks in advance.
> >> > --
> >> > Paul
> >>
> >>
> >>
>
>
>

 

[David H. Lipman]

From: "Paul" <Paul@discussions.microsoft.com>

| Hopefully a quick question, I have just moved to a new organisation, which is
| having a problem with staff bringing laptops and attaching then to the
| network.
| Accessing the file shares directly without joining the domain, the shared
| permissions are currently set to full control, with NTFS allowing only
| authenticated users access to the shares.
| So Jo Blogs comes along with his laptop, plug into the network, copies the
| network settings from a legitimate client and then log’s on with his username
| & password to the file share.
| How can I ensure that only domain clients can have access to network shared
| recources?
|
| Many thanks in advance.

Set the shares to ONLY allow access to Domain Members such as those that are in an OU group.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp