LAN access
19 years 10 months ago #6555
by gl0bal
Replied by gl0bal on topic Re: LAN access
You mention you are operating in a Windows 2000 environment with 1 domain. Therefore I assume you are using Active Directory.
Have you looked at what Group Policies you may be able to enforce to block this non-authenticated machine from browsing to known shares?
I believe you can do this by user but I would have to look into whether it's possible by machine account as well. I forget where the policy is located but there is one I remember that blocks user accounts from browsing local neighbourhood etc.
I'll have a look on 4 Jan when I get into work for the relevant policy. I believe you should also be able to deny any machine accounts from browsing to shared folders.
I'll post on 4 Jan GMT
19 years 10 months ago #6581
by gl0bal
Replied by gl0bal on topic Re: LAN access
I have looked at the Group Policy options and found a couple but they only work once someone is part of the domain.
But an alternative question comes to mind - how about going to the known shares and changing the share options?
For example, go to the properties of the shared folder and add Authenticated Users as a group allowed to access the share, set the rights as you desire and then remove the Everyone group if it's there. I would recommend doing this via the Computer Management GUI rather than through Windows Explorer.
I have tested this briefly and it appears this means the user cannot access the share unless they log on to the domain, thus becoming an authenticated user.
You can then use group policies to limit what they can and cannot map to or access.
You would also need to make sure that the offender did not know how to access the administrative shares (Admin$, C$, D$ etc., IPC$ and others) on the machine hosting the shares. If they did know how to access these admin shares and they were part of the administrator, backup operators, or server operators group then they will have the rights to access the share. Therefore the only other technical option may be to delete the admin shares (but this may break some functionality so approach this with caution).
Hope this helps and let us know how it goes or if you need more help.
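Added example, not part of gl0bal's post: a PowerShell audit of the share-permission change described above, which reports every non-administrative share that still grants access to Everyone and, on request, replaces that entry with Authenticated Users. It assumes a current Windows Server with the SmbShare module, which the Windows 2000 host in the thread does not have; the `-Fix` switch is a hypothetical name chosen for this script.

```powershell
# Added example: audit share permissions for "Everyone" and, with -Fix,
# swap them for "Authenticated Users" as the post describes.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later).
param([switch]$Fix)   # hypothetical switch: report only unless -Fix is given

$everyoneSid = 'S-1-1-0'    # well-known SID: Everyone
$auSid       = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
# Resolve the local name of Authenticated Users from its well-known SID.
$authUsers   = $auSid.Translate([System.Security.Principal.NTAccount]).Value

# -Special $false skips the administrative shares (ADMIN$, C$, IPC$ ...).
foreach ($share in Get-SmbShare -Special $false) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # Compare by SID so the check also works on localized systems.
        try {
            $acct = [System.Security.Principal.NTAccount]$ace.AccountName
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "$($share.Name): cannot resolve $($ace.AccountName)"
            continue
        }
        if ($sid -ne $everyoneSid -or "$($ace.AccessControlType)" -ne 'Allow') {
            continue
        }

        "{0}: Everyone is allowed {1}" -f $share.Name, $ace.AccessRight
        if (-not $Fix) { continue }

        if ("$($ace.AccessRight)" -eq 'Custom') {
            # Custom rights cannot be re-granted by name; leave for manual review.
            Write-Warning "$($share.Name): custom rights, change by hand"
            continue
        }
        # Grant first, then revoke, so the share is never left without an entry.
        Grant-SmbShareAccess -Name $share.Name -AccountName $authUsers `
            -AccessRight $ace.AccessRight -Force | Out-Null
        Revoke-SmbShareAccess -Name $share.Name `
            -AccountName $ace.AccountName -Force | Out-Null
    }
}
```

Run it without `-Fix` first and review the report, since these are share-level permissions only and the NTFS permissions on the folder still apply separately.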