Block users from accessing certain server IPs

Lex (Associate, joined 26 Dec 2002, NW London, United Kingdom)
I have a group of temp users or users who should have limited access to my network.

What is the recommended method of invoking this? Group policy in AD? User classes? If so, can someone recommend me a how-to article?

Thanks in advance.
 
DHCP Reservations. Think we have the 1st 100 IPs set in there then the clients will pickup xxx.xxx.xxx.101 and so on.

http://technet2.microsoft.com/windo...3f92-4eac-ba00-8e93feaafe861033.mspx?mfr=true

What are you trying to stop them doing?

Just trying to limit access to the LAN. For example, I don't want temporary users accessing the main servers by typing the server IP into Start > Run (guess I could disable that in GPO). I want them mainly to be limited to their 'given' spaces and shared folders and THAT'S it.
 
If you were using VLANs, you could stick all of your temp users in a guest VLAN and then just control what they can access with fw rules.

If they've got AD accounts, you can go into those, click the Account tab and then set the "Log On To" options (I think it's in there anyway) and limit what they can log on to from there.
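The "Log On To" setting mentioned above is the LogonWorkstations attribute of the user object, so it can be applied to a whole group of temp users in one go rather than clicking through each account. The following is an added example, not code from anyone in this thread; it assumes the RSAT ActiveDirectory module is installed, and the group name TempUsers and the computer names GUEST-PC01/GUEST-PC02 are placeholders.

```powershell
# Added example: restrict members of a temp-user group to a fixed list of
# workstations via the "Log On To" (LogonWorkstations) attribute.
# Assumptions: RSAT ActiveDirectory module present; group and host names below
# are placeholders for your own estate.
Import-Module ActiveDirectory

$TempGroup    = 'TempUsers'                    # assumed group holding the temp accounts
$AllowedHosts = @('GUEST-PC01', 'GUEST-PC02')  # assumed NetBIOS names of permitted PCs

# LogonWorkstations is stored as one comma-separated string of NetBIOS names.
$LogonTo = $AllowedHosts -join ','

$members = Get-ADGroupMember -Identity $TempGroup -Recursive |
           Where-Object objectClass -eq 'user'

foreach ($m in $members) {
    Set-ADUser -Identity $m.DistinguishedName -LogonWorkstations $LogonTo
}

# Verify: show each temp user with the workstations they are now limited to.
Get-ADGroupMember -Identity $TempGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

This only controls which machines the account can log on to interactively. A temp user sitting at an allowed machine can still type a server UNC path, so the shares and servers themselves still need proper share/NTFS permissions or network-side controls, which is the point the later replies in this thread make.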
 
Sorry, ignore that, you never said it was machines. So this is a bit of a long-winded way.

Use GPO and give them a heavily restricted account, e.g. no Run command.
 
Sorry, ignore that, you never said it was machines. So this is a bit of a long-winded way.

Use GPO and give them a heavily restricted account, e.g. no Run command.

Might have to do that. Must be another way though! DHCP user classes or something.
 
Users or machines?

There's lots of ways really ranging from GPO to NAP/NAC to standard ACLs... need some more info!

Does sound like if it's just on a user basis that a very restrictive GPO might be your best bet.
 
If you lock down a GPO tight enough, you won't have to go to all that effort.
Just create an OU that's severely locked down, so they can only do certain things. Disable stuff like Run, command line, etc., and then map their shares with a KiX script.
Problem solved. :)
 
GPO works if there's no way they can log on using, say, a Linux laptop. I'm not totally sure how it works, but surely there are ways around client-side restrictions? I'd want my security on the server side or at least network hardware.
 
GPO works if there's no way they can log on using, say, a Linux laptop. I'm not totally sure how it works, but surely there are ways around client-side restrictions? I'd want my security on the server side or at least network hardware.

GP- "Deny interactive logon"

Job still done.
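Following on from the point above that client-side restrictions can be worked around and the security really belongs on the server side or the network, here is an added example (not from this thread) of a server-side control: a Windows Firewall rule on the file server that blocks SMB and RDP from the guest VLAN subnet the earlier reply suggested putting temp users in. It assumes it is run on the server with admin rights; 192.0.2.0/24 is a placeholder for the guest VLAN range, and the rule name is made up.

```powershell
# Added example: server-side block of the guest/temp-user VLAN, so the restriction
# holds regardless of what client the temp user brings (Linux laptop included).
# Assumptions: run on the server as an administrator; subnet below is a placeholder.
$GuestSubnet = '192.0.2.0/24'                      # assumed guest VLAN range
$RuleName    = 'Block guest VLAN - SMB and RDP'    # assumed rule name

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Block -Enabled True `
        -Protocol TCP -LocalPort 445,3389 `
        -RemoteAddress $GuestSubnet -Profile Domain `
        -Description 'Temp users may reach only their own shares, not the main servers'
}

# Verify what was applied: the remote address and port filters bound to the rule.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
```

Block rules win over allow rules in Windows Firewall, so this takes effect even though the server already allows File and Printer Sharing. If the temp users' own shares live on the same server, blocking 445 would cut those off too; in that case rely on share and NTFS permissions for the separation, or host the temp shares on a separate member server that the guest VLAN is allowed to reach.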
 
Or lock down the GPO, disable any unused switch ports and enable only a single MAC address per port [comes down to if you think people are Knowledgeable enough to start cloning MAC addresses].
 
If you lock down a GPO tight enough, you won't have to go to all that effort.
Just create an OU that's severely locked down, so they can only do certain things. Disable stuff like Run, command line, etc., and then map their shares with a KiX script.
Problem solved. :)

agreed

Or lock down the GPO, disable any unused switch ports and enable only a single MAC address per port [comes down to if you think people are knowledgeable enough to start cloning MAC addresses].

This would be the way forward, but it is a little extreme. I would, if you have the time, recommend that; however, it's dependent on the users and the type of data you have, really.
 
If you had an Extreme networks estate managed by Ridgeline you can use user-aware port profiles :)
Which holds traffic at the switch port while snooping and forwarding Kerberos; it sniffs the username and checks the server response. If it's successful, it opens the port up and applies a port profile for VLAN, QoS and ACLs based on what profile is assigned in Ridgeline, based on selected AD attributes :)

This doesn't help this thread at all, but I thought I'd take the opportunity to brag about what MY network can do :D
 