What is the best way to protect CIFS from domain users who connect an
unauthorized laptop to the domain?
I'm thinking of just setting up integrity checking on ports 137,139,445
before any client can connect.
Anyone know of a better way to make sure that the machine and user principal
BOTH authenticate before the server gives away any resources?
Re: CIFS Authentication
You can do this in Win2000+ using IPsec to enforce machine authentication
via Kerberos/Cert/PreSharedKey and user permissions on the folder itself to
restrict access to the data on a per user basis.
For a more broad machine-wide restriction, you could modify the machine's
"Access this computer from the network right" via local or domain group
policy to restrict access to only 'Authenticated Users.' Auth Users
restricts access to only authenticated machines and users, and when combined
with IPsec authentication, that access right is a nice way to restrict
access to the system in general...
In Win Vista and Srv2008, this level of machine + user authentication has
been integrated into a new protocol called authenticated IP (extension to
IKE/IPsec). With this implementation you can implement a very basic IPsec
policy that uses machine and user authentication and combine it with
authenticated Windows Firewall rules to restrict access to the applications,
services, ports, protocols or IP's that you want.
Intro to Windows Firewall with Advanced Security
Step by Step Guide for Deploying Policies with Windows Firewall with
"fixitchris" <email@example.com> wrote in message
> What is the best way to protect CIFS from domain users who connect an
> unauthorized laptop to the domain?
> I'm thinking of just setting up integrity checking on ports 137,139,445
> before any client can connect.
> Anyone know of a better way to make sure that the machine and user
> BOTH authenticate before the server gives away any resources?[/color]