I think you may be looking in the wrong place to lock them down.  You should be locking them down at the point of entry (ISA) to prevent them from going anywhere other than to the portal from a network perspective.  They additionally could be locked down to specific hours of operation as well as not given any permissions anywhere else on the network.  But they at no time should be allowed to traverse the network to any other destination other than the IIS server they need (least permissions).  Additionally, you could lock down any desktops that they could get onto through GPO, but I think that's outside of what you're after and you could also deny access to all servers with the ISA as an exception (logon via the network is what I'm thinking of here).
 
Just some ideas.
Al
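The controls Al lists above (a separate OU, logon hours, no rights anywhere else, and a deny-network-logon right on every server except the publishing servers) can be scripted. The block below is an added example, not code from the thread or from any of the posters, and it uses the ActiveDirectory PowerShell module, which postdates the 2004 discussion. Every name in it is an assumption: the domain corp.example.com, the OU "ExternalClients", the group "ExternalWebClients", and the hosts ISA01 and WEB01 standing in for the ISA server and the published IIS/SharePoint server.

```powershell
# Added example (not from the thread). Assumed names: corp.example.com,
# OU "ExternalClients", group "ExternalWebClients", hosts ISA01 (ISA) and
# WEB01 (IIS/SharePoint). Needs RSAT ActiveDirectory module and rights on the OU.
Import-Module ActiveDirectory

$domainFqdn   = 'corp.example.com'
$domainDN     = 'DC=corp,DC=example,DC=com'
$ouName       = 'ExternalClients'
$ouDN         = "OU=$ouName,$domainDN"
$groupName    = 'ExternalWebClients'
$allowedHosts = @('ISA01', 'WEB01')   # the only machines these accounts may touch

# 1. Separate OU and group so the accounts can be targeted as one unit.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN `
        -Description 'External clients; allowed only to the published web app'
}

# 2. logonHours: 21 bytes = 168 bits, one per hour of the week, bit 0 of byte 0
#    being Sunday 00:00 UTC. The DC evaluates it in UTC, so pass UTC hours.
function New-LogonHours {
    param(
        [int[]] $Days      = 1..5,   # 0 = Sunday ... 6 = Saturday
        [int]   $StartHour = 8,      # UTC, inclusive
        [int]   $EndHour   = 18      # UTC, exclusive
    )
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $i   = [int][math]::Floor($bit / 8)          # Floor: [int] alone rounds
            $bytes[$i] = $bytes[$i] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$bytes                                       # keep it a byte[]
}

# 3. One external account: lives in the OU, expires, cannot change its own
#    password (it never gets a desktop to do so), restricted hours, and a
#    "Log On To" list. The workstation list is a secondary layer: it is only
#    checked on logons that present a workstation name.
function New-ExternalWebUser {
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [string]       $DisplayName,
        [Parameter(Mandatory)] [securestring] $Password,
        [datetime] $ExpiresOn = (Get-Date).AddMonths(6)
    )
    $user = New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$domainFqdn" -Path $ouDN `
        -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -CannotChangePassword $true `
        -Description 'External web client; no logon except via ISA to the web app' `
        -PassThru
    $user | Set-ADUser -Replace @{ logonHours = [byte[]](New-LogonHours) } `
        -LogonWorkstations ($allowedHosts -join ',') -AccountExpirationDate $ExpiresOn
    Add-ADGroupMember -Identity $groupName -Members $user
    return $user
}

# 4. The control that actually keeps them off everything else: deny the group
#    every logon type on each machine that is not ISA01/WEB01. In a domain put
#    these rights in a GPO linked to the server/workstation OUs with the two
#    hosts excluded by security filtering; here the same settings are written
#    as a secedit template and applied to the local machine. Note that the
#    template REPLACES each right's list, so merge in any SIDs already assigned.
$sid = (Get-ADGroup -Identity $groupName).SID.Value
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$sid
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeDenyBatchLogonRight = *$sid
SeDenyServiceLogonRight = *$sid
"@
if ($allowedHosts -notcontains $env:COMPUTERNAME) {
    $inf = Join-Path $env:TEMP 'deny-external-web.inf'
    Set-Content -Path $inf -Value $template -Encoding Unicode
    secedit /configure /db "$env:windir\security\local.sdb" /cfg $inf /areas USER_RIGHTS /quiet
}

# Example use (constructed): create one client account, then read back the lockdown.
$pw = Read-Host -AsSecureString 'Initial password for the client account'
New-ExternalWebUser -SamAccountName 'acme.jsmith' -DisplayName 'J Smith (ACME, external)' -Password $pw
Get-ADUser 'acme.jsmith' -Properties logonHours, LogonWorkstations, AccountExpirationDate, MemberOf
```

Two checks worth running afterwards: from a domain member that is not ISA01 or WEB01, `net use \\thatserver\ipc$ /user:corp\acme.jsmith` should fail with a logon-type denial once the right is applied, and Active Directory Users and Computers will show the logon hours shifted to the console's local time zone, so compare against UTC when reviewing what the script wrote.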


From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 10:31 AM
To: [EMAIL PROTECTED]
Cc: Schrock, Adam
Subject: [ActiveDir] AD permissions for external clients

 

I need to get some security advice with Sharepoint portal server / ISA Server / IIS Server.  The problem we're trying to solve is actually for 2 similar scenarios, but different applications.

 

1. We have an internal IIS server that we need to open up to external clients.  Also, we need to use integrated security on the web due to back end DB permissions etc - so basically, we need users in AD.  We currently handle this through ISA server and it works fine from a security standpoint.  The question is - now that we're actually rolling this app out to clients, I need to create users in our internal AD.  I have created a separate OU for these users and planned on locking them down via Group Policy (in theory) so they could only get to the web app - and nothing else on the network.  But I don't see anywhere in GPO where this can be done, and even if I did I don't think it will work because these users are not really logging onto the domain, they are just passing a valid username/password to get through the ISA server.  GPO can't do anything to an Internet user...

 

2. Similar problem but using Sharepoint Portal Server.  We have the need for external suppliers/clients to access Sharepoint but I need to lock down their accounts in AD so they can only access the Sharepoint resource and nothing else...

 

Hope that makes sense - I haven't been able to find any information on-line about this problem.

 

 

 

Joe Pelle

Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may have included proprietary or protected information.  This message and the information contained herein are not to be further communicated without my express written consent.
