I have been waiting to see responses to this thread, but don't think many
people will want to touch this one, since there are so many security
problems involved. One big worry is that if they got on the internal
network with those credentials that any resource secured with Everyone or
Authenticated Users would give them access.
But one thing you may want to consider is adding all of the users to a
group outside that OU. You could use it as a deny access group on all of
your other shared resources. But that sounds like a pain in the butt job.
In the GPO you should look at "Deny log on locally" and "Deny log on via
terminal services".
From: "Mulnick, Al" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 02/20/04 10:50 AM
Subject: RE: [ActiveDir] AD permissions for external clients
Please respond to: [EMAIL PROTECTED]
I think you may be looking in the wrong place to lock them down. You
should be locking them down at the point of entry (ISA) to prevent them
from going anywhere other than to the portal from a network perspective.
They additionally could be locked down to specific hours of operation as
well as not given any permissions anywhere else on the network. But they
at no time should be allowed to traverse the network to any other
destination other than the IIS server they need (least permissions).
Additionally, you could lock down any desktops that they could get onto
through GPO, but I think that's outside of what you're after and you could
also deny access to all servers with the ISA as an exception (logon via the
network is what I'm thinking of here).
Just some ideas.
Al
From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 20, 2004 10:31 AM
To: [EMAIL PROTECTED]
Cc: Schrock, Adam
Subject: [ActiveDir] AD permissions for external clients
I need to get some security advice with Sharepoint portal server / ISA
Server / IIS Server. The problem we're trying to solve is actually for 2
similar scenarios, but different applications.
1. We have an internal IIS server that we need to open up to
external clients. Also, we need to use integrated security on the
web due to back end DB permissions etc - so basically, we need users
in AD. We currently handle this through ISA server and it works fine
from a security standpoint. The question is - now that we're
actually rolling this app out to clients, I need to create users in
our internal AD. I have created a separate OU for these users and
planned on locking them down via Group Policy (in theory) so they
could only get to the web app - and nothing else on the network. But
I don't see anywhere in GPO where this can be done, and even if I did
I don't think it will work because these users are not really logging
onto the domain, they are just passing a valid username/password to
get through the ISA server. GPO can't do anything to an Internet
user...
2. Similar problem but using Sharepoint Portal Server. We have
the need for external suppliers/clients to access Sharepoint but I
need to lockdown their accounts in AD so they can only access the
Sharepoint resource and nothing else...
Hope that makes sense - I haven't been able to find any information on-line
about this problem.
Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
This message may have included proprietary or protected information. This
message and the information contained herein are not to be further
communicated without my express written consent.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
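The two replies above suggest three controls for the external-client accounts: a single group used as a Deny principal on internal shares, restricted logon hours, and the GPO "Deny log on" user rights. The script below is an added example, not code from anyone on this thread, and it uses the ActiveDirectory PowerShell module (tooling that postdates the 2004 discussion); the OU distinguished name, group name and share path are placeholders.

```powershell
# Added example (not from the thread). Assumed names: the OU holding the external
# accounts, the deny group, and one internal share. Needs the ActiveDirectory module
# (RSAT) and rights to edit the OU, its users and the folder ACL.
Import-Module ActiveDirectory

$ou        = 'OU=ExternalClients,DC=example,DC=com'   # assumed OU of the client accounts
$denyGroup = 'ExtClients-DenyShares'                  # assumed group name
$share     = 'D:\Shares\Internal'                     # assumed internal share path
$dom       = (Get-ADDomain).NetBIOSName

# 1. One group that collects every external account (first reply). New accounts created
#    in the OU are picked up on the next run, so no per-user ACL edits are needed.
if (-not (Get-ADGroup -Filter "Name -eq '$denyGroup'")) {
    New-ADGroup -Name $denyGroup -GroupScope Global -GroupCategory Security -Path $ou `
        -Description 'External portal accounts; used only as a Deny principal'
}
Get-ADUser -Filter * -SearchBase $ou | ForEach-Object {
    Add-ADGroupMember -Identity $denyGroup -Members $_ -ErrorAction SilentlyContinue
}

# 2. Deny the group all access on an internal share. A Deny ACE overrides any Allow the
#    accounts inherit through Everyone or Authenticated Users, which is the worry raised
#    in the first reply.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$dom\$denyGroup", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 3. Logon hours (Al's "specific hours of operation"). logonHours is 21 bytes = 168 bits,
#    one bit per hour of the week starting Sunday 00:00, least-significant bit first,
#    and the hours are UTC: shift the window for the portal's time zone. This mask
#    allows Monday-Friday 08:00-17:59 UTC and nothing else.
$mask = New-Object byte[] 21
foreach ($day in 1..5) {                  # 0 = Sunday ... 6 = Saturday
    foreach ($hour in 8..17) {
        $h = $day * 24 + $hour            # hour-of-week index, 0..167
        $mask[$h -shr 3] = [byte]($mask[$h -shr 3] -bor (1 -shl ($h -band 7)))
    }
}
Get-ADUser -Filter * -SearchBase $ou | Set-ADUser -Replace @{ logonHours = $mask }

# 4. "Deny log on locally" and "Deny log on through Terminal Services" are user rights,
#    set in Group Policy under Computer Configuration > Windows Settings > Security
#    Settings > Local Policies > User Rights Assignment; add $denyGroup there and link
#    the GPO to the server and workstation OUs, leaving the portal's IIS host out of it.
```

Run it again whenever accounts are added to the OU; verify the result with `Get-ADUser -Identity <account> -Properties logonHours, MemberOf` and `Get-Acl $share | Format-List`.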