HELP from Master Networking Gurus needed

1SE
04-06-2005, 12:04 AM
Interesting setup.
I have a workgroup I need to setup inside a Domain. I do NOT want the
workgroup computers to have access to domain resources EXCEPT for the
internet.

My domain setup uses the Domain server as the gateway for the network, via
two network cards one inside one outside.

The MAIN workgroup computer is on a fiber link with other Domain PC's so it
cannot be physically separated out.

There are only 4 so they will have static IP's.
The Domain is on DHCP.

I'm putting the workgroup computers on a different subnet and having the
MAIN workgroup computer setup with two network cards to do internet
connection sharing with the other workgroup computers.

I have to use the Domain Server's IP and Subnet in order to get to the
internet. Is there a way I can ensure that these workgroup computers Don't
have access to anything else??

Bill Grant
04-06-2005, 04:54 AM
You are confusing two different things. Giving a machine an IP
connection to another machine does not allow it access to that machine's
files. It merely allows it to "see" the other machine on the network.

You do not even need to put the workgroup computers in a different IP
subnet. If you want them on a different subnet routing through one
workstation (as you described), that should be OK as well. But it does not
give you any extra protection. The workgroup machines would still be able to
"see" the domain machines, even if you ran ICS on the routing workstation.
It would only block connections in the other direction (ie the domain
machines would not be able to access the workgroup machines, because the
domain is on the "public" side of the ICS router. ICS, like NAT, is a
one-way address translation process. The "private" machines can get out to
the "public" side, but not the other way around).

If the users of the workgroup machines do not have valid domain
accounts they will not be able to access domain resources. They will only
have access to the workgroup.

 
Maamoun
04-06-2005, 08:07 AM
Actually, the last sentence describes the solution exactly: preventing the
workgroup users from logging on to the domain is the key. They can access the
internet, but not domain resources.

So connect them to the network, give them static IPs and they will not be
able to access any resource.

 
1SE
04-06-2005, 01:20 PM
This is not true.

They can access the domain if they get hold of a domain account.
What I'm saying is they can see the domain, then they can type in names of
resources, i.e. \\domaincontroller\c$, and they'll then be prompted for a name
and password.

Is there any way to block that activity? (such as: anything from this IP
range, block). Keeping in mind that they still need internet access.
These machines are not in protected areas and someone could be hacking away
for days without anyone even knowing it.


 
Eric the IT Idiot
04-06-2005, 06:25 PM
I believe that Routing and Remote Access will accomplish this. Simply filter
network traffic from those workgroup machines to your network resources and
only allow port 80 traffic to pass, dropping all other traffic from them. I
am not sure, but this is what I'd try first.

 
1SE
04-06-2005, 10:29 PM
YES! This is the kind of routing information I need.
How do I do this?

 
Doug Sherman [MVP]
04-06-2005, 11:09 PM
"They can access the domain if they get hold of a domain account. What
I'm saying is they can see the domain, then they can type in names of
resources, i.e. \\domaincontroller\c$, and they'll then be prompted for a name
and password."

You would need a domain administrator user name and password to log onto
this share.

If you are running Windows Server 2003 with SP1, then you can block access
to the server by users on machines located on a remote subnet. Enable the
Windows Firewall on the LAN connection; create an exception for File and
Printer Sharing; edit the exception so that only machines on the
non-workgroup subnet are allowed. Or, put everyone on the same subnet and
edit to block the IPs of the workgroup machines.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 
1SE
04-07-2005, 12:08 AM
Thank you for the suggestion; the share was just an example.
I've found that using the Windows Firewall really sucks and it's best just
to turn it off.
If there's a way to do it via subnets and routers I'd much rather go that
path. Getting involved in firewall rules on the LAN just doesn't make sense
to me.


 
Eric the IT Idiot
04-07-2005, 06:53 PM
This is kind of what I am talking about. You access this under RRAS in the
MMC:
http://windows.microsoft.com/windows...RAStopnode.htm

It works on Server 2K3 also.

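Added example, not code from the thread or from Windows: a Python model of the two controls proposed in Eric's replies (a source-scoped packet filter on the router, widened to the DNS and HTTPS a browser also needs) and in Doug's reply (a File and Printer Sharing scope on the server that answers only the domain subnet). The addressing (192.168.1.0/24 for the domain, 192.168.2.0/24 for the workgroup, 192.168.1.1 for the server) and the sample flows are constructed; the model checks only the initiating direction, so a real stateless router filter also needs rules for the return traffic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing (an assumption for the example, not from the thread).
DOMAIN_NET = ip_network("192.168.1.0/24")     # domain PCs and the server's LAN side
WORKGROUP_NET = ip_network("192.168.2.0/24")  # the four static-IP workgroup PCs
SERVER_LAN = ip_network("192.168.1.1/32")     # domain server: gateway and DNS
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str                  # "forward" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; traffic no rule covers gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Router-side filter on traffic arriving from the workgroup side (Eric's
# suggestion, widened to what a browser actually needs: DNS and HTTPS too).
# Order matters: the DNS exception must sit above the blanket drop.
ROUTER_RULES = [
    Rule(WORKGROUP_NET, SERVER_LAN, "forward", "udp", 53),  # name resolution only
    Rule(WORKGROUP_NET, DOMAIN_NET, "drop"),                 # no SMB/RPC/LDAP/RDP to domain hosts
    Rule(WORKGROUP_NET, ANY, "forward", "tcp", 80),          # web
    Rule(WORKGROUP_NET, ANY, "forward", "tcp", 443),         # web over TLS
    Rule(DOMAIN_NET, ANY, "forward"),                        # domain PCs are not restricted here
]

# Server-side scope (Doug's suggestion): the File and Printer Sharing ports
# answer only to sources inside the domain subnet.
FILE_AND_PRINT_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}


def server_accepts(pkt: Packet, scope: IPv4Network = DOMAIN_NET) -> bool:
    """Host-firewall decision on the server for one inbound packet."""
    if (pkt.proto, pkt.dport) in FILE_AND_PRINT_PORTS:
        return ip_address(pkt.src) in scope
    return True  # ports outside the exception are not modelled here


def check_flow(pkt: Packet, router_rules: Optional[List[Rule]] = ROUTER_RULES) -> str:
    """Outcome across both layers; router_rules=None means no router filter in place."""
    if router_rules is not None and evaluate(router_rules, pkt) == "drop":
        return "dropped at router"
    if ip_address(pkt.dst) in SERVER_LAN and not server_accepts(pkt):
        return "refused by server firewall"
    return "delivered"


if __name__ == "__main__":
    # Constructed sample flows, including the \\server\c$ attempt from the thread (SMB, TCP 445).
    samples = [
        Packet("192.168.2.10", "192.168.1.1", "tcp", 445),   # share access attempt
        Packet("192.168.2.10", "192.168.1.1", "udp", 53),    # DNS lookup
        Packet("192.168.2.10", "203.0.113.7", "tcp", 443),   # web site
        Packet("192.168.2.10", "203.0.113.7", "tcp", 22),    # anything else outbound
        Packet("192.168.1.20", "192.168.1.1", "tcp", 445),   # domain PC to server share
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {check_flow(pkt)}")
```

Running the script shows the share attempt stopped at the router, and `check_flow(pkt, router_rules=None)` shows the server's own scope still refusing it when only Doug's control is in place.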
 
1SE
04-07-2005, 10:00 PM
Thank you, great resource, but I am using 2003.



"Eric the IT Idiot" <(E-Mail Removed)> wrote in
message news:7372EFCA-3615-481A-8DF3-(E-Mail Removed)...
> This is kind of what I am talking about. You access this under RRAS in the
> MMC:
>
> http://windows.microsoft.com/windows...RAStopnode.htm
>
> It works on Server 2K3 also.
>
> ""1SE"" wrote:
>
> > Thank you for the suggestion, the share was just an example.
> > I've found that using the windows firewall really sucks and it's best just
> > to turn it off.
> > If there's a way to do it via subnets and routers I'd much rather go that
> > path. Getting involved in firewall rules on the LAN just doesn't make sense
> > to me.
> >
> >
> > "Doug Sherman [MVP]" <(E-Mail Removed)> wrote in message
> > news:%(E-Mail Removed)...
> > > "They can access the domain if they get a hold of a domain account. What
> > > I'm saying is they can see the domain then they can type in names of
> > > resources i.e. \\domaincontroller\c$ they'll then be prompted for a name
> > > and password."
> > >
> > > You would need a domain administrator user name and password to log onto
> > > this share.
> > >
> > > If you are running Windows Server 2003 with SP1, then you can block access
> > > to the server by users on machines located on a remote subnet. Enable the
> > > Windows Firewall on the LAN connection; create an exception for File and
> > > Printer Sharing; edit the exception so that only machines on the
> > > non-workgroup subnet are allowed. Or, put everyone on the same subnet and
> > > edit to block the IPs of the workgroup machines.
> > >
> > > Doug Sherman
> > > MCSE, MCSA, MCP+I, MVP
> > >
> > > ""1SE"" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > This is not true.
> > > >
> > > > They can access the domain if they get a hold of a domain account.
> > > > What I'm saying is they can see the domain then they can type in names of
> > > > resources i.e. \\domaincontroller\c$ they'll then be prompted for a name
> > > > and password.
> > > >
> > > > Is there any way to block that activity? (such as, anything from this ip
> > > > range, block) Keeping in mind that they still need internet access.
> > > > These machines are not in protected areas and someone could be hacking
> > > > away for days without anyone even knowing it.
> > > >
> > > >
> > > > "Maamoun" <(E-Mail Removed)> wrote in message
> > > > news:E9654072-949D-404D-8FC1-(E-Mail Removed)...
> > > > > Actually, the last sentence describes the solution exactly, preventing
> > > > > the workgroup users from logging on to the domain is the key, they can
> > > > > access the internet, but not domain resources.
> > > > >
> > > > > so connect them to the network, give them static IPs and they will not
> > > > > be able to access any resource.
> > > > >
> > > > > "Bill Grant" wrote:
> > > > >
> > > > > > You are confusing two different things. Giving a machine an IP
> > > > > > connection to another machine does not allow it access to that
> > > > > > machine's files. It merely allows it to "see" the other machine on the
> > > > > > network.
> > > > > >
> > > > > > You do not even need to put the workgroup computers in a different
> > > > > > IP subnet. If you want them on a different subnet routing through one
> > > > > > workstation (as you described), that should be OK as well. But it does
> > > > > > not give you any extra protection. The workgroup machines would still
> > > > > > be able to "see" the domain machines, even if you ran ICS on the
> > > > > > routing workstation. It would only block connections in the other
> > > > > > direction (ie the domain machines would not be able to access the
> > > > > > workgroup machines, because the domain is on the "public" side of the
> > > > > > ICS router. ICS, like NAT, is a one-way address translation process.
> > > > > > The "private" machines can get out to the "public" side, but not the
> > > > > > other way around).
> > > > > >
> > > > > > If the users of the workgroup machines do not have valid domain
> > > > > > accounts they will not be able to access domain resources. They will
> > > > > > only have access to the workgroup.
> > > > > >
> > > > > > "1SE" wrote:
> > > > > > > Interesting setup.
> > > > > > > I have a workgroup I need to setup inside a Domain. I do NOT want
> > > > > > > the workgroup computers to have access to domain resources EXCEPT
> > > > > > > for the internet.
> > > > > > >
> > > > > > > My domain setup uses the Domain server as the gateway for the
> > > > > > > network, via two network cards one inside one outside.
> > > > > > >
> > > > > > > The MAIN workgroup computer is on a fiber link with other Domain
> > > > > > > PC's so it cannot be physically separated out.
> > > > > > >
> > > > > > > There are only 4 so they will have static IP's.
> > > > > > > The Domain is on DHCP.
> > > > > > >
> > > > > > > I'm putting the workgroup computers on a different subnet and
> > > > > > > having the MAIN workgroup computer setup with two network cards to
> > > > > > > do internet connection sharing with the other workgroup computers.
> > > > > > >
> > > > > > > I have to use the Domain Server's IP and Subnet in order to get to
> > > > > > > the internet. Is there a way I can ensure that these workgroup
> > > > > > > computers Don't have access to anything else??

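The firewall scope restriction Doug Sherman describes for Windows Server 2003 SP1, written out as a netsh script so it can be applied and re-checked from a command prompt. This is an added example, not from the thread; the subnets (192.168.10.0/24 for the domain LAN, 192.168.20.0/24 for the workgroup) and the interface name "Local Area Connection" are assumed placeholders.

```batch
@echo off
rem Added example: scoping the File and Printer Sharing exception on the
rem server's inside NIC so only the domain subnet can reach SMB (TCP 139/445,
rem UDP 137/138). Subnets and the interface name below are assumed values.

rem Weak setting (what an unrestricted exception looks like): File and Printer
rem Sharing is reachable from every address, including the workgroup subnet.
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=ALL profile=ALL

rem Hardened setting, step 1: turn the firewall on for the inside NIC while
rem keeping exceptions enabled, so permitted services keep working.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE interface="Local Area Connection"

rem Step 2: allow File and Printer Sharing only from the domain subnet.
rem Hosts on 192.168.20.0/24 (the workgroup) are not in the custom scope, so
rem their SMB connections to the server are dropped before any logon prompt.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.10.0/255.255.255.0 profile=ALL

rem Step 3: confirm the scope took effect. The FILEANDPRINT entries should
rem list the custom address range rather than "*" or "Any".
netsh firewall show service
netsh firewall show state
```

Note that this only narrows the File and Printer Sharing ports; any other exception the server exposes on the LAN needs the same scope treatment.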
