Network isolation: local logins ?

 
 
RLM
      12-14-2006, 11:36 AM
I'm investigating the benefits of network/domain isolation. What I am
wondering is: we have some users that also log in to their PCs locally.
Does this mean that the machine will be on the non-isolated network?

How about W98 PCs, is there an option to put them in the isolated
network?

Thanks !

Jason Popp [MS]
      12-14-2006, 09:50 PM
Server and domain isolation using IPsec is based on the use of machine
credentials, and includes support for machine Kerberos accounts, machine
X.509 certificates and pre-shared keys...

Regarding the local user accounts, in Windows XP and Windows 2003, if the
user's workstation is joined to the domain, the machine will download the
group policy with the IPsec settings and can then participate in the
secured/isolation network using its configured IPsec-based authentication
mechanism. The credentials of the user are not evaluated when determining
whether or not a machine has a valid credential for use in the isolated
network or domain, so technically the addition of Server/Domain isolation
would not need to change the local user logons if there is a need to
maintain them...

You do have the option to restrict access to only valid domain accounts by
manipulating "access this computer from the network" logon rights and
changing the Default setting of 'Everyone' to Domain Users and Domain
Computers... We use that option here at Microsoft on downlevel systems to
provide different levels of access control to highly restricted systems on
the Corporate network. There are other options here as well that I'll not
go into unless you need more options/information.

Microsoft has extended the Server and Domain Isolation environment in
Windows Vista and Windows Server Longhorn by integrating the Windows
Firewall and IPsec and adding support for Authenticated IP. Authenticated
IP extends the core IKE functionality of machine authentication to also
include User and NAP Health Certificate authentication, so it is much easier
in Windows Vista to grant/deny access based on both machine and logged in
user credentials.

As far as Windows 98, there is no support for IPsec in platforms older than
Windows 2000 (and preferably using at least SP4)

Server and Domain Isolation page
http://www.microsoft.com/technet/net...o/default.mspx

Authenticated IP article:
http://www.microsoft.com/technet/com...uy/cg0806.mspx

Jason
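
A check for the "access this computer from the network" change described in the reply above, as an added example that is not part of the original posts: it parses the `[Privilege Rights]` section of a security template exported with `secedit /export /cfg <file> /areas USER_RIGHTS` and reports whether `SeNetworkLogonRight` still includes Everyone and whether Domain Users and Domain Computers are present. The function names are hypothetical, and the two sample templates and their domain SID are constructed.

```python
import re

EVERYONE_SID = "S-1-1-0"
# Well-known relative IDs that end a domain SID (S-1-5-21-<domain>-<RID>).
DOMAIN_RIDS = {513: "Domain Users", 515: "Domain Computers"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed samples; the domain SID 1111111111-2222222222-3333333333 is made up.
DEFAULT_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544
"""
RESTRICTED_TEMPLATE = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-515
"""

def network_logon_principals(inf_text):
    """Return the principals granted SeNetworkLogonRight, or [] if undefined."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        if section == "privilege rights" and key.strip().lower() == "senetworklogonright":
            # SIDs are written as *S-1-...; names that were not mapped to a SID appear bare.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def audit_network_logon(inf_text):
    """Summarise who may reach this machine over the network."""
    principals = network_logon_principals(inf_text)
    matches = [DOMAIN_SID.match(p) for p in principals]
    found = {DOMAIN_RIDS.get(int(m.group(1))) for m in matches if m}
    return {
        "principals": principals,
        "everyone_granted": EVERYONE_SID in principals or "Everyone" in principals,
        "missing_domain_groups": sorted(set(DOMAIN_RIDS.values()) - found),
    }

if __name__ == "__main__":
    for name, tpl in (("default", DEFAULT_TEMPLATE), ("restricted", RESTRICTED_TEMPLATE)):
        print(name, audit_network_logon(tpl))
```

Files written by `secedit /export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit_network_logon`.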
RLM
      12-20-2006, 02:40 PM
Thanks a lot for your information. I will study the articles you
provided.

Regards,
Dick
