Network isolation: local logins?

Discussion in 'Windows Networking' started by RLM, Dec 14, 2006.

  1. RLM

    RLM Guest

    I'm investigating the benefits of network/domain isolation. What I am
    wondering is: we have some users that also log in to their PCs locally.
    Does this mean that the machine will be on the non-isolated network?

    How about W98 PCs, is there an option to put them in the isolated
    network?

    Thanks!

    RLM, Dec 14, 2006

  2. Server and domain isolation using IPsec is based on the use of machine
    credentials, and includes support for machine Kerberos accounts, machine
    X.509 certificates and pre-shared keys...

    Regarding the local user accounts, in Windows XP and Windows 2003, if the
    user's workstation is joined to the domain, the machine will download the
    group policy with the IPsec settings and can then participate in the
    secured/isolation network using its configured IPsec-based authentication
    mechanism. The credentials of the user are not evaluated when determining
    whether or not a machine has a valid credential for use in the isolated
    network or domain, so technically the addition of Server/Domain isolation
    would not need to change the local user logons if there is a need to
    maintain them...

    You do have the option to restrict access to only valid domain accounts by
    manipulating "access this computer from the network" logon rights and
    changing the Default setting of 'Everyone' to Domain Users and Domain
    Computers... We use that option here at Microsoft on downlevel systems to
    provide different levels of access control to highly restricted systems on
    the Corporate network. There are other options here as well that I'll not
    go into unless you need more options/information.

    Microsoft has extended the Server and Domain Isolation environment in
    Windows Vista and Windows Server Longhorn by integrating the Windows
    Firewall and IPsec and adding support for Authenticated IP. Authenticated
    IP extends the core IKE functionality of machine authentication to also
    include User and NAP Health Certificate authentication, so it is much easier
    in Windows Vista to grant/deny access based on both machine and logged-in
    user credentials.

    As far as Windows 98, there is no support for IPsec in platforms older than
    Windows 2000 (and preferably using at least SP4).

    Server and Domain Isolation page

    Authenticated IP article:

    Jason Popp [MS], Dec 14, 2006
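The answer above suggests tightening the "Access this computer from the network" logon right so that it no longer grants Everyone. The script below is an added example, not code from the thread or from Microsoft: it parses the INI-style file that `secedit /export /cfg <file>` writes on Windows 2000/XP/2003 and reports whether `SeNetworkLogonRight` (the internal name of that right) still includes the well-known Everyone SID `S-1-1-0`. The `SAMPLE_EXPORT` text is a constructed sample reflecting the default assignment; the function names are this example's own.

```python
"""Audit the 'Access this computer from the network' user right
(SeNetworkLogonRight) in a secedit security-policy export.

On the Windows host, as an administrator, first run:
    secedit /export /cfg C:\\temp\\secpol.inf
then feed the file's text to the functions below (they run offline).
"""

EVERYONE_SID = "S-1-1-0"  # well-known SID for the Everyone group

# Constructed sample of a secedit export showing the XP/2003 default
# assignment: Everyone, Administrators, Users, Backup Operators.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights]
    section. secedit prefixes SIDs with '*'; unresolved names appear bare."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):  # section header switches context
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def network_logon_grants_everyone(text):
    """True when SeNetworkLogonRight still includes the Everyone group,
    matched by SID or by the bare name secedit may emit."""
    grants = parse_privilege_rights(text).get("SeNetworkLogonRight", [])
    return any(p == EVERYONE_SID or p.lower() == "everyone" for p in grants)


if __name__ == "__main__":
    if network_logon_grants_everyone(SAMPLE_EXPORT):
        print("SeNetworkLogonRight grants Everyone: restrict it to domain groups")
    else:
        print("SeNetworkLogonRight does not grant Everyone")
```

Replacing Everyone with Domain Users and Domain Computers, as the answer describes, is done through the Local Security Policy or a domain GPO; re-exporting with secedit and re-running the check confirms the change took effect.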

  3. RLM

    RLM Guest

    Thanks a lot for your information. I will study the articles you


    RLM, Dec 20, 2006