  1. #1


    STOP UNC Connections

    Is there any way to stop valid domain users creating a UNC connection to the server shares, i.e. "\\Domain\Shared", and logging in, when on the XP logon screen they change "log on to" from domain to (this computer)?

    But still allow domain admins to create connections.

    Windows Server 2003 R2 SP2

  2. #2

    plexer

    Re: STOP UNC Connections

    They shouldn't be able to log on to the local computer in the first place.

    Ben

  3. #3

    localzuk

    Re: STOP UNC Connections

    I just want to get this clear in my head.

    A user logs in to the local machine
    They then try to connect to a server and enter valid domain credentials
    You don't want them to be able to connect like this.

    Is this correct? If so, then not really. The thing is, the user has permissions to connect to the domain. The ability to log in to UNC shares from non-domain accounts uses the same process as logging in to a domain (minus GPOs and that sorta thing). So the server doesn't actually see any difference.

    The ways around this problem could include using firewalls on the client machines which disallow traffic on the SMB sharing ports for non-domain accounts (i.e. 'Standard Profile' in the Windows firewall part of a GPO). Or to use a third party lock down tool to prevent this.

    Or if the machines are external machines, a combination of the above with RADIUS authentication to prevent unauthorised computers connecting to the network. Or finally, a firewall on the servers which only allows access to resources to a list of legitimate computers (would only work with static IPs) - this would be a bodge job to get around needing a RADIUS server and could very easily be bypassed.

  4. #4
    mrforgetful

    Re: STOP UNC Connections

    Yeah, they shouldn't be logging in locally at all.

    But you could start by adding a $ to the end of all the shares which will hide them.

    They'll still be accessible but the students will need to know it's there and type the exact path.

  5. #5
    sahmeepee

    Re: STOP UNC Connections

    You could set up local group policies to remove access to the features which allow UNC connections to be made easily, e.g. disable the run menu, disable typing paths directly into the Windows Explorer address bar etc., as you would with a domain group policy.

    For admins you could put a net use script in your start menu or something.

    It seems a long way round compared to just not giving them a local account though! Presumably there's a specific reason why they need a local login?

  6. #6


    Re: STOP UNC Connections

    SLT asked for local logons on all admin workstations.

    Have tried GPO computer configuration > administrative templates > network > network connections > windows firewall > standard profile >

    137:TCP:localsubnet:disabled:SMB
    138:TCP:localsubnet:disabled:SMB
    139:TCP:localsubnet:disabled:SMB
    445:TCP:localsubnet:disabled:SMB
    137:UDP:localsubnet:disabled:SMB
    138:UDP:localsubnet:disabled:SMB
    139:UDP:localsubnet:disabled:SMB
    445:UDP:localsubnet:disabled:SMB

    While logged into the domain, ran gpupdate /force then gpresult (GPO applied OK), logged out, logged in locally, but the firewall policies were not there.
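
    The eight entries in the post above use the `port:transport:scope:status:name` syntax of the Windows Firewall "Define port exceptions" policy setting, which describes inbound exceptions only. As an added example (not part of the thread; the class and function names are made up for illustration), this Python code parses such entries and separates the port/protocol pairs covered by the built-in File and Printer Sharing exception (UDP 137, UDP 138, TCP 139, TCP 445) from the rest:

```python
# Added example: lint Windows Firewall GPO port-exception strings.
from dataclasses import dataclass

# Inbound ports opened by the built-in "File and Printer Sharing" exception.
FILE_SHARING_PORTS = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")}

# The eight entries from post #6, rebuilt here so the example runs offline.
POSTED_ENTRIES = [
    f"{port}:{proto}:localsubnet:disabled:SMB"
    for proto in ("TCP", "UDP") for port in (137, 138, 139, 445)
]


@dataclass
class PortException:  # hypothetical name, for illustration only
    port: int
    transport: str
    scope: str
    enabled: bool
    name: str

    @property
    def is_file_sharing(self) -> bool:
        return (self.port, self.transport) in FILE_SHARING_PORTS


def parse_entry(text: str) -> PortException:
    """Parse one entry; raise ValueError on anything malformed."""
    parts = text.strip().split(":", 4)  # the name field may contain colons
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {text!r}")
    port_s, transport, scope, status, name = parts
    if not (port_s.isascii() and port_s.isdigit()) or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port: {port_s!r}")
    transport, status = transport.upper(), status.lower()
    if transport not in ("TCP", "UDP"):
        raise ValueError(f"bad transport: {transport!r}")
    if status not in ("enabled", "disabled"):
        raise ValueError(f"bad status: {status!r}")
    if not scope or not name:
        raise ValueError("scope and name must be non-empty")
    return PortException(int(port_s), transport, scope, status == "enabled", name)


def review(entries):
    """Return (file-sharing entries, other entries) after parsing all of them."""
    parsed = [parse_entry(e) for e in entries]
    return ([p for p in parsed if p.is_file_sharing],
            [p for p in parsed if not p.is_file_sharing])
```

    Running `review(POSTED_ENTRIES)` puts four of the posted entries in each group.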

  7. #7
    sahmeepee

    Re: STOP UNC Connections

    Have you tried setting those as local group policies (i.e. start>run>gpedit.msc) rather than applying them to an OU? It's more of a pain, but might be necessary for local logons. With it being a computer policy I am a bit surprised.

    Still a bit unsure what the local logons achieve, but presumably you can't get out of it!

  8. #8

    plexer

    Re: STOP UNC Connections

    You said SLT want local logins on all admin stations? So we aren't talking about kids using these machines then?

    If it's staff why worry?

    Ben

  9. #9
    AustenLowe
    Guest

    Re: STOP UNC Connections

    Try creating a domain login with an identical login and password to that of the local login.

    I.e.

    Local login LocalUser pass LocalMachine

    Create this on the domain too and remove it from domain users and add to domain guests.

    Windows should by design try and authenticate with the credentials it already has been supplied with at the point of logon.

    Not sure if it will prompt for an alternative login or just say access denied. Hell, you could try disabling the account too.

    It's all educated theory; never had to try it.
