STOP UNC Connections

[tomlin]

Is there anyway to stop valid domain users creating a unc conection to the server shares i.e "\\Domain\Shared" and loggin in, when on the XP logon screen they change "log on to" from domain to (this computer)

But still allow domain admins to create connections.

Windows Server 2003 R2 SP2

[plexer]

They shouldn't be able to logon to the local computer in the first place.

Ben

[localzuk]

I just want to get this clear in my head.

A user logs in to the local machine
They then try to connect to a server and enter valid domain credentials
You don't want them to be able to connect like this.

Is this correct? If so, then not really. The thing is, the user has permissions to connect to the domain. The ability to log in to UNC shares from non-domain accounts uses the same process as logging in to a domain (minus GPO's and that sorta thing). So the server doesn't actually see any difference.

The ways around this problem could include using firewalls on the client machines which disallow traffic on the SMB sharing ports for non-domain accounts (ie. 'Standard Profile' in the Windows firewall part of a GPO). Or to use a third party lock down tool to prevent this.

Or if the machines are external machines, a combination of the above with RADIUS authentication to prevent unauthorised computers connecting to the network. Or finally, a firewall on the servers which only allows access to resources to a list of legitimate computers (would only work with static IP's) - this would be a bodge job to get around needing a RADIUS server and could very easily be bypassed.

[mrforgetful]

Yeh they shouldn't be logging in locally at all.

But you could start my adding a $ to the end of all the shares which will hide them.

They'll still be accessible but the students will need to know it's there and type the exact path.

[sahmeepee]

You could set up local group policies to remove access to the features which allow unc connections to be made easily e.g. disable the run menu, disable typing paths directly into windows explorer address bar etc as you would with a domain group policy.

For admins you could put a net use script in your start menu or something.

It seems a long way round compared to just not giving them a local account though! Presumably there's a specific reason why they need a local login?

[tomlin]

SLT asked for local logon's on all admin workstations.

Have tried GPO computer configuration > administrative templates > network > network connections > windows firewall > standard profile >

137:TCP:localsubnet:disabled:SMB
138:TCP:localsubnet:disabled:SMB
139:TCP:localsubnet:disabled:SMB
445:TCP:localsubnet:disabled:SMB
137:UDP:localsubnet:disabled:SMB
138:UDP:localsubnet:disabled:SMB
139:UDP:localsubnet:disabled:SMB
445:UDP:localsubnet:disabled:SMB

While logged into the domain ran gpupdate /force then gpresult (GPO applied ok), logged out logged in locally but the firewall polices were not there

[sahmeepee]

Have you tried setting those as local group policies (i.e. start>run>gpedit.msc) rather than applying them to an OU. It's more of a pain, but might be necessary for local logons. With it being a computer policy I am a bit surprised.

Still a bit unsure what the local logons achieve, but presumably you can't get out of it!

[plexer]

You said SLT want local logins on all admin stations? so we aren't talking about kids using these machines then?

If it's staff why worry?

Ben

Try creating a domain login with an identical login and password to that of the local login.

I.e

Local login LocalUser pass LocalMachine

Create this on the domain too and remove it from domain users and add to domain guests.

Windows should by design try and authenticate with the credentials it already has been supplied with at the point of logon.

Not sure if it will prompt for an alternative login or just say access denied. hell you could try disabling the account too.

Its all educated theory never had to try it.