Windows Server 2003: IP-Based Access

Kasyx

I'm currently trying to set up a fileserver at work running Windows Server 2003. The issue with this is that only certain people must be allowed to access it, and I know if I just use basic password-authentication, accounts will just be shared amongst the users who shouldn't have access (they're all college kids).

My thought in combatting this was to run a DHCP server that would assign certain IP addresses based on MAC addresses, thus the users who needed to have access would have a reserved IP for their MAC address. That way, I could have Windows Server 2003 (the fileserver) only allowing access to the shares to certain IPs (i.e. the ones I want to have access). My question is, what is the best way to implement this system on Server? I'm no MCSE (working on it), so I'm not completely clued up, but at the same time, my parents tell me I'm not an idiot (though they are the only ones...).

tl;dr version: How do I enable access to shares on Windows Server 2003 based on client IPs?
 
So each individual will have a PC assigned to them? Coz if more than one person uses that same PC it won't work either.
 
Each individual has their own laptop that connects via wireless to the network.
 
Use IPSec security policies. You're provided with 3 default policies; create your own, then add the IPs, and set the reservations on your DHCP server.

After doing this you're still left with users sharing passwords, which would at the end defeat all the security you've set up.

run\mmc add snap-in\ IP Security Policies
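
The same kind of policy can be built from the command line with `netsh ipsec static` on Windows Server 2003. This is an added example, not part of the original posts: the policy, filter list and filter action names are arbitrary labels, and 10.5.0.22 is the sample "allowed" address used elsewhere in this thread.

```bat
@echo off
rem Added example: IPsec filtering policy that permits SMB to this server
rem only from listed client addresses and blocks it from everyone else.
rem All names below are arbitrary labels chosen for this example.

set POLICY=Fileserver SMB allowlist
rem Space-separated list of client IPs that hold DHCP reservations.
set ALLOWED=10.5.0.22

rem Create the policy unassigned so nothing changes until the last step.
netsh ipsec static add policy name="%POLICY%" description="Permit SMB from listed IPs only" assign=no

rem Filter list 1: SMB (445) and NetBIOS session (139) from any source.
netsh ipsec static add filterlist name="SMB from any"
for %%P in (445 139) do (
  netsh ipsec static add filter filterlist="SMB from any" srcaddr=Any dstaddr=Me protocol=TCP dstport=%%P mirrored=yes
)

rem Filter list 2: the same ports, but only from the allowed clients.
netsh ipsec static add filterlist name="SMB from allowed"
for %%A in (%ALLOWED%) do (
  for %%P in (445 139) do (
    netsh ipsec static add filter filterlist="SMB from allowed" srcaddr=%%A dstaddr=Me protocol=TCP dstport=%%P mirrored=yes
  )
)

netsh ipsec static add filteraction name="SMB permit" action=permit
netsh ipsec static add filteraction name="SMB block" action=block

rem The filter with the more specific source address takes precedence,
rem so the per-client permit overrides the catch-all block.
netsh ipsec static add rule name="Block SMB from any" policy="%POLICY%" filterlist="SMB from any" filteraction="SMB block"
netsh ipsec static add rule name="Permit SMB from allowed" policy="%POLICY%" filterlist="SMB from allowed" filteraction="SMB permit"

rem Activate the policy and print it for review.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Run it from the server console rather than over a share or remote session that the new filters might cut off. The filters match on source address only, so share and NTFS permissions still decide what an allowed client can read.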
 
How do you mean the sharing of passwords will still defeat all the security set up, surely it makes no difference what password they use, provided they are using the right IP? i.e. if someone who was not using the right (or authorised) IP, they would not be able to get access to the server regardless of whether they have a password or not?
 
If users share their login details, IPSec will only allow the machines specified in the policy access to the file server based on IP and MAC address; basically anyone can, with the correct shared user login details, access the file server.
 
So if IP filtering can be completely bypassed if the person has the correct user name and password, why bring it up in the first place?
 
Correct, the users' behaviour needs changing; no policy can do that.
 
All I want to know is if it is possible to grant access to a server based solely on an IP address.

i.e. if your internal network address is 10.5.0.22 you have access, but if it is 10.5.0.12, you don't.
 
Plenty of ways:
Use certificates (Windows Certificate server)
Use Terminal services
Use NTFS permissions
Use GPO WMI filters
Distributed file systems
Encrypted filesystem
Why do you want to have it specific to IP addresses... that's too much work and effort if you're setting up a classroom?
 
I'm hunting the same problem as topicstarter Kasyx.

specific to IP addresses... that's too much work and effort if you're setting up a classroom?
I elaborate my case:
Some sort of search-crawler that has to go through Windows shares is not capable of logging in to protected ones. The next best thing to spending a week on adding this feature to its engine is to have the shares not require a login for a certain IP that the crawler runs from.

Maybe this site can be of any help : http://www.windowsecurity.com/
Couldn't find a solution there, maybe it's about terminology?
 
All I want to know is if it is possible to grant access to a server based solely on an IP address.

i.e. if your internal network address is 10.5.0.22 you have access, but if it is 10.5.0.12, you don't.


Try subnetting then!!

255.255.255.240 Mask
10.5.0.22 IP
10.5.0.16 Subnet
10.5.0.17 First usable IP
10.5.0.30 Last usable IP
10.5.0.31 Broadcast IP

Here you have 13 usable IPs which should narrow down your IP filtering.
 