
I'm trying to build a system where access to certain resources (file shares) in Windows Server is limited not only by the username (in an Active Directory domain) but also by the client machine. So far, I haven't found a good way to do this; adding the computer account to the DACL is apparently not the way to do it.

Windows Server 2012 supports this with Dynamic Access Control, but this method requires all clients to be Windows 8, it seems, with no way to use this with Windows 7 clients.

Is there a supported way to do this? (or alternatively, add support for device authorization with Windows 7).

Ori Shavit
    Are all the client machines Windows 7? – rahuL Nov 28 '12 at 22:38
  • Yes, except a few (for which I can make special arrangements) – Ori Shavit Nov 28 '12 at 22:41
  • I admit to not having to use this but here's what I found - it seems Dynamic Access Control [is backward compatible](http://social.technet.microsoft.com/Forums/en-IN/winserverDS/thread/2903b909-9ef4-4520-908a-a8bad7244f3e) at least in a Test Lab environment. Might also want to check out [here](http://technet.microsoft.com/en-us/library/hh831717) and http://blogs.technet.com/b/windowsserver/archive/2012/05/22/introduction-to-windows-server-2012-dynamic-access-control.aspx – rahuL Nov 28 '12 at 22:51
  • It's 'backward compatible' in the sense that old Windows versions didn't have device-based authorization. But when using device conditions on a share in Windows 2012, the Windows 7 client cannot access it. – Ori Shavit Nov 29 '12 at 23:34

1 Answer

There's no built-in functionality to specifically do what you want prior to dynamic access control (DAC). The best that you're going to get would be to dedicate a file server and use some type of firewall functionality to limit access to that server to "authorized" machines (and, even then, you're really relying on the machine having the correct network address).

I suppose another, still network-layer method, would be to configure a dedicated file server for access only via IPSEC and use computer certificates, deployed to the "authorized" machines, to key the IPSEC communication.

Microsoft's answer is DAC. Given that, you're not going to find a very clean solution outside of DAC.

Evan Anderson
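The two network-layer options in the answer above, written out as an added PowerShell example (this is not code from the original answer). It assumes a Windows Server 2012 or later file server with the NetSecurity module, an enterprise CA named "CN=Contoso Root CA, DC=contoso, DC=com" (a placeholder), and that computer certificates from that CA have been issued only to the authorized workstations. Clients need a matching connection security rule, which can be deployed by Group Policy; Windows 7 supports connection security rules with certificate authentication, so unlike DAC this works for the Windows 7 clients in the question.

```powershell
# Added example, not from the original answer. Run as an administrator on the
# dedicated file server. CA name, subnet and rule names below are assumptions.

# --- Option 1 (weakest): allow SMB only from listed addresses ---
# As the answer notes, this only proves the client holds an address, not that
# it is an authorized machine. Use this OR option 2, not both; an address-only
# Allow rule alongside option 2 is simply redundant.
$authorizedSubnet = "10.10.20.0/24"   # assumed range of the authorized machines
New-NetFirewallRule -DisplayName "SMB from authorized subnet only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $authorizedSubnet -Action Allow -Profile Domain

# --- Option 2: require IPsec keyed by a computer certificate ---
# Phase 1 authentication proposal: the peer must present a machine certificate
# chaining to the (assumed) internal root CA.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "CN=Contoso Root CA, DC=contoso, DC=com" -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "SMB computer-cert auth" `
    -Proposal $certProposal

# Connection security rule: inbound traffic to TCP 445 must be IPsec-secured
# with the certificate auth set above; unauthenticated SMB packets are dropped
# before any firewall Allow rule is consulted. The server only requests
# (does not require) security for its own outbound traffic.
New-NetIPsecRule -DisplayName "Require IPsec for SMB" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 `
    -Phase1AuthSet $authSet.Name -Profile Domain

# Firewall rule that passes SMB only when the connection was authenticated by
# IPsec. A client without a valid machine certificate never reaches the share,
# no matter which domain user is logged on to it.
New-NetFirewallRule -DisplayName "SMB over IPsec only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -Profile Domain

# Check: after a client connects, the main-mode SA records which peer identity
# (the certificate subject) the server accepted.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

The security of option 2 rests entirely on certificate issuance: the "authorized machines" are exactly the ones the CA has enrolled, so restrict the certificate template's enrollment permissions to that set of computer accounts and revoke certificates for machines that leave the set.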