
AD in factory environment


gmail2 (Programmer), Jun 15, 2005
We have a client with about 15 machines and a single server which acts as DC, file/print server etc. Up until now, all machines were in a secure office area, but now we need to put one machine on the factory floor which is obviously less secure than a traditional office environment.

The PC will only be used to terminal service to a server - so the PC itself will not really do any "work", therefore it can (or should !) be locked down pretty tightly.

The machine is not connected to the corporate network but is actually connected to a network specifically for "unsecure" machines (ie visitor machines).


Because of its insecure location, somebody has suggested that we don't join the machine to the domain but instead have the user log on locally because of security issues (i.e. opening various TCP ports to the server etc.). But AD has developed a lot in the past few years, so I'm not 100% convinced that this is the best solution.

Does anybody have any suggestions as to how we can lock down the PC so that a user can log on to authenticate but cannot do anything else apart from open the RDP client? Is it possible to open TCP ports for authentication to the server (and have GPOs apply) without allowing users to map drives/printers etc. to the same server?

Thanks in advance for any suggestions

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
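One way to get the "can log on, can only run the RDP client" lockdown the question asks for, as an added example that is not code from this thread. It writes the same registry values the Group Policy editor writes under User Configuration > Administrative Templates, so the identical values can be delivered by a domain GPO or applied by hand on a workgroup machine. The terminal server name, the kiosk account's profile folder and the .rdp file path are assumptions; the script runs elevated while the kiosk user is logged off (its hive must be free to load) and after that user has logged on at least once so a profile exists.

```powershell
# Added example, not code from the thread. Locks one Windows account into an
# "RDP client only" session by writing the registry values behind the
# "Custom User Interface" and Explorer drive-restriction policies into that
# user's hive. All names below are assumptions.
$TerminalServer = 'ts01.corp.example'       # assumption: the terminal server
$KioskProfile   = 'C:\Users\floor-kiosk'    # assumption: kiosk user's profile
$RdpFile        = 'C:\Kiosk\floor.rdp'      # assumption: fixed connection file
$HiveName       = 'KioskHive'

# 1. A fixed .rdp file with every redirection channel switched off. Even on
#    a domain-joined client the session then carries no local drives,
#    printers, clipboard or COM ports. Empty drivestoredirect means "none".
$rdp = @"
full address:s:$TerminalServer
drivestoredirect:s:
redirectprinters:i:0
redirectclipboard:i:0
redirectcomports:i:0
redirectsmartcards:i:0
audiomode:i:2
prompt for credentials:i:1
authentication level:i:2
"@
New-Item -ItemType Directory -Force -Path (Split-Path $RdpFile) | Out-Null
Set-Content -Path $RdpFile -Value $rdp -Encoding ASCII
# The kiosk user may read the file but not edit it (e.g. to re-enable drives).
icacls $RdpFile /inheritance:r /grant 'Administrators:F' /grant 'Users:R' | Out-Null

# 2. Load the kiosk user's hive and write the policy keys into it. The
#    Policies subtree is not writable by the user, so these cannot be undone
#    from inside the locked-down session.
reg load "HKU\$HiveName" "$KioskProfile\NTUSER.DAT" | Out-Null
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$pol = "HKU:\$HiveName\Software\Microsoft\Windows\CurrentVersion\Policies"

# "Custom User Interface": mstsc.exe replaces explorer.exe as the shell, so
# there is no desktop, Start menu or taskbar to get at anything else from.
New-Item -Path "$pol\System" -Force | Out-Null
Set-ItemProperty -Path "$pol\System" -Name Shell -Value "mstsc.exe `"$RdpFile`"" -Type String
Set-ItemProperty -Path "$pol\System" -Name DisableTaskMgr       -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\System" -Name DisableRegistryTools -Value 1 -Type DWord

# Hide and block all 26 drive letters in Explorer and common dialogs
# (bitmask, bit 0 = A:), remove the Run box and "Map Network Drive".
New-Item -Path "$pol\Explorer" -Force | Out-Null
Set-ItemProperty -Path "$pol\Explorer" -Name NoDrives               -Value 0x3FFFFFF -Type DWord
Set-ItemProperty -Path "$pol\Explorer" -Name NoViewOnDrive          -Value 0x3FFFFFF -Type DWord
Set-ItemProperty -Path "$pol\Explorer" -Name NoRun                  -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\Explorer" -Name NoNetConnectDisconnect -Value 1 -Type DWord

# 3. Release the hive so the kiosk user can log on again.
Remove-PSDrive -Name HKU
[GC]::Collect()
reg unload "HKU\$HiveName" | Out-Null
```

Two caveats a practitioner would check: NoDrives and NoViewOnDrive only govern Explorer and the common dialogs, so the shell replacement is what actually stops the user launching anything but mstsc (if the client is closed the session is simply empty and Ctrl+Alt+Del > Log off is the way out); and because the .rdp file is read by mstsc.exe from a fixed path rather than browsed to, hiding the C: drive does not break it. On the server side, the same user should additionally be denied at the share permissions, so that a policy bypass on the client still gains nothing.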
 
Since this PC is on a separate network you could create a VPN connection to the server and join it to the domain. By doing so you could create a GP for that user or machine to lock it down.
 
Thanks for the replies, guys. Yeah, I agree, I think the machine should be joined to the domain also, but I wondered if it was possible to allow authentication through without having to allow file sharing. But I see from this list you can't:
So I guess I'll just have to lock down the machine so that drives are inaccessible etc. Would you recommend installing SteadyState also?

I also understood that Server 2003 required certain ICMP packets through in order for Group Policy processing to work properly. But after googling it now, it seems that it's only used for slow link detection. Is that right?

I've decided as well that we should implement some MAC filtering on the firewall so that if anybody does decide to use the connection to plug in a "malicious" machine, they won't be able to do anything.

One final thing ... it strikes me that it seems a little pointless locking down the machine if the user will be able to RDP to a machine in a less secure area (the terminal server has been locked down somewhat, but not as tightly as this machine will be, for various different reasons). Does anybody think the same? Or am I just thinking about the whole thing too much?!

Thanks again

 
Sounds like you're overthinking this.

The best solution for this isn't a PC at all, but a "thin client", assuming that you only want to use it for RDP. With a thin client you've got no hard disk; it's effectively a dumb terminal, typically used for connecting to RDP or Citrix ICA sessions.

From there you open one port only, just one, from your thin client to your Terminal Server: TCP 3389 (RDP).
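The port list behind both designs discussed so far, the thin-client "one port only" approach in the post above and the domain-joined approach with its authentication and Group Policy traffic in the earlier post, as an added example that is not code from this thread. It is a host firewall script for the factory-floor PC (default deny, then only the listed pairs), and the same address/port pairs are what a perimeter firewall between the "unsecure" VLAN and the office network would carry. Addresses and the RPC range are assumptions; the NetSecurity cmdlets need Windows 8 / Server 2012 or later, so on the XP/2003-era machines in the thread the equivalent rules would be entered with netsh firewall instead.

```powershell
# Added example, not code from the thread. Host firewall for the kiosk PC.
# Run elevated:  .\kiosk-fw.ps1            (workgroup / thin-client design)
#                .\kiosk-fw.ps1 -DomainJoined
param([switch]$DomainJoined)

$TerminalServer   = '10.10.20.5'    # assumption: terminal server
$DomainController = '10.10.10.2'    # assumption: the single DC / file server
# Netlogon and other DC RPC calls land on a dynamic port after the endpoint
# mapper (135). Assumed range for Server 2008+; Server 2003 used 1025-5000.
$RpcDynamic       = '49152-65535'

function Add-KioskRule {
    param([string]$Name, [string]$Proto, [string]$Port, [string]$Remote)
    New-NetFirewallRule -DisplayName "Kiosk: $Name" -Direction Outbound -Action Allow `
        -Protocol $Proto -RemotePort $Port -RemoteAddress $Remote -Profile Any | Out-Null
}

# Idempotent: drop rules from a previous run before re-creating them.
Get-NetFirewallRule -DisplayName 'Kiosk:*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Default deny in both directions. Anything started on this box that is not
# listed below fails, and nothing on the factory VLAN can initiate to it.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Workgroup design: exactly one pair, RDP to the terminal server.
Add-KioskRule 'RDP to terminal server' TCP 3389 $TerminalServer

if ($DomainJoined) {
    # Domain design: Kerberos logon, LDAP, time sync and Group Policy download.
    # TCP 445 carries SYSVOL/NETLOGON and is the same SMB port file shares use,
    # which is why authentication and file sharing cannot be separated on the
    # wire and drive mapping has to be stopped by client policy instead.
    Add-KioskRule 'DNS'              UDP 53          $DomainController
    Add-KioskRule 'DNS (TCP)'        TCP 53          $DomainController
    Add-KioskRule 'Kerberos'         UDP 88          $DomainController
    Add-KioskRule 'Kerberos (TCP)'   TCP 88          $DomainController
    Add-KioskRule 'NTP'              UDP 123         $DomainController
    Add-KioskRule 'RPC endpoint map' TCP 135         $DomainController
    Add-KioskRule 'LDAP'             UDP 389         $DomainController
    Add-KioskRule 'LDAP (TCP)'       TCP 389         $DomainController
    Add-KioskRule 'SMB (SYSVOL)'     TCP 445         $DomainController
    Add-KioskRule 'Kerberos passwd'  TCP 464         $DomainController
    Add-KioskRule 'RPC dynamic'      TCP $RpcDynamic $DomainController
    # ICMP echo to the DC: only XP/2003-era Group Policy pings the DC for
    # slow-link detection; Vista and later use NLA and do not need this.
    New-NetFirewallRule -DisplayName 'Kiosk: ICMP echo to DC' -Direction Outbound `
        -Action Allow -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $DomainController `
        -Profile Any | Out-Null
}

Get-NetFirewallRule -DisplayName 'Kiosk:*' | Select-Object DisplayName, Enabled
```

Order matters if the rules are delivered by GPO rather than this script: the allow rules for the DC must exist before the profile defaults flip to block, or the machine can no longer reach the DC to pick up any later policy. The domain list is also the honest answer to the "authentication without file sharing" question in the thread: TCP 445 is needed for SYSVOL, so the separation has to happen at the client (no drive mapping, no Explorer) and at the share permissions on the server, not at the port level.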
 
Thanks for the reply Dublin

Yup, I agree ... but the customer didn't want to buy additional HW as this machine will hopefully be moved to a more secure area in the next year when the company move office. As they already had spare machines, this seemed like a good enough compromise. But my concern was more over whether it would be more secure to join the machine to the domain or leave it in a workgroup.

Thanks again

 
leave it in a workgroup.

Lock it down through the Windows "Local Security Settings" and away you go.
 
Thousand ways to skin this cat. Pick your poison and do it.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
gmail2,
True, you can lock it down in a workgroup, but on a domain there is more control. As for a thin client, HP makes an inexpensive one which I have used and works well.
 