Machine and User credentials

Subject Author Date
Machine and User credentials Jacob Killian 10-09-2006
Posted by Jacob Killian on October 9, 2006, 5:10 pm
Hi.

Is it possible, using Windows XP Pro security mechanisms, to
authenticate access to a shared folder using BOTH machine and user
credentials?

i.e., userX can only log in from machineX, not machineY. userY can only
log in from machineY or machineX, but not from any other machine.

If so, how?

If not, why not? Any suggestions for how I could accomplish similar goals?

Thank you much,

Jacob Killian

Posted by Roger Abell [MVP] on October 9, 2006, 5:46 pm
No. Access to a share is made in the security context of the
account making the access. What you can do is control what
machines can communicate with the serving machine (without
regard to user at the time), and then of course use normal
permissions for the user access. That however cannot address
the scenario you outline.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
> Hi.
>
> Is it possible, using Windows XP Pro security mechanisms, to authenticate
> access to a shared folder using BOTH machine and user credentials?
>
> i.e., userX can only log in from machineX, not machineY. userY can only
> log in from machineY or machineX, but not from any other machine.
>
> If so, how?
>
> If not, why not? Any suggestions for how I could accomplish similar
> goals?
>
> Thank you much,
>
> Jacob Killian



Posted by Jacob Killian on October 9, 2006, 5:57 pm
Roger,

Thank you for your prompt response. Unfortunately, in my situation, all
clients need access to the server; however, I wish to be able to have
more granular control over who, what, when, where than seems to be
available through XP.

Do you have any idea if Vista will offer more granular access control?

Thanks again,
Jacob

Roger Abell [MVP] wrote:
> No. Access to a share is made in the security context of the
> account making the access. What you can do is control what
> machines can communicate with the serving machine (without
> regard to user at the time), and then of course use normal
> permissions for the user access. That however cannot address
> the scenario you outline.
>

Posted by Roger Abell [MVP] on October 10, 2006, 3:21 am
> Roger,
>
> Thank you for your prompt response. Unfortunately, in my situation, all
> clients need access to the server; however, I wish to be able to have more
> granular control over who, what, when, where than seems to be available
> through XP.
>
> Do you have any idea if Vista will offer more granular access control?

I have seen no change toward allowing Windows to provide built-in
the type of access you are after. It is not an issue of being more granular
but of adopting an entirely different access control model. Access is gated
based on the credentials in use for the access, and the machine where a
domain principal is logged in is not part of the identity of those
credentials.
I have not looked in detail at how right management wares address this,
but I believe such are quite able to do what you outline.

Roger

> Roger Abell [MVP] wrote:
>> No. Access to a share is made in the security context of the
>> account making the access. What you can do is control what
>> machines can communicate with the serving machine (without
>> regard to user at the time), and then of course use normal
>> permissions for the user access. That however cannot address
>> the scenario you outline.
>>
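
An added example, not written by anyone in this thread: a small Python model of the two independent gates described in the replies above (a machine-level filter that ignores the user, then permissions that look only at the account). It searches every combination to show that no setting reproduces the requested policy. The names `machineZ` (standing for "any other machine"), `DESIRED` and all function names are assumptions made for the illustration.

```python
"""Constructed model: machine filter AND user permissions, evaluated independently."""
from itertools import product

# Names from the question's scenario; machineZ is a constructed "any other machine".
USERS = ["userX", "userY"]
MACHINES = ["machineX", "machineY", "machineZ"]

# The policy asked for in the first post, as (user, machine) pairs.
DESIRED = {("userX", "machineX"), ("userY", "machineX"), ("userY", "machineY")}

def two_gate_allows(user, machine, allowed_machines, allowed_users):
    # Gate 1: which machines may talk to the server, without regard to user.
    # Gate 2: permissions checked against the account's security context only.
    return machine in allowed_machines and user in allowed_users

def subsets(items):
    # Every subset of items, including the empty set and the full set.
    for mask in product([False, True], repeat=len(items)):
        yield frozenset(i for i, keep in zip(items, mask) if keep)

def best_two_gate_config():
    """Try every (machine list, user list) pair; return the fewest mismatches
    against DESIRED and the configurations that achieve that count."""
    results = []
    for am in subsets(MACHINES):
        for au in subsets(USERS):
            granted = {(u, m) for u in USERS for m in MACHINES
                       if two_gate_allows(u, m, am, au)}
            # Symmetric difference = wrongly granted plus wrongly denied pairs.
            results.append((len(granted ^ DESIRED), am, au, granted ^ DESIRED))
    fewest = min(r[0] for r in results)
    return fewest, [r for r in results if r[0] == fewest]

def pair_policy_allows(user, machine):
    # The different model the reply alludes to: the decision keys on the pair.
    return (user, machine) in DESIRED

if __name__ == "__main__":
    fewest, configs = best_two_gate_config()
    print("fewest mismatches any two-gate configuration achieves:", fewest)
    for _, am, au, wrong in configs:
        print(sorted(am), sorted(au), "mismatch:", sorted(wrong))
```

Every best configuration is off by exactly one pair: it either lets userX in from machineY or locks out a combination the poster wanted, because machineY has to stay reachable for userY.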


