Access restriction after machine authentication

Darkmatter
Level 1

So we're doing machine and user authentication, which is working perfectly, but now I want to know which best practice regarding access restriction to implement after only machine authentication has taken place.

So the user has booted his PC but hasn't logged on yet.

Is there a best practice config for this?

Like allowing all traffic to domain controllers and ISE, but blocking the rest?

I don't see what's really necessary at the minimum to have all Windows services and stuff working, but of course, we don't want to give full access yet.

2 Replies

Hi,

It depends on each customer's environment, but normally I'd recommend restricting access using a DACL or TrustSec SGT to infrastructure systems such as Domain Controllers, DNS, AV, SCCM (or other mgmt system).

HTH

neil.woodhouse
Level 1

I don't think I've ever seen a best practice guide for this, but ideally you need to restrict access to what is required for a non-cached user to be able to log in (users that have logged in to a device before will, depending on GPO settings, have their AD credentials cached, so they won't need to access the domain to log in).

Unfortunately Microsoft doesn't make it easy to craft ACLs that are too explicit with regard to this, as the login process uses dynamically negotiated ports between client and server, so you have to allow pretty much everything between endpoint and domain controller. Therefore, to provide at least some security, I usually block ports for services I know I definitely don't want them to have access to (RDP) and then allow the rest.

Besides user login, I usually try to allow a machine to update its AV, etc.

If your company uses remote support tools it can be useful to permit these so support staff can connect to the machine remotely.
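As an added example, not taken from either reply, here is what an ISE downloadable ACL (dACL) for the machine-authenticated-only authorization profile could look like when the two suggestions above are combined: an explicit allow-list for the infrastructure systems named in the first reply (domain controllers, DNS, AV/SCCM, remote support), plus the second reply's "deny what you know you don't want, then allow the rest to the domain controllers" approach, with the dynamically negotiated RPC traffic covered by Windows' default dynamic port range (49152-65535) rather than a blanket permit. All addresses are made up for illustration, and the AV/SCCM and remote-support ports are assumptions that depend on how those tools are deployed; the Active Directory ports are the standard ones.

```ios
remark Added example dACL, applied by an ISE authorization rule that matches
remark machine-only authentication (e.g. identity beginning with host/).
remark Source is always "any": the switch substitutes the endpoint's own IP.
remark Assumed addresses: 10.0.0.0/24 = domain controllers (also DNS),
remark 10.0.1.10 = AV / SCCM management server, 10.0.1.20 = remote support server
remark --- DHCP, in case the endpoint is still acquiring or renewing a lease
permit udp any eq bootpc any eq bootps
remark --- Services we do not want a pre-logon machine to reach on the DCs
deny tcp any 10.0.0.0 0.0.0.255 eq 3389
remark --- DNS and NTP (Kerberos fails if the clock is more than 5 minutes off)
permit udp any 10.0.0.0 0.0.0.255 eq 53
permit tcp any 10.0.0.0 0.0.0.255 eq 53
permit udp any 10.0.0.0 0.0.0.255 eq 123
remark --- Kerberos (88), kpasswd (464), LDAP/LDAPS (389/636), Global Catalog (3268/3269)
permit tcp any 10.0.0.0 0.0.0.255 eq 88
permit udp any 10.0.0.0 0.0.0.255 eq 88
permit tcp any 10.0.0.0 0.0.0.255 eq 464
permit udp any 10.0.0.0 0.0.0.255 eq 464
permit tcp any 10.0.0.0 0.0.0.255 eq 389
permit udp any 10.0.0.0 0.0.0.255 eq 389
permit tcp any 10.0.0.0 0.0.0.255 eq 636
permit tcp any 10.0.0.0 0.0.0.255 range 3268 3269
remark --- SMB for SYSVOL/NETLOGON (Group Policy), RPC endpoint mapper and the
remark --- dynamically negotiated RPC ports (Windows default range 49152-65535)
permit tcp any 10.0.0.0 0.0.0.255 eq 445
permit tcp any 10.0.0.0 0.0.0.255 eq 135
permit tcp any 10.0.0.0 0.0.0.255 range 49152 65535
remark --- AV / SCCM agent check-in (assumed HTTPS management point, WSUS defaults)
permit tcp any host 10.0.1.10 eq 443
permit tcp any host 10.0.1.10 range 8530 8531
remark --- Remote support: endpoint-initiated agent traffic (assumed HTTPS), and
remark --- replies to an RDP session the support server opens towards the endpoint
permit tcp any host 10.0.1.20 eq 443
permit tcp any eq 3389 host 10.0.1.20
remark --- Everything else waits for user authentication and its own dACL
deny ip any any
```

Two things to check before relying on this. First, a dACL is stateless and is applied to traffic entering the switch port from the endpoint: sessions the endpoint opens work because only its outbound packets are filtered, but a connection that a support server opens towards the endpoint needs an entry for the endpoint's replies (the `permit tcp any eq 3389 host 10.0.1.20` line), otherwise the handshake never completes. Second, the switch can only substitute the endpoint's address into the `any` source if IP device tracking is enabled on the access port; without it the dACL is either rejected or applied with the wrong source, and authorization fails. If your domain has been configured with a narrower RPC port range, narrow the `range 49152 65535` entry to match.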