I have been working on tightening some security pieces on the network, part of which is to secure remote desktop access, and remote administration access to user workstations.
In the past, I had sent another post with a form to send me your device MAC address.
I have been segregating group policies in Active Directory to only allow Remote Desktop connections from given IP ranges.
The short version:
Basically, anyone who doesn't have an administrative IP will lack access to a lot of administrative tasks on any servers/workstations.
The longer version:
The IP ranges that are 4 octets below the top one (i.e. for the DO, it would be 10.40.52.0/24) will be designated, on each school, as the administrative IP ranges. Other IP ranges will be limited in what they can do.
If I have your device MAC addresses, then I can make sure that they have a reservation within the administrative IP range in each school, so that you are able to perform your work and still make RDP connections, even if you're at a remote site.
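The post describes limiting Remote Desktop to the administrative IP ranges through Group Policy. As an added example (not from the original post or the district's own GPOs), the PowerShell below shows what that restriction looks like as a Windows Firewall rule on a single machine: the built-in, unscoped RDP allow rules are disabled and replaced with one whose remote-address scope is the administrative range. It assumes the NetSecurity module cmdlets (`Disable-NetFirewallRule`, `New-NetFirewallRule`, `Get-NetFirewallAddressFilter`); the only range shown is the 10.40.52.0/24 from the post, and any other entry in `$AdminRanges` is a placeholder to be replaced per school.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later).

# Administrative ranges allowed to reach RDP. 10.40.52.0/24 is the DO range named in
# the post; add one entry per school. (Constructed list, verify against your DHCP scopes.)
$AdminRanges = @('10.40.52.0/24')

function Set-RdpAdminOnlyRule {
    param([string[]]$RemoteAddress = $AdminRanges)

    # The built-in "Remote Desktop" rules allow 3389 from any address; turn them off
    # so the scoped rule below is the only inbound path.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # Replace any earlier copy of our rule so re-running the function is idempotent.
    Remove-NetFirewallRule -DisplayName 'RDP - administrative ranges only' -ErrorAction SilentlyContinue

    New-NetFirewallRule -DisplayName 'RDP - administrative ranges only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Domain | Out-Null
}

function Test-RdpRuleScope {
    # Returns the remote-address scope actually stored on the rule, so you can
    # confirm a workstation is not still answering RDP from arbitrary addresses.
    $rule = Get-NetFirewallRule -DisplayName 'RDP - administrative ranges only' -ErrorAction Stop
    (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress
}

Set-RdpAdminOnlyRule
Test-RdpRuleScope   # should list only the administrative ranges
```

The same `New-NetFirewallRule` parameters can be written into a Group Policy object instead of the local store by adding `-PolicyStore` with the GPO's `domain\GPOName` identifier, which is how the per-OU deployment described in the post would be carried out; the scope check afterwards is the useful part either way, because a workstation whose only RDP rule is the unscoped built-in one is exactly the case this change is meant to close.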
This brings up an important point when deploying new computers:
GPOs, by design, cannot be applied specifically to the built-in Active Directory "Computers" container. The only reason it was working in the past was that the GPO policies were targeting the root of the forest (on chino.k12.ca.us), and that is the only way a GPO can be applied to machines sitting in the "Computers" container.
I'm moving away from applying blanket policies at the root of the domain, to targeting more specific OUs, with more granular control over access.
This means that even if you do have the correct administrative IP on your workstation, if the computer you just deployed is still sitting in the built-in "Computers" container, it will not get the correct GPOs, and therefore you will not be able to administer it at all.
For this reason, I ask that, as part of your setup, whether you do it yourself or tell me or the helpdesk about it, you please make sure to move a machine newly joined to the domain into its corresponding OU.
In the CVUSD domain there are two main places:
chino.k12.ca.us/District Office/Computers/
and
chino.k12.ca.us/Schools/Computers/
In the Student and Student2 domains it's in:
student/student2.chino.k12.ca.us/Schools//Workstations
These are the only two places that will open up appropriate permissions. Anything outside of those will be pretty locked down and inaccessible.
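The step the post asks for, moving a newly joined machine out of the default "Computers" container into the correct OU and confirming it then picks up policy, can be done from a management workstation with the RSAT ActiveDirectory and GroupPolicy modules. The example below is added here and is not the district's own tooling: it lists machines still stranded in the default container, moves a named one to a target OU, and triggers a policy refresh. The distinguished names in `$TargetOUs` are my conversion of the two CVUSD paths from the post into DN form and should be checked with `Get-ADOrganizationalUnit` before use; the Student domains would need their own entries.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules and rights to move computer objects in the target OUs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# DN form of the paths listed in the post (constructed from them; verify in your domain).
$TargetOUs = @{
    DistrictOffice = 'OU=Computers,OU=District Office,DC=chino,DC=k12,DC=ca,DC=us'
    Schools        = 'OU=Computers,OU=Schools,DC=chino,DC=k12,DC=ca,DC=us'
}

function Get-StrandedComputer {
    # Computers still in the default container (CN=Computers,...) receive only
    # domain-root-linked GPOs, so they will not get the OU-targeted access policies.
    $default = (Get-ADDomain).ComputersContainer
    Get-ADComputer -SearchBase $default -SearchScope OneLevel -Filter * |
        Select-Object Name, DistinguishedName, Enabled
}

function Move-ComputerToOU {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOU
    )
    $c = Get-ADComputer -Identity $ComputerName
    if ($c.DistinguishedName.EndsWith(",$TargetOU")) {
        Write-Host "$ComputerName is already in $TargetOU"
        return
    }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOU

    # Policy is re-read only on the next refresh; force it so the machine becomes
    # administrable now rather than up to 90 minutes later.
    Invoke-GPUpdate -Computer $ComputerName -Target Computer -Force
}

function Test-ComputerOU {
    # Quick check a newly deployed machine is where the post says it must be.
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $TargetOUs.Values | Where-Object { $dn.EndsWith(",$_") }
}

# Usage (replace NEW-PC-01 with the machine you just joined):
Get-StrandedComputer
Move-ComputerToOU -ComputerName 'NEW-PC-01' -TargetOU $TargetOUs.Schools
Test-ComputerOU -ComputerName 'NEW-PC-01'    # returns the matching OU DN, or nothing
```

On the workstation itself, `gpresult /r /scope:computer` shows which GPOs were actually applied after the move; if the OU-linked policies are absent there, the object is still in the wrong container or the refresh has not run yet.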
As part of the process, and as I close up some ports, some services may inadvertently stop functioning. Please let me know if you see any of those, and I can look at them, and create appropriate exceptions.
If you have any questions or concerns, please let me know.