
I have Active Directory and several clients joined to the domain. Every user logs in to the computer with domain user and password credentials.

I need the users only to be able to log in to the specified computer and no other computer.
This computer is monitored.

If someone discovers the password (or a malicious worker who knows the password), he can add another computer with the same computer name, user and password, and the joining process will allow him to join the computer. He can cause a lot of problems before we discover that there has been an illegal login.

My application uses WCF (Windows Communication Foundation) and the service is hosted in IIS. It uses message authentication with Integrated Windows Authentication.

My question is how can I protect the application so that it can only be authenticated from the computer I want (a PC at work; it is not allowed to be used outside the workplace, and by workplace I mean several geographically distributed offices)?

Regards

darko petreski

1 Answer


It sounds like you want to restrict an AD user to only log in from a single computer?

Within the user properties in AD, on the account tab, you can bind that user to a specific computer account.

Kara Marfia
    Also, you can work around the problem of users being able to join new machines to the domain, by applying GPOs to the 'computers' OU in AD, and treating it as a jail. So set a GPO on that OU that says 'only domain admins can log into machines in here'. User joins machine then finds out they can't log into it anymore. – Chris Thorpe Oct 10 '10 at 06:52
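The account-tab "Log On To" binding from the answer above can be scripted and audited with the ActiveDirectory module; this is an added example, not code from the question or the answer. The user name, computer name and OU are placeholders, and the example assumes RSAT with the ActiveDirectory module is installed.

```powershell
# Added example: bind a domain user to one workstation via the
# LogonWorkstations ("Log On To") attribute, confirm it, then audit for
# enabled users in an OU that still have no restriction at all.
Import-Module ActiveDirectory

$UserName    = 'jdoe'           # placeholder user (constructed)
$Workstation = 'WS-OFFICE-01'   # placeholder NetBIOS computer name (constructed)
$Scope       = 'OU=Staff,DC=example,DC=com'   # placeholder OU (constructed)

# Check the computer account really exists first: a typo here would otherwise
# lock the user out of every machine instead of restricting them to one.
$computer = Get-ADComputer -Filter "Name -eq '$Workstation'"
if (-not $computer) {
    throw "Computer account '$Workstation' not found in the domain"
}

# Apply the restriction. The attribute is a comma-separated list of NetBIOS
# names, so several offices' machines can be listed for one user if needed.
Set-ADUser -Identity $UserName -LogonWorkstations $Workstation

# Read the attribute back to confirm what the DC will enforce.
Get-ADUser -Identity $UserName -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Audit: enabled users in the OU with no "Log On To" restriction.
# Review this list periodically; a new or reset account lands here by default.
Get-ADUser -SearchBase $Scope -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
    Select-Object SamAccountName, DistinguishedName
```

This attribute governs where the user account may log on; it does not change what the IIS-hosted WCF service itself accepts, so the GPO on the computers OU described in the comment is the complement that stops the user from logging on to a machine they joined themselves.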