Denis Crotty (Guest)
Posted: Tue Jan 18, 2005 8:46 am
Post subject: VPN restricted viewing

Hello,
I am trying to set up a VPN for a developer and would like to restrict the
machines that they see on the network. We are running Server 2003; can we do
this with the CMAK wizard? If so, could you please give a brief overview or
point me to a good reference?
Thank you,
Denis Crotty

Todd J Heron (Guest)
Posted: Tue Jan 18, 2005 10:05 pm
Post subject: Re: VPN restricted viewing

Perhaps setting up a static route for them on their VPN connection will do
the trick.
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

Phillip Windell (Guest)
Posted: Tue Jan 18, 2005 10:49 pm
Post subject: Re: VPN restricted viewing

"Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
news:A6374A7A-828F-44EE-987A-8AA57B969BB5@microsoft.com...
> I am trying to set up a VPN for a developer and would like to restrict the
> machines that they see on the network. We are running Server 2003, can we
> do this with the CMAK wizard?

Define "see".
Resource access requires user accounts and passwords. He cannot access what
his account isn't given permission to access. It doesn't matter what his
machine can "see" at the Layer 3 & 4 level unless you have resources that
can be accessed by "anonymous" or by "Everyone", although those two are not
the same thing.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Denis Crotty (Guest)
Posted: Tue Jan 18, 2005 10:53 pm
Post subject: Re: VPN restricted viewing

Hi Todd,
I'm not too sure of how to go about setting up a static route on their VPN
connection. The direction I was looking into was IP packet filtering so that
any packets from the source computer would only get to the computer I want
them to "see". But that sounds like the same concept as static routing to me.
Denis

"Todd J Heron" wrote:
> Perhaps setting up a static route for them on their VPN connection will do
> the trick.
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights

Denis Crotty (Guest)
Posted: Tue Jan 18, 2005 11:01 pm
Post subject: Re: VPN restricted viewing

Hi Phillip, thank you for the reply.
I realize that they should not be able to access what they do not have
permission to access, but we have some shares on the network that are
completely open and we would prefer that the user only be able to find the
computers on the network that we specifically allow them to. Do you have any
suggestions to help us accomplish this?
Denis

"Phillip Windell" wrote:
> "Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
> news:A6374A7A-828F-44EE-987A-8AA57B969BB5@microsoft.com...
>> I am trying to set up a VPN for a developer and would like to restrict the
>> machines that they see on the network. We are running Server 2003, can we
>> do this with the CMAK wizard?
> Define "see".
> Resource access requires user accounts and passwords. He cannot access what
> his account isn't given permission to access. It doesn't matter what his
> machine can "see" at the Layer 3 & 4 level unless you have resources that
> can be accessed by "anonymous" or by "Everyone", although those two are not
> the same thing.
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com

Phillip Windell (Guest)
Posted: Tue Jan 18, 2005 11:48 pm
Post subject: Re: VPN restricted viewing

"Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
news:050B9988-BD24-4501-90DE-276F0BF2768B@microsoft.com...
> Hi Phillip, thank you for the reply.
> I realize that they should not be able to access what they do not have
> permission to access, but we have some shares on the network that are
> completely open and we would prefer that the user only be able to find the
> computers on the network that we specifically allow them to. Do you have
> any suggestions to help us accomplish this?

Yes.
Don't have shares like that. The problem is not that you have a VPN user,
the problem is that you have shares that are so unrestricted. Base your
security on who people are, not by what technology they connect by.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Phillip Windell (Guest)
Posted: Tue Jan 18, 2005 11:56 pm
Post subject: Re: VPN restricted viewing

"Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
news:ED5B350C-0658-4DD6-9A7C-6017ED11AF3F@microsoft.com...
> Hi Todd,
> I'm not too sure of how to go about setting up a static route on their VPN
> connection. The direction I was looking into was IP packet filtering so
> that any packets from the source computer would only get to the computer I
> want them to "see". But that sounds like the same concept as static routing
> to me.

That would be Packet Filtering,...although it would be running on top of
Layer 3 Routing. VPN users would need to be in their own subnet. The routing
device between their subnet and the rest of the LAN would have ACLs
configured on it to create the restrictions. It can be done, but is a lot of
work, and probably a period of trial and error.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Denis Crotty (Guest)
Posted: Wed Jan 19, 2005 12:03 am
Post subject: Re: VPN restricted viewing

Hi Phillip,
Unfortunately that is not a solution for us. As you probably know, sometimes
business needs override security needs. As this is not possible, do you have
any suggestions to accomplish what we are trying to accomplish?
Denis

"Phillip Windell" wrote:
> "Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
> news:050B9988-BD24-4501-90DE-276F0BF2768B@microsoft.com...
>> Hi Phillip, thank you for the reply.
>> I realize that they should not be able to access what they do not have
>> permission to access, but we have some shares on the network that are
>> completely open and we would prefer that the user only be able to find the
>> computers on the network that we specifically allow them to. Do you have
>> any suggestions to help us accomplish this?
> Yes.
> Don't have shares like that. The problem is not that you have a VPN user,
> the problem is that you have shares that are so unrestricted. Base your
> security on who people are, not by what technology they connect by.
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com

Denis Crotty (Guest)
Posted: Wed Jan 19, 2005 12:09 am
Post subject: Re: VPN restricted viewing

Here is an example from Windows on what we think is needed:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_us20.asp
Denis

"Phillip Windell" wrote:
> "Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
> news:050B9988-BD24-4501-90DE-276F0BF2768B@microsoft.com...
>> Hi Phillip, thank you for the reply.
>> I realize that they should not be able to access what they do not have
>> permission to access, but we have some shares on the network that are
>> completely open and we would prefer that the user only be able to find the
>> computers on the network that we specifically allow them to. Do you have
>> any suggestions to help us accomplish this?
> Yes.
> Don't have shares like that. The problem is not that you have a VPN user,
> the problem is that you have shares that are so unrestricted. Base your
> security on who people are, not by what technology they connect by.
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com

Phillip Windell (Guest)
Posted: Wed Jan 19, 2005 1:00 am
Post subject: Re: VPN restricted viewing

"Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
news:C33FAC93-0D53-474D-A0FC-E08D309ACF58@microsoft.com...
> Hi Phillip,
> Unfortunately that is not a solution for us. As you probably know,
> sometimes business needs override security needs.

That may be so,...but I don't think this is one of them. This is quite
simply way, way too easy to fix to accept that as being the condition.

All you have to do is make those shares available to Domain Users (not the
Everyone Group), which is going to be everybody anyway,...then create a user
account to use for the VPN,...create a Group called VPN Users,...add the
user to that Group,...set the Group as the user's "default group" and then
remove them from the Domain Users group. Now all the Domain Users have
access to the shares except for the VPN User, because he is only in the VPN
Users Group, which doesn't have permission.

If that isn't good enough, then create the VPN User and VPN Group the same
way but actually *include* the VPN Group in the permissions to the shares
but set the permission to Denied. Denied always overrides everything else,
so everyone would have access to the share except for Users who are members
of the VPN Group.

This isn't that difficult,...MS has had years to develop the flexibility in
their NTFS permissions system and they aren't going to be that
short-sighted.

> As this is not possible, do you have
> any suggestions to accomplish what we are trying to accomplish?

I haven't had time to look at the link you gave in the other post yet. But
in another post I commented on a possible solution offered by Todd. However,
I think it is much more difficult to make a reality than correcting this
very simple issue that I stated above.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Denis Crotty (Guest)
Posted: Wed Jan 19, 2005 1:07 am
Post subject: Re: VPN restricted viewing

Hi Phillip,
We are not using a domain.
Denis

"Phillip Windell" wrote:
> "Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
> news:C33FAC93-0D53-474D-A0FC-E08D309ACF58@microsoft.com...
>> Hi Phillip,
>> Unfortunately that is not a solution for us. As you probably know,
>> sometimes business needs override security needs.
> That may be so,...but I don't think this is one of them. This is quite
> simply way, way too easy to fix to accept that as being the condition.
> All you have to do is make those shares available to Domain Users (not the
> Everyone Group), which is going to be everybody anyway,...then create a user
> account to use for the VPN,...create a Group called VPN Users,...add the
> user to that Group,...set the Group as the user's "default group" and then
> remove them from the Domain Users group. Now all the Domain Users have
> access to the shares except for the VPN User, because he is only in the VPN
> Users Group, which doesn't have permission.
> If that isn't good enough, then create the VPN User and VPN Group the same
> way but actually *include* the VPN Group in the permissions to the shares
> but set the permission to Denied. Denied always overrides everything else,
> so everyone would have access to the share except for Users who are members
> of the VPN Group.
> This isn't that difficult,...MS has had years to develop the flexibility in
> their NTFS permissions system and they aren't going to be that
> short-sighted.
>> As this is not possible, do you have
>> any suggestions to accomplish what we are trying to accomplish?
> I haven't had time to look at the link you gave in the other post yet. But
> in another post I commented on a possible solution offered by Todd. However,
> I think it is much more difficult to make a reality than correcting this
> very simple issue that I stated above.
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com

Phillip Windell (Guest)
Posted: Wed Jan 19, 2005 8:59 pm
Post subject: Re: VPN restricted viewing

"Denis Crotty" <DenisCrotty@discussions.microsoft.com> wrote in message
news:23998875-43F9-4735-878C-96EB89D3456D@microsoft.com...
> Hi Phillip,
> We are not using a domain.

Doesn't matter.
You just follow the same principle using the local Accounts and local Groups
on the Server holding the share.
BTW - it is more secure to run a Domain than not run a Domain. Since
security is the central issue here, that is something else you should
consider.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
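
Both of Phillip's suggestions earlier in the thread (grant the open shares to the ordinary users group instead of Everyone and keep the VPN account out of that group, or add an explicit Deny for a VPN group, since Deny is evaluated before Allow) and his last reply that the same principle works with local accounts and local groups on the share server can be scripted on the server. The following PowerShell is an added example written for this page, not code from the thread, from Microsoft, or from the linked documentation; it assumes a share folder at D:\OpenShare, a local account named vpndev, a local group named "VPN Users", and that it is run as a local Administrator on the workgroup server that holds the share (the net commands are standard on Server 2003; Get-Acl and Set-Acl need PowerShell installed).

```powershell
# Added example, not from the thread. Assumed values: share folder D:\OpenShare,
# local account 'vpndev', local group 'VPN Users'. Run as a local Administrator
# on the server holding the share.

$SharePath = 'D:\OpenShare'     # assumed folder behind the open share
$VpnUser   = 'vpndev'           # assumed local account used for the VPN logon
$VpnGroup  = 'VPN Users'        # assumed local group for VPN accounts

# 1. Create the local account and the local group, and add the account to it.
#    'net user ... *' prompts for the password instead of leaving it in the script.
net user $VpnUser * /add /comment:"Developer VPN account"
net localgroup "$VpnGroup" /add /comment:"Accounts that connect over the VPN"
net localgroup "$VpnGroup" $VpnUser /add

# 2. Take the account out of the built-in Users group, the workgroup counterpart
#    of 'Domain Users'. New local accounts are placed in Users by default.
net localgroup Users $VpnUser /delete

# 3. Rebuild the folder's NTFS ACL: remove the explicit 'Everyone' entries that
#    make the share wide open, allow BUILTIN\Users, and add an explicit Deny for
#    the VPN group. Windows evaluates explicit Deny entries before explicit Allow
#    entries, so the Deny wins even if the account is still reachable through
#    some other group membership.
$acl = Get-Acl -Path $SharePath
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -eq 'Everyone' -and -not $ace.IsInherited) {
        [void]$acl.RemoveAccessRule($ace)
    }
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$allowUsers = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', $inherit, $prop, 'Allow')
$denyVpn = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$VpnGroup", 'FullControl', $inherit, $prop, 'Deny')
$acl.AddAccessRule($allowUsers)
$acl.AddAccessRule($denyVpn)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Check the result: the Deny entry for the VPN group must be present and the
#    explicit Everyone entries must be gone.
(Get-Acl -Path $SharePath).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

Two points matter when applying this. First, on a default Windows installation the built-in Users group contains NT AUTHORITY\Authenticated Users as a member, so every account that authenticates, the VPN account included, is effectively a member of Users whether or not it is listed there directly; step 2 alone therefore does not reliably remove the access, which is why the script also adds the explicit Deny from Phillip's second suggestion. Second, share-level and NTFS permissions combine to the more restrictive of the two, so a Deny in the NTFS ACL holds even if the share itself is still published to Everyone; the Deny applies to every member of VPN Users, so administrative accounts must stay out of that group. On Server 2003 without PowerShell, cacls can be used to set and list the same NTFS entries.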