Posts: 26
Joined: 3.Oct.2003
From: UK
Hello there.
I have a user that I want to allow in to the domain, but I really want to restrict his access to one server/share.
I guess this is really a Windows Security question, but someone here might be able to help.
This user 'GuestVPN' is part of a 'GuestVPNusers' group, and an RRAS policy is applied.
Ideally, I don't want this group to be able to browse the network at all ... at the moment they can ... and because of the W2K 'Everyone/Read' default on shares, they can poke around.
Perhaps I'm being lazy - but the thought of an explicit deny on every share seems a bit like a hassle ...
I just wondered if anyone had a clever way of stopping network browsing whilst allowing access to *only* SERVER/MyShare.
Just to be clear, there are really 3 types of authenticated clients in ISA 2004 - Web Proxy, Firewall Clients and VPN Clients.
VPN Clients is kinda different in that when the user connects, ISA associates that client's IP address with the user account (through the vpnplgn.dll component), so that you can create rules with a Source of VPN Clients / Destination of %Server% / User: VPNGuest and ISA will know that the user is coming from that IP. This applies to all protocols - SMB, FTP, POP - all without needing to use the Firewall Client.
Now, you can't restrict the shares that the user can navigate on that specific server, but the new Access-based Enumeration available on Win2003 SP1 is a pretty handy feature to limit their view of the shares on that server. Novell has had this for years, and MS finally listened to everyone complaining and released this recently with SP1.
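As an added example (not code from this thread), here is the share-side half of the reply's advice done with the SmbShare cmdlets that ship with Windows Server 2012 and later, rather than the Win2003 SP1 tooling: audit which shares still carry an Everyone ACE or list every folder regardless of permission, then lock one share down to the guest group and turn on access-based enumeration. The domain name is an assumption; the share and group names come from the question.

```powershell
# Added example, not from the thread. Requires the SmbShare module (Windows
# Server 2012 or later) and a PowerShell session running as a local administrator.
$ShareName    = 'MyShare'
$AllowedGroup = 'CONTOSO\GuestVPNusers'   # assumed domain name; replace with yours

# Report non-administrative shares that either still grant Everyone an Allow ACE
# or list all folders to every user (FolderEnumerationMode = Unrestricted).
function Get-OverExposedShares {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        $everyone = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($everyone -or $share.FolderEnumerationMode -eq 'Unrestricted') {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                EveryoneACE = [bool]$everyone
                Enumeration = $share.FolderEnumerationMode
            }
        }
    }
}

# Restrict one share to the guest group: remove the Everyone ACE, grant Read to the
# group only, and enable access-based enumeration so that folders inside the share
# the group has no NTFS read right on are not even listed to its members.
function Restrict-ShareToGroup {
    param([string]$Name, [string]$Group)
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force
    Grant-SmbShareAccess  -Name $Name -AccountName $Group -AccessRight Read -Force
    Set-SmbShare          -Name $Name -FolderEnumerationMode AccessBased -Force
    Get-SmbShareAccess    -Name $Name   # show the resulting share-level ACL
}

Get-OverExposedShares | Format-Table -AutoSize
Restrict-ShareToGroup -Name $ShareName -Group $AllowedGroup
```

Share permissions only gate the share itself; the NTFS ACL on the folder still has to exclude the group from anything it should not read, which is also what access-based enumeration uses to decide what to hide.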