
Welcome to ISAserver.org


Restrict network access of VPN users

Restrict network access of VPN users - 18.Jul.2005 12:54:00 PM   
SpencerSteel

 

Posts: 26
Joined: 3.Oct.2003
From: UK
Hello there.

I have a user that I want to allow in to the domain, but I really want to restrict his access to one server/share.

I guess this is really a Windows Security question, but someone here might be able to help.

This user 'GuestVPN' is part of a 'GuestVPNusers' group, and a RRAS policy is applied.

Ideally, I don't want this group to be able to browse the network at all ... at the moment they can ... and because of W2K 'Everyone/Read' default on shares, they can poke around.

Perhaps I'm being lazy - but the thought of explicit deny on every share seems a bit like a hassle ...

I just wondered if anyone had a clever way of stopping network browsing whilst allowing access to *only* SERVER/MyShare

Thanks for listening,

S.S.
Post #: 1
RE: Restrict network access of VPN users - 18.Jul.2005 3:16:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Just to be clear, there are really 3 types of authenticated clients in ISA 2004 - Web Proxy, Firewall Clients and VPN Clients.

VPN Clients is kinda different in that when the user connects, ISA associates that client's IP address with the user account (through the vpnplgn.dll component) so that you can create rules with a Source of VPN Clients / Destination of %Server% / User : VPNGuest and ISA will know that the user is coming from that IP - this applies to all protocols - SMB, FTP, POP, all without needing to use the Firewall Client.

Now, you can't restrict the shares that the user can navigate on that specific server, but the new Access based Enumeration available on Win2003 SP1 is a pretty handy feature to limit their view of the shares on that server. Novell has had this for years and MS finally listened to everyone complain and they released this recently with SP1.

Link - Windows Server 2003 Access-based Enumeration.

Since you're using Win2000, you're out of luck but this is one nice feature for when/if you decide to upgrade your file server to Win2003.

[ July 18, 2005, 03:17 PM: Message edited by: ClintD ]

(in reply to SpencerSteel)
Post #: 2
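
An added example, not part of the original posts: a share audit for the file-server side of the problem discussed above (default Everyone/Read share permissions, and whether Access-based Enumeration is on). It assumes a current Windows Server (2012 or later) with the SmbShare module, run elevated on the file server; the list of "broad" principals and the share name `MyShare` in the final comment are illustrative.

```powershell
# Added example: list SMB shares that grant access to broad principals
# and report whether Access-based Enumeration (ABE) is enabled on each.
# Assumption: Windows Server 2012+ (SmbShare module), elevated session.
# Note: this inspects share-level permissions only, not NTFS ACLs.

# Principals treated as "broad" for this audit (assumption, adjust to taste).
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$report = foreach ($share in Get-SmbShare -Special $false) {
    # Allow entries on this share that name one of the broad principals.
    $grants = Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $broad
        }

    [pscustomobject]@{
        Share       = $share.Name
        Path        = $share.Path
        AbeEnabled  = ($share.FolderEnumerationMode -eq 'AccessBased')
        BroadGrants = ($grants |
            ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
    }
}

# Show only the shares that need attention: a broad grant, or ABE off.
$report |
    Where-Object { $_.BroadGrants -or -not $_.AbeEnabled } |
    Sort-Object Share |
    Format-Table -AutoSize

# Remediation for a single share (illustrative name 'MyShare'):
#   Set-SmbShare -Name 'MyShare' -FolderEnumerationMode AccessBased -Force
#   Revoke-SmbShareAccess -Name 'MyShare' -AccountName 'Everyone' -Force
#   Grant-SmbShareAccess  -Name 'MyShare' -AccountName 'DOMAIN\GuestVPNusers' -AccessRight Read -Force
```

Replacing the broad grant with a grant to the specific group avoids maintaining explicit deny entries on every share; the ISA access rule for VPN Clients still decides which server the user can reach at all.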
RE: Restrict network access of VPN users - 18.Jul.2005 3:54:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
quote:
but the new Access based Enumeration available on Win2003 SP1 is a pretty handy feature to limit their view of the shares on that server.
Great! Finally MS implemented this feature!

(in reply to SpencerSteel)
Post #: 3
