limit access to share to a group from specific computer only?

Status
Not open for further replies.

wallst32

MIS
Apr 14, 2003
545
US
Let's say I have a terminal server called TSSRV and a file server called FSSRV. A group called APP1_USERS has the ability to login to TSSRV. From TSSRV, this group uses an application that maps to a share on FSSRV, we'll call it \\FSSRV\APP1_DATA, where they have modify access.

Now this group would also have the ability to access \\FSSRV\APP1_DATA from any computer they login to, not just TSSRV.

Is there any way to restrict members of APP1_USERS to accessing the share only when they are on TSSRV? It wouldn't be feasible to deny all computers in the domain access to the share. I can't just add TSSRV to the share ACL since other users/groups login to TSSRV and they should not have access to the \\FSSRV\APP1_DATA.

Thanks.

 
Nope. If you give someone access to a directory or file, then they'll always have access to that directory or file. The only exception would be if you somehow blocked certain PCs through routing/firewalling/etc.
 
I would think you could do this with a VB login script.

Pseudocode:

    if GroupObj = YourSpecialSecurityGroup and
       ComputerName = TSSRV then
        map this share
    end if

Ask markdmac, he is the vb expert, or ask this question in the vbscript forum.

RoadKi11
 
There are two different things here being discussed. Roadki11 is talking about mapping the drive only if they're coming from a specific PC. That's easy to do. But I understand the question to be how to limit access so that the files are only accessible when logged on through one of those specific PCs. While it's true that only mapping the drive from certain PCs will give the illusion that the files are not accessible unless they log on from a specific PC, those files would still be accessible from any other PC if the user chose to map the drive or browse the network for them. In that sense, they are not restricted at all.
 
kmcferrin - You understood the question correctly. The end users can still use the UNC path to the share from any computer (the part that I'd like to restrict if possible).
 
It sounds like you're going to want a multi-tiered network and application architecture. A lot of businesses are moving that direction these days. Here's an example of what I mean.

Your company has a financial application that is key to the company. It also has a lot of highly confidential data stored in it. You want your financial staff to be able to access the application and the data, but at the same time you want to restrict access to the data as much as possible. The most common approach in this situation is a 3-tiered solution. Your three application tiers are Presentation, Application, and Data.

The Data layer is easiest to understand. It is usually a database that the application connects to.

The Application layer is the application itself. It oftentimes resides on a dedicated application server.

The Presentation layer is how the end users see the application. It could be with an application client installed directly on their PC, or they may remote desktop/telnet/Citrix into an application server.

What many companies do to achieve your goal is to separate their network into zones that match these tiers. So you would have a Data zone, an Application zone, and a Presentation zone. The Presentation zone often includes users' PCs. At any rate, the zones are separated by firewalls, and the only traffic permitted through the firewalls is the bare minimum required for the application to function correctly.

In my example, there is a SQL Server in the Database zone that hosts the financial data. In the Application zone there is a terminal server that has the financial application client installed on it. The only port that is open between the App server and the DB server is 1433 TCP, which is what is used for SQL Server connections.

Then we have the Presentation zone, which is where the users' desktop PCs are located. The only port open between the Presentation zone and the Application zone is 3389 TCP, which is the port that Windows uses for Remote Desktop/Terminal Server connections.

One other thing to keep in mind is that the ports that are opened are only open between the specific hosts that would need them. So if there is another server in the Application zone, it wouldn't have access to the Financial DB server.

It would be relatively simple to put together a similar scheme for standard file access as well. Just put a file server in the Database zone that is only available from a terminal server that has your applications installed.
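The host-to-host, default-deny policy described in this post, as an added example that is not from the thread: Python that models which connections the zoned firewalls permit and lints the rule set for any rule that skips a tier. TSSRV, FSSRV and ports 1433/3389 come from the thread; the other host names, the zone assignments and 445/TCP for SMB file access are assumptions.

```python
"""Model of the zoned, host-to-host firewall policy described above.

Constructed example, not from the thread: hosts other than TSSRV/FSSRV, the
zone layout and 445/TCP for SMB are assumptions; 1433 and 3389 are from the post.
"""
from dataclasses import dataclass

TIERS = ("Presentation", "Application", "Data")

# Which zone each host sits in (APPSRV2, FINDB and the PCs are constructed).
ZONES = {
    "PC-ALICE": "Presentation",
    "PC-BOB": "Presentation",
    "TSSRV": "Application",     # terminal server with the app installed
    "APPSRV2": "Application",   # another server in the same zone
    "FINDB": "Data",            # SQL Server holding the financial data
    "FSSRV": "Data",            # file server hosting \\FSSRV\APP1_DATA
}

@dataclass(frozen=True)
class Rule:
    src: str    # exact source host
    dst: str    # exact destination host
    port: int   # TCP destination port

# Allow-list between specific hosts; anything not listed is denied.
RULES = (
    Rule("PC-ALICE", "TSSRV", 3389),  # RDP into the terminal server
    Rule("PC-BOB", "TSSRV", 3389),
    Rule("TSSRV", "FINDB", 1433),     # only TSSRV may reach SQL Server
    Rule("TSSRV", "FSSRV", 445),      # only TSSRV may reach the file share
)

def is_allowed(src, dst, port, rules=RULES):
    """Default deny: permit src -> dst:port only if an explicit rule matches."""
    return Rule(src, dst, port) in rules

def skips_a_tier(rule):
    """True if a rule bypasses the middle tier, e.g. a PC straight to Data."""
    return abs(TIERS.index(ZONES[rule.src]) - TIERS.index(ZONES[rule.dst])) > 1

def lint_rules(rules=RULES):
    """Return the rules that break the tiered design (should be empty)."""
    return [r for r in rules if skips_a_tier(r)]

if __name__ == "__main__":
    for src, dst, port in [("PC-ALICE", "FSSRV", 445), ("TSSRV", "FSSRV", 445)]:
        print(src, "->", f"{dst}:{port}", "ALLOW" if is_allowed(src, dst, port) else "DENY")
    print("tier violations:", lint_rules())
```

Run as a script it shows the UNC path from a user PC being denied while the same share is reachable from TSSRV, which is the restriction the original question asked for.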
 