Restricting share permissions when using VPN only

Status
Not open for further replies.

GravyFace

Vendor
Apr 3, 2002
10
CA
I don't think this is possible with Windows PPTP VPN (Windows 2003 SBS) out of the box, but I figured I'd ask.

My client wants to restrict a particular user (Bob) from using an application when connected via VPN. When at the office, this user needs to have access, however. The application's client component looks for a particular mapped drive, so I was thinking I could lock down NTFS and/or share permissions for that particular user on that particular share.
Problem is, even with using a different user for VPN auth (i.e. bobvpn) and denying access to that share, it'll still pop up and ask the user for credentials and then they can just put in their normal domain credentials and have access.

I was also thinking of assigning that VPN user a static RAS IP but I can't lock down all SMB/CIFS traffic as there are other shares/mapped drives the user should be allowed to access.

Would ISA accomplish this? Anything else I'm overlooking? I don't mind saying "no it can't be done" but only if that truly is the case, or it would require a significant investment (small SOHO office) in more sophisticated hardware/software.

TIA
 
ShackDaddy: the problem is, when the VPN user tries to authenticate to that share, Windows will conveniently pop up the username/password modal window at which point the user can just put in their normal domain credentials and have access.
 
I wonder if setting logon hours on the main account would disallow file/share access, or whether it would only disallow real workstation logins.

Other than that, I can't think of a solution, except for maybe switching to an HTTPS VPN that has different authentication options.

Dave Shackelford
Shackelford Consulting
 
I'm not sure if SBS 2003 comes with SSL VPN as an option. There's got to be a way to script against the GPO and test "If current session is RAS, then don't allow this".
 
GPOs only test group/OU membership. Even if you managed to create a separate IP subnet just for VPN user addresses, you'd still have a project on your hands limiting file access to a particular share based on originating subnet.

What would be nice is if a user coming in on a VPN would automatically be added to a particular group for the duration of the session, and permissions/ACLs could be set based on membership in that group. Such groups exist for connecting locally vs connecting over the network, but there isn't a special one for RAS connections, to my knowledge.

Dave Shackelford
Shackelford Consulting
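The thread leaves the question open: a deny on the share can be bypassed by typing the normal domain credentials into the prompt, and (as Dave notes) Windows has no built-in "connected via RAS" group to put in an ACL. What an administrator can do cheaply is check whether the deny is actually being bypassed. The following is an added example, not code posted in the thread or shipped with SBS 2003; it needs the SmbShare module (Windows Server 2012 or later, which postdates this thread). It assumes a static RAS address pool of 10.0.99.0/24, a share named AppShare and a restricted account named bob; all three are placeholder values to replace with the real ones.

```powershell
# Added example, not from the thread. Report files on a restricted share that are
# currently open by a given account from an address inside the VPN (RAS) pool.
# Placeholder values: 10.0.99.0/24, AppShare and bob are assumptions, not real settings.
param(
    [string]$VpnPool   = '10.0.99.0/24',   # assumed static RAS address pool
    [string]$ShareName = 'AppShare',       # assumed name of the share to watch
    [string]$User      = 'bob'             # assumed restricted sAMAccountName
)

# Convert a dotted-quad IPv4 address to a 32-bit integer so prefixes can be compared.
function ConvertTo-UInt32 ([string]$ip) {
    $bytes = ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()
    [Array]::Reverse($bytes)               # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when $ip lies inside the IPv4 CIDR block $cidr (e.g. 10.0.99.0/24).
function Test-InCidr ([string]$ip, [string]$cidr) {
    $net, $bits = $cidr -split '/'
    $bits = [int]$bits
    # Build the netmask with 64-bit arithmetic to avoid signed-overflow surprises.
    $mask = [uint32]((([uint64][uint32]::MaxValue) -shl (32 - $bits)) -band [uint32]::MaxValue)
    return ((ConvertTo-UInt32 $ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Get-SmbOpenFile reports local paths, so resolve the share to its folder first.
$sharePath = (Get-SmbShare -Name $ShareName).Path.TrimEnd('\') + '\*'

# Open files on that share, by the restricted user, from an address in the VPN pool.
# ClientComputerName is usually the client's IP; skip entries that are names or IPv6.
$hits = Get-SmbOpenFile | Where-Object {
    $_.Path -like $sharePath -and
    $_.ClientUserName -like "*\$User" -and
    $_.ClientComputerName -match '^\d{1,3}(\.\d{1,3}){3}$' -and
    (Test-InCidr $_.ClientComputerName $VpnPool)
}

if (-not $hits) {
    Write-Output "No open files on $ShareName by $User from $VpnPool."
}
foreach ($h in $hits) {
    Write-Warning ('{0} has {1} open from VPN address {2} (SMB session {3})' -f
        $h.ClientUserName, $h.Path, $h.ClientComputerName, $h.SessionId)
    # To enforce instead of only reporting, the session can be dropped here:
    # Close-SmbSession -SessionId $h.SessionId -Force
}
```

Run it on the file server on a schedule (or after the VPN user connects) to confirm whether Bob's normal credentials are being typed into the prompt over the VPN. It only detects; the credential prompt itself is still answered by the user, so the control the original poster wanted still depends on the VPN product restricting what the session can reach.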
 