From: Sam Mok on 1 Feb 2010 23:42

Hi VanguardLH,

My company just doesn't want the remote users to copy any files to their notebook or home PC from our server. But we can let them log in to our terminal server for job needs (such as checking our MRP system information, checking the company's inside mailbox, etc.).

How can we do this?

Thanks so much.
Sam Mok

"VanguardLH" <V(a)nguard.LH> wrote in message hk6b44$e43$1(a)news.albasani.net...
> Sam Mok wrote:
>
>> Hi Sir/Miss,
>>
>> I had just built up a VPN for my company with a Windows 2003 server.
>> But my company only wants the users who can connect to our VPN for just
>> remote desktop function.
>> We don't want the users to use our file server's resources.
>> I had tried to block by IP Filter function from the "Routing and remote
>> access" policies.
>> But after many tries, I also failed to do it.
>>
>> Can anybody help? Thanks so much.
>>
>> Sam Mok
>
> Why do you permit outsiders entry into your network as though they were
> located at work? Even if coming through a VPN, the outside hosts should be
> placed in a less-privileged zone. That zone dictates to which servers those
> hosts may connect, like to the Exchange server, the company "news" server
> (or where any company-wide info is retained), and perhaps to some other
> common company servers. The file servers of which you speak could not be
> reached from that outer-zone. Users that needed to access servers outside
> that zone's list would have to get permission and then allowed to connect to
> those inner-zone hosts.
>
> I have done domain administration but I have used VPN coming into my company
> which puts me in a security zone with less permissions than my workstation
> at my work desk. I can get at Exchange and other common web servers while
> in that throttled zone and to get to other hosts meant I had to get
> permission and get on some list of servers to add my host as having
> permission to connect to them. This is a security issue but I suspect you
> need to speak with a domain admin rather than a security expert regarding
> how to set up the security zone for those VPN connections coming from the
> outside.

From: Leythos on 2 Feb 2010 07:27

In article <D44E441E-82F4-4194-BD15-85BA502EC987(a)microsoft.com>, sam.mkh(a)gmail.com says...
>
> Hi Sir/Miss,
>
> I had just built up a VPN for my company with a Windows 2003 server.
> But my company only wants the users who can connect to our VPN for just
> remote desktop function.
> We don't want the users to use our file server's resources.
> I had tried to block by IP Filter function from the "Routing and remote
> access" policies.
> But after many tries, I also failed to do it.
>
> Can anybody help? Thanks so much.
>
> Sam Mok

Why not set up the VPN on the firewall that your company should have purchased? Then you can limit the VPN sessions to specific IP ranges inside the LAN as well as just RDP TCP 3389.

If your company doesn't have a firewall that acts as a VPN server then you should really consider getting a real firewall.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)

From: Anteaus on 4 Feb 2010 13:08

A VPN effectively makes the remote user part of your internal network. They then have whatever rights they would have if logged on to a computer in the office itself. You can, as mentioned, use firewall rules to restrict the ports available to VPN users.

Although, since you don't actually want remote users to be part of your LAN, VPN may not be the best solution for you. What you probably need here is secure tunneling of a single port or range of ports for terminal services, which could be achieved with utilities such as SSH or Zebedee.

There are GPL and commercial releases of SSH, and Zebedee is a similar and completely free client/server tunneling implementation.

"Leythos" wrote:

> In article <D44E441E-82F4-4194-BD15-85BA502EC987(a)microsoft.com>,
> sam.mkh(a)gmail.com says...
> >
> > Hi Sir/Miss,
> >
> > I had just built up a VPN for my company with a Windows 2003 server.
> > But my company only wants the users who can connect to our VPN for just
> > remote desktop function.
> > We don't want the users to use our file server's resources.
> > I had tried to block by IP Filter function from the "Routing and remote
> > access" policies.
> > But after many tries, I also failed to do it.
> >
> > Can anybody help? Thanks so much.
> >
> > Sam Mok
>
> Why not set up the VPN on the firewall that your company should have
> purchased? Then you can limit the VPN sessions to specific IP ranges
> inside the LAN as well as just RDP TCP 3389.
>
> If your company doesn't have a firewall that acts as a VPN server then
> you should really consider getting a real firewall.
>
> --
> You can't trust your best friends, your five senses, only the little
> voice inside you that most civilians don't even hear -- Listen to that.
> Trust yourself.
> spam999free(a)rrohio.com (remove 999 for proper email address)
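
The single-port tunnel suggested in the last post, sketched as an OpenSSH server configuration for a gateway host. This is an added example, not part of the original thread; the group name rdp-tunnel, the terminal server address 10.0.0.5, the local port 13389 and the host name gateway.example.com are assumptions.

```sshd_config
# /etc/ssh/sshd_config fragment on the SSH gateway (constructed example).
# Accounts in the placeholder group "rdp-tunnel" can authenticate, but the
# only thing the session can do is forward to one host and one port.
Match Group rdp-tunnel
    # Allow client-initiated (-L) forwards only; remote (-R) forwards stay off.
    AllowTcpForwarding local
    # The single permitted destination: the terminal server, RDP TCP 3389.
    # A forward to any other address or port (file server SMB, for example)
    # is refused by sshd.
    PermitOpen 10.0.0.5:3389
    # No interactive shell, no file transfer subsystem, no other channels.
    PermitTTY no
    ForceCommand /bin/false
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no

# Client side, for reference (placeholder user and host):
#   ssh -N -L 13389:10.0.0.5:3389 user@gateway.example.com
# The remote desktop client then connects to localhost:13389.
```

Limiting the network path to TCP 3389, by tunnel or by firewall rule, does not stop files leaving through RDP drive or clipboard redirection; those are turned off in the terminal server's own settings.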