Prev: Vista user folder - Access denied when trying to access as externa
Next: Default profile by Workstation
From: Sam Mok on 31 Jan 2010 20:39
Hi Sir/Miss,

I had just build up a VPN for my company with a windows 2003 server.
But my company only want the users who can connect to our VPN for just
remote desktop function.
We don't want the users to use our file server's resources.
I had tried to block by IP Filter function from the "Routing and remote
access" policies.
But after many tires, I also failed to do it.

Anybody can in help? Thanks so much.

Sam Mok
From: Shenan Stanley on 31 Jan 2010 20:53
Sam Mok wrote:
> I had just build up a VPN for my company with a windows 2003 server.
> But my company only want the users who can connect to our VPN for just
> remote desktop function.
> We don't want the users to use our file server's resources.
> I had tried to block by IP Filter function from the "Routing and remote
> access" policies.
> But after many tires, I also failed to do it.
>
> Anybody can in help? Thanks so much.

Just to verify - you do know that if they can map drives on their remote
desktop - then through that they can copy files to their local computers
too - right? No need to map the drives directly (from their laptop/home
PC/remote location.) Remote Desktop can let their local resources pass
through.

So can you define what it is you are trying to prevent? Is it that ability?
Is it mapping the drive shares directly? Something else?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


From: Sam Mok on 31 Jan 2010 23:32
Hi Shenan Stanley,

Thanks for your helps, my company just don't want the users to copy any
files from our server. But we can let the remote users to login our terminal
server.
How can I do? Thanks so much.

Sam Mok




"Shenan Stanley" <newshelper(a)gmail.com> �b�l��i�K���e�D��
O9ufbFuoKHA.5700(a)TK2MSFTNGP04.phx.gbl �����g...
> Sam Mok wrote:
>> I had just build up a VPN for my company with a windows 2003 server.
>> But my company only want the users who can connect to our VPN for just
>> remote desktop function.
>> We don't want the users to use our file server's resources.
>> I had tried to block by IP Filter function from the "Routing and remote
>> access" policies.
>> But after many tires, I also failed to do it.
>>
>> Anybody can in help? Thanks so much.
>
> Just to verify - you do know that if they can map drives on their remote
> desktop - then through that they can copy files to their local computers
> too - right? No need to map the drives directly (from their laptop/home
> PC/remote location.) Remote Desktop can let their local resources pass
> through.
>
> So can you define what it is you are trying to prevent? Is it that
> ability? Is it mapping the drive shares directly? Something else?
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
From: Sam Mok on 1 Feb 2010 00:38
Hi Shenan Stanley,

My company just don't want the remote users to copy any files to their
notebook or home pc from our server. But we can let them to login our
terminal server for jobs need.
How can we do? Thanks so much.

Sam Mok


"Sam Mok" <sam.mkh(a)gmail.com> �b�l��i�K���e�D��
D61F60FF-BB89-431B-9841-CDBF932D506D(a)microsoft.com �����g...
> Hi Shenan Stanley,
>
> Thanks for your helps, my company just don't want the users to copy any
> files from our server. But we can let the remote users to login our
> terminal server.
> How can I do? Thanks so much.
>
> Sam Mok
>
>
>
>
> "Shenan Stanley" <newshelper(a)gmail.com> �b�l��i�K���e�D��
> O9ufbFuoKHA.5700(a)TK2MSFTNGP04.phx.gbl �����g...
>> Sam Mok wrote:
>>> I had just build up a VPN for my company with a windows 2003 server.
>>> But my company only want the users who can connect to our VPN for just
>>> remote desktop function.
>>> We don't want the users to use our file server's resources.
>>> I had tried to block by IP Filter function from the "Routing and remote
>>> access" policies.
>>> But after many tires, I also failed to do it.
>>>
>>> Anybody can in help? Thanks so much.
>>
>> Just to verify - you do know that if they can map drives on their remote
>> desktop - then through that they can copy files to their local computers
>> too - right? No need to map the drives directly (from their laptop/home
>> PC/remote location.) Remote Desktop can let their local resources pass
>> through.
>>
>> So can you define what it is you are trying to prevent? Is it that
>> ability? Is it mapping the drive shares directly? Something else?
>>
>> --
>> Shenan Stanley
>> MS-MVP
>> --
>> How To Ask Questions The Smart Way
>> http://www.catb.org/~esr/faqs/smart-questions.html
>>
From: VanguardLH on 1 Feb 2010 05:41
Sam Mok wrote:

> Hi Sir/Miss,
>
> I had just build up a VPN for my company with a windows 2003 server.
> But my company only want the users who can connect to our VPN for just
> remote desktop function.
> We don't want the users to use our file server's resources.
> I had tried to block by IP Filter function from the "Routing and remote
> access" policies.
> But after many tires, I also failed to do it.
>
> Anybody can in help? Thanks so much.
>
> Sam Mok

Why do you permit outsiders entry into your network as though they were
located at work? Even if coming through a VPN, the outside hosts should be
placed in a less-privileged zone. That zone dictates to which servers those
hosts may connect, like to the Exchange server, the company "news" server
(or where any company-wide info is retained), and perhaps to some other
common company servers. The file servers of which you speak could not be
reached from that outer-zone. Users that needed to access servers outside
that zone's list would have to get permission and then allowed to connect to
those inner-zone hosts.

I have done domain administration but I have used VPN coming into my company
which puts me in a security zone will less permissions that my workstation
at my work desk. I can get at Exchange and other common web servers while
in that throttled zone and to get to other hosts meant I had to get
permission and get on some list of servers to add my host as having
permission to connect to them. This is a security issue but I suspect you
need to speak with a domain admin rather than a security expert regarding
how to setup the security zone for those VPN connections coming from the
outside.
 |  Next  |  Last
Pages: 1 2
Prev: Vista user folder - Access denied when trying to access as externa
Next: Default profile by Workstation