Windows security

We have third-party remote users who have their own Windows logon and password so they can pcAnywhere to our servers. Is there a way to restrict what they can access? I have, for example, logged onto our fileserver as them, and they are able to access Active Directory; this I want to be able to restrict.
Asked by: dcreedon
1 Solution
 
JammyPak commented:
What do you mean they are able to access Active Directory? In what way?

What they can access will be controlled by which user they are logging in as... I don't think it will be any different from a local user in that regard.
 
masirof commented:
OK,
In Active Directory you can create a group policy and apply that policy to the members you want.
If unsure how to do this, please ask.
 
dcreedon (Author) commented:
So through group policy, if they say try to open Active Directory Users and Computers, how can I block this?
 
masirof commented:
You can restrict all menus, desktop objects, and access to most things like Task Manager, shutdown, etc.
 
Phil_Agcaoili commented:
First off, this is a bad security practice -- external users using PCAnywhere to REMOTE CONTROL a system on your network... and probably over the Internet... You gave them the keys to the castle.

PCAnywhere is a remote control application.
Whoever that system is logged in as, THE EXTERNAL user will also have access, so regardless of your Active Directory group policies or whatever, they don't need any further credentials.

Can you move them towards IPSec VPN access to access this one resource?  At least you have better control over encryption and complete control over IP address assignment, access control, and authentication (both on the VPN-side and for network access).

What do they need to do on your network that requires PCAnywhere?
File share access?
Remote administrative access?
Complete network access?
Diagnostics?

This will help gauge the best set of solutions for remote access (not remote control, which is what you're doing).
 
JammyPak commented:
Ah, I see now: they're pcAnywhere'ing into your Domain Controller, which is logged in as Admin, and they're able to execute 'AD Users and Computers'?

If that's the case, I'm with Phil here... very bad idea. They could also delete users, destroy the server, demote the server, etc. No amount of Group Policy will save you there :)

Buy a VPN device, have the users access your office using that as a gateway, and log in as a regular user.
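Because, as JammyPak and Phil point out, no policy can contain a session that is already an administrator, the first thing to verify is that the vendor account holds no admin rights on the domain or on the server it remotes into. The following PowerShell check is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and PowerShell 5.1 or later on the server, and the account and server names are placeholders.

```powershell
# Added example: confirm a third-party account is not an administrator anywhere
# before relying on Group Policy restrictions. Names below are placeholders.
Import-Module ActiveDirectory   # RSAT; Get-LocalGroupMember needs PowerShell 5.1+ on the server

$vendorAccount = 'vendor.exchequer'   # placeholder sAMAccountName of the third-party login
$fileServer    = 'FILESERVER01'       # placeholder name of the server they remote into
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators')

$user     = Get-ADUser -Identity $vendorAccount
$userSid  = $user.SID.Value
$findings = @()

# Domain side: -Recursive expands nested groups, so membership via a sub-group is caught too
foreach ($g in $privilegedGroups) {
    $memberSids = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.SID.Value }
    if ($memberSids -contains $userSid) { $findings += "member of '$g' (directly or nested)" }
}

# Server side: local Administrators, either directly or through a domain group placed in it.
# SID/PrincipalSource come back deserialized, so they are compared as strings.
$localAdmins = Invoke-Command -ComputerName $fileServer -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators'
}
foreach ($entry in $localAdmins) {
    if ("$($entry.SID)" -eq $userSid) {
        $findings += "direct local Administrator on $fileServer"
    } elseif ("$($entry.ObjectClass)" -eq 'Group' -and "$($entry.PrincipalSource)" -eq 'ActiveDirectory') {
        $groupName  = $entry.Name.Split('\')[-1]
        $memberSids = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.SID.Value }
        if ($memberSids -contains $userSid) { $findings += "local Administrator on $fileServer via '$groupName'" }
    }
}

if ($findings) {
    Write-Warning "$vendorAccount has administrative rights; Group Policy restrictions will not contain it:"
    $findings | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Output "$vendorAccount holds no administrative membership on the domain or $fileServer."
}
```

Any finding here means the lockdown discussed later in the thread is cosmetic until that membership is removed.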
 
dcreedon (Author) commented:
OK, thanks.
 
masirof commented:
You can use Terminal Services, give them another logon rather than Administrator, and apply security policies.
 
dcreedon (Author) commented:
Remote users need to first authenticate on our internal firewall; they then can pcAnywhere to the server in question. So you're suggesting using Terminal Services instead to log on to the server? Would restricting the rule on the firewall to just the services the remote users need...? All they need to access is the application they support, for example a financial application called Exchequer and a document management program called Adest.
 
Phil_Agcaoili commented:
I'll ask again, since you seem to be open to remote control applications such as PCAnywhere and Terminal Server...

What do they need to do on your network that requires PCAnywhere or Terminal Server?
Remote administrative access?
Complete network access?
Diagnostics?
File share access?

This will help gauge the best set of solutions for remote access (not remote control, which is what you're doing).

Remote control, regardless of firewall access control and authentication, is typically a bad security design.

If you had them VPN in, then you know:
1. There is encryption
2. You forced them to authenticate with your perimeter authentication system
3. You can limit access to intranet devices based on VPN/Firewall rules
 
dcreedon (Author) commented:
They would need remote admin access just to resolve issues with their application.
 
masirof commented:
OK, no problem how they connect. The issue is how they log in to the server.
I assume they are Active Directory users, aren't they?

By using group policies, you can restrict them to use only the mentioned programs and nothing else.
If this recommendation fits you, I can help you further with settings.
 
dcreedon (Author) commented:
Yes, they are set up in Active Directory. Through group policy would be great, if I could restrict this way. I know that some 3rd parties need to use pcAnywhere, so Terminal Services won't do in that case. Appreciate your help.
 
JammyPak commented:
Do they have to pcAnywhere into the server directly? Esp. a server with all the AD tools installed?

How about having them remote into a locked-down PC with only the app they need on it?
 
Phil_Agcaoili commented:
What does the server do, besides their application?
Where is it located?

Can you isolate it in a DMZ so that they cannot access AD?


We have many similar situations where I work.
We provide VPN access to our 3rd parties (such as this); they need to have either an established site-to-site VPN or a VPN client.
We limit their access using the VPN concentrator to just the system that they need access to.
The VPN provides encryption over the Net and authentication using our perimeter Radius auth server.

Now once they are on the system, that system is located in a DMZ that has only limited access to our intranet and limited access from the VPN concentrator.

Does that help get you closer to what you're asking for?

In regards to what you need now knowing that it's a 3rd party developer, I agree you should require:
1. VPN access
2. Radius or perimeter authentication
3. Terminal Server and locked down policies for access

Terminal Server (RDP) is A LOT more secure than PCAnywhere.

I've locked down banks and healthcare organizations (that should pass HIPAA) based on locking down and removing access from RDP.

My other suggestion is to enable RDL over SSL (IIS).
All you will need is a VPN/Firewall rule for SSL-RDP to this single server.
After locking down the SSL-RDP system, you can limit access to ONLY that developer's application.
 
dcreedon (Author) commented:
The software is located on our fileserver. We could eventually move it off the server, but this is a big job, so restricting down is what I would like to do first.
 
Phil_Agcaoili commented:
Check this out:

Using Windows Terminal Services to Run a Single Application
http://www.windowsecurity.com/articles/Windows-Terminal-Services-Run-Single-Application.html

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

I had a typo above...

Use RDP over SSL. This means that you take IIS (a Web server), enable SSL, force all HTTP/S connections to HTTPS, then run Terminal Server (RDP) over it, then only allow access to HTTPS from your VPN concentrator, and then lock down Terminal Services to run your vendor's single application. When they go to modify their application, that's all they have access to.

Of course, there will be a few applications that they will also need access to, but I've removed everything, from the ability to run a cmd prompt to File Explorer and network browsing functionality, from this locked system.

Hopefully this puts you down the path.
 
masirof commented:
To set up group policy:

Open Active Directory Users and Computers.

Right-click on Server > New > Organizational Unit. Create it, name it as you like (e.g. Restricted Users).
Right-click on the newly created unit, go to the Group Policy tab.
New > Name It > Edit.

There under User Configuration do whatever you like. You can disable/enable features.

Ask for more if unsure.
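The OU and GPO steps above, plus the "run only the vendor's single application" Terminal Services lockdown from the articles Phil linked, carried out in PowerShell. This is an added example, not code from the thread: it assumes the ActiveDirectory and GroupPolicy modules (Server 2008 R2 or later, not the 2003 era of the thread), and the OU, GPO, account, path and executable names for the Exchequer and Adest applications are placeholders.

```powershell
# Added example: OU + GPO lockdown for third-party support accounts. All names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName
$ouName      = 'Restricted Vendor Users'
$gpoName     = 'Vendor - Run Only Support Applications'
$vendorUsers = @('vendor.exchequer', 'vendor.adest')    # placeholder sAMAccountNames
$allowedExe  = @('exchequer.exe', 'adest.exe')          # placeholder executable file names (no paths)

# 1. OU for the third-party accounts (masirof's first step), then move the accounts into it
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru }
foreach ($u in $vendorUsers) {
    Get-ADUser -Identity $u | Move-ADObject -TargetPath $ou.DistinguishedName
}

# 2. A GPO linked only to that OU, so internal staff are untouched
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. User Configuration: "Run only specified Windows applications" = an Explorer allow-list
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'RestrictRun' -Type DWord -Value 1 | Out-Null
$i = 1
foreach ($exe in $allowedExe) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorerKey\RestrictRun" -ValueName "$i" -Type String -Value $exe | Out-Null
    $i++
}
# Hide all drives in Explorer (0x3FFFFFF = 26 drive letters) and disable the command prompt,
# which is how "restrict browsing directories" and "no cmd prompt" from the thread are applied
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoDrives' -Type DWord -Value 67108863 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' -ValueName 'DisableCMD' -Type DWord -Value 1 | Out-Null

# 4. Terminal Services "Start a program on connection": the vendor gets the application, not a desktop
$tsKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'InitialProgram' -Type String -Value 'C:\Apps\Exchequer\exchequer.exe' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'WorkDirectory' -Type String -Value 'C:\Apps\Exchequer' | Out-Null

# Review exactly what will apply before the vendor's next session
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

RestrictRun is enforced by the Explorer shell only, so on current servers pair it with an AppLocker or Software Restriction Policy allow-list for the same executables to make the restriction hold regardless of how a process is started.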
 
dcreedon (Author) commented:
Check this out:

Using Windows Terminal Services to Run a Single Application
http://www.windowsecurity.com/articles/Windows-Terminal-Services-Run-Single-Application.html

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

These links helped me greatly. How do I allow the application they need to access through group policy?
 
masirof commented:
You just put shortcuts on their desktop.
And you restrict browsing directories by hiding them.
 
dcreedon (Author) commented:
OK, great, thanks for your help.
 
Phil_Agcaoili commented:
By the way, this solution is great for auditing, shows controls for compliance, provides encryption, provides several layers of authentication, and gives granular access control to key applications... think SOX and HIPAA compliance.

I've left this solution for several hospitals and know they will pass HIPAA because of it.