dcreedon
asked on
windows security
We have third-party remote users who have their own Windows logon and password so they can PCAnywhere to our servers. Is there a way to restrict what they can access? I have, for example, logged onto our fileserver as them and they are able to access Active Directory; this I want to be able to restrict.
Ok,
In Active Directory you can create a group policy and apply that policy to the members you want.
If unsure how to do this please ask.
ASKER
So through group policy, if they say try to open Active Directory Users and Computers, how can I block this?
You can restrict all menus, desktop objects, and access to most things like Task Manager, shutdown, etc.
First off, this is a bad security practice: external users using PCAnywhere to REMOTE CONTROL a system on your network, and probably over the Internet. You gave them the keys to the castle.
PCAnywhere is a remote control application.
Whoever that system is logged in as, THE EXTERNAL user will also have access, so regardless of your Active Directory group policies or whatever, they don't need any further credentials.
Can you move them towards IPSec VPN access to access this one resource? At least you have better control over encryption and complete control over IP address assignment, access control, and authentication (both on the VPN-side and for network access).
What do they need to do on your network that requires PCAnywhere?
File share access?
Remote administrative access?
Complete network access?
Diagnostics?
This will help gauge the best set of solutions for remote access (not remote control, which is what you're doing).
Ah, I see now: they're PCAnywhere'ing into your Domain Controller, which is logged in as Admin, and they're able to execute 'AD Users and Computers'?
If that's the case, I'm with Phil here: very bad idea. They could also delete users, destroy the server, demote the server, etc. etc. etc. No amount of Group Policy will save you there :)
Buy a VPN device and have the users access your office using that as a gateway, and log in as a regular user.
ASKER
Ok, thanks.
You can use Terminal Services, give them a logon other than Administrator, and apply security policies.
ASKER
Remote users need to first authenticate on our internal firewall; they then can PCAnywhere to the server in question. So you're suggesting using Terminal Services instead to log on to the server? Would restricting the rule on the firewall to just the services the remote users need be enough? All they need to access is the application they support, for example a financial application called Exchequer and a document management program called Adest.
I'll ask again, since you seem to be open to remote control applications such as PCAnywhere and Terminal Server...
What do they need to do on your network that requires PCAnywhere or Terminal Server?
Remote administrative access?
Complete network access?
Diagnostics?
File share access?
This will help gauge the best set of solutions for remote access (not remote control, which is what you're doing).
Remote control, regardless of firewall access control and authentication, is typically a bad security design.
If you had them VPN in, then you know:
1. There is encryption
2. You forced them to authenticate with your perimeter authentication system
3. You can limit access to intranet devices based on VPN/Firewall rules
ASKER
They would need remote admin access just to resolve issues with their application.
Ok, no problem. How do they connect? The issue is how they log in to the server.
I assume they are Active Directory users, aren't they?
By using group policies, you can restrict them to use only the mentioned programs and nothing else.
If this recommendation fits you, I can help you further with settings.
ASKER
Yes, they are set up in Active Directory. Through group policy would be great if I could restrict this way. I know that some 3rd parties need to use PCAnywhere, so Terminal Services won't do in that case. Appreciate your help.
Do they have to PCAnywhere into the server directly? Especially a server with all the AD tools installed?
How about having them remote into a locked-down PC with only the app they need on it?
What does the server do? Besides their application.
Where is it located?
Can you isolate it in a DMZ so that they cannot access AD?
We have many similar situations where I work.
We provide VPN access to our 3rd parties (such as this); they need to have either an established site-to-site VPN or a VPN client.
We limit their access using the VPN concentrator to just the system that they need access to.
The VPN provides encryption over the Net and authentication using our perimeter Radius auth server.
Now once they are on the system, that system is located in a DMZ that has only limited access to our intranet and limited access from the VPN concentrator.
Does that help get you closer to what you're asking for?
In regards to what you need, now knowing that it's a 3rd party developer, I agree you should require:
1. VPN access
2. Radius or perimeter authentication
3. Terminal Server and locked down policies for access
Terminal Server (RDP) is A LOT more secure than PCAnywhere.
I've locked down banks and healthcare organizations (that should pass HIPAA) based on locking down and removing access from RDP.
My other suggestion is to enable RDP over SSL (IIS).
All you will need is a VPN/firewall rule for SSL-RDP to this single server.
After locking down the SSL-RDP system, you can limit access to ONLY that developer's application.
ASKER
The software is located on our fileserver. We could eventually move it off the server, but this is a big job, so restricting down is what I would like to do first.
ASKER CERTIFIED SOLUTION
To set up group policy:
Open Active Directory Users and Computers.
Right-click on the domain > New > Organizational Unit. Create it, name it as you like (e.g. Restricted Users).
Right-click on the newly created unit and go to the Group Policy tab.
New > Name It > Edit.
There, under User Configuration, do whatever you like. You can disable/enable features.
Ask for more if unsure.
ASKER
Check this out:
Using Windows Terminal Services to Run a Single Application
http://www.windowsecurity.com/articles/Windows-Terminal-Services-Run-Single-Application.html
Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx
These links helped me greatly. How do I allow the application they need to access through group policy?
You just give shortcuts on their desktop.
And you restrict browsing directories by hiding them.
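The "restrict them to only the mentioned programs" approach from the group policy steps above, scripted instead of clicked through ADUC. This is an added example, not code posted in the thread: it assumes the RSAT GroupPolicy module, an existing OU (hypothetical DN "OU=Restricted Users,DC=example,DC=local"), and placeholder executable names and paths for the two vendor applications.

```powershell
# Added example: build a user-side lockdown GPO and link it to the restricted OU.
# Assumes: GroupPolicy module (RSAT), domain admin session, OU already exists.
Import-Module GroupPolicy

$ouPath  = "OU=Restricted Users,DC=example,DC=local"        # hypothetical OU
$gpoName = "Restricted Vendor Desktop"                       # hypothetical GPO name
$allowed = @("exchequer.exe", "adest.exe")                   # assumed exe names for the two apps
$appExe  = "C:\Apps\Exchequer\exchequer.exe"                 # assumed install path
$appDir  = "C:\Apps\Exchequer"

$explorer = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$system   = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$ts       = "HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services"

New-GPO -Name $gpoName -Comment "Vendor support accounts: run only their application" | Out-Null

# User Config > Admin Templates > System > "Run only specified Windows applications".
# Explorer will only launch the listed executables (shortcuts on the desktop still work).
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName "RestrictRun" -Type DWord -Value 1 | Out-Null
$i = 1
foreach ($exe in $allowed) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\RestrictRun" -ValueName "$i" -Type String -Value $exe | Out-Null
    $i++
}

# Hide and block browsing of all drives in My Computer (bitmask 0x3FFFFFF = A: through Z:),
# remove the Run dialog, and disable Task Manager, as suggested earlier in the thread.
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName "NoViewOnDrive" -Type DWord -Value 0x3FFFFFF | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName "NoRun"         -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $system   -ValueName "DisableTaskMgr" -Type DWord -Value 1 | Out-Null

# Terminal Services > "Start a program on connection": the RDP session opens straight into
# the vendor application and ends when it exits, so there is no desktop to wander from.
Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName "InitialProgram" -Type String -Value $appExe | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName "WorkDirectory"  -Type String -Value $appDir | Out-Null

# Link the GPO to the OU holding the vendor accounts, then show the resulting allow-list.
New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes | Out-Null
Get-GPRegistryValue -Name $gpoName -Key "$explorer\RestrictRun" | Select-Object ValueName, Value
```

RestrictRun is enforced by Explorer only, so it applies to users who get their own logon session (Terminal Services); it does nothing for a PCAnywhere session that shares the console already logged in as Administrator, which is the point made earlier in the thread.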
ASKER
Ok, great. Thanks for your help.
By the way, this solution is great for auditing and showing controls for compliance; it provides encryption, several layers of authentication, and granular access control to key applications. Think SOX and HIPAA compliance.
I've left this solution for several hospitals and know they will pass HIPAA because of it.
What they can access will be controlled by which user they are logging in as. I don't think it will be any different than a local user in that regard.