trackme asked:

Lock down network access for one network card in a Windows server

Hello,
I have a server located in the trusted network. One of my vendors wants to access that server from his remote office via Terminal Services.

Now if I give him TS access, from there he can reach all my other servers in my trusted network.

Is there a way I can restrict that remote user to reach my server and also restrict him from reaching any other resources? I can have multiple NIC cards in the server and assign a different IP to that NIC card. But at the same time this server should be able to reach other resources like other servers and be able to serve users.

I can't move my server to the DMZ either since it will affect my trusted network users :(

Is there a way so that when that user logs in, he can't reach any other resource than the server? I mean literally, for that user, it should behave like a standalone machine with no network access other than to the server.

If not via user name, is there any other way we can think of?

Regards
Anantha
Rich Rumble:

There isn't much you can do... if you assign some sort of filter, it affects the whole box while he's signed in... Windows doesn't have much in the way of blocking outbound access... it does have the ability to block inbound access...
The IPSec filters introduced in Windows 2000 sprang to mind when I saw your question; however, they do not have the ability to filter data from one user and not another.
I'll have to think some more on this...
-rich
trackme (asker):

Thanks for your reply. Is there any other possibility to lock down access via network card? Say, for example, if I allow access to the vendor via one NIC card which is part of the DMZ, and lock it down such that any information coming out of that NIC is blocked by the firewall, etc.

I'm wondering whether Windows works that way, and I'm not a Windows expert either :(

This is a tricky case since I have to allow access to that person and also ensure that person or that connection is not able to reach anywhere else. Of course I can get an NDA from them, but still we can't be sure.

Let's wait for more answers in this regard since it's something new, I guess, to all here.

The only way I can see doing this is with inbound and outbound filters. If the remote user has a domain account, you can have a logon script apply an IPSec filter. I did some more research and IPSec filters are stateful, so if your filter allows the local LAN to access it, but it also blocks access to the local LAN... it is only blocking new outbound connections. Connections initiated from the server to the LAN will not be allowed. Connections from the LAN to the server will be allowed. I need to double check with some testing, but on paper it should work...
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx
-rich
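The logon-script approach Rich describes, as an added example that is not from the thread: a PowerShell script that assigns a machine-wide IPsec blocking policy while the vendor's Terminal Services session is up and removes it again at logoff. It assumes Windows Server 2003 or later (the `netsh ipsec static` context), that it runs with rights to change IPsec policy (a plain TS user cannot, so hook it from a mechanism that has them), and the account name `vendor-ts`, policy name `VendorLockdown` and network `10.0.0.0/8` are placeholders for your own values.

```powershell
# Added example, not from the thread. Run with -Phase logon at session start
# and -Phase logoff at session end. All names below are assumed placeholders.
param([ValidateSet('logon','logoff')][string]$Phase = 'logon')

$VendorAccount = 'vendor-ts'        # assumed account the vendor logs in with
$PolicyName    = 'VendorLockdown'   # assumed IPsec policy name
$TrustedLan    = '10.0.0.0'         # assumed trusted network address
$TrustedMask   = '255.0.0.0'        # assumed trusted network mask

# Only act for the vendor account, and only when it arrives over a TS/RDP
# session (SESSIONNAME looks like RDP-Tcp#0 for remote sessions).
$isVendor = $env:USERNAME -ieq $VendorAccount
$isRemote = $env:SESSIONNAME -like 'RDP-*'
if (-not ($isVendor -and $isRemote)) { return }

if ($Phase -eq 'logon') {
    # Filter list: packets from this host to the trusted LAN. mirrored=no so
    # the filter itself does not also match LAN-to-server packets.
    netsh ipsec static add filterlist name="$PolicyName-FL"
    netsh ipsec static add filter filterlist="$PolicyName-FL" srcaddr=me dstaddr=$TrustedLan dstmask=$TrustedMask protocol=any mirrored=no

    # Filter action: plain block, no IPsec negotiation.
    netsh ipsec static add filteraction name="$PolicyName-Block" action=block

    # Policy + rule tying list and action together, then assign it. Assignment
    # is machine-wide: while it is active, every packet from this host to the
    # trusted LAN is dropped, including the server's own connections. Whether
    # replies to LAN-initiated connections still pass is the point Rich says he
    # still needs to test, so try this on a lab box before the real server.
    netsh ipsec static add policy name="$PolicyName" assign=no
    netsh ipsec static add rule name="$PolicyName-Rule" policy="$PolicyName" filterlist="$PolicyName-FL" filteraction="$PolicyName-Block"
    netsh ipsec static set policy name="$PolicyName" assign=y
} else {
    # Logoff: unassign and remove so the server regains normal LAN access.
    netsh ipsec static set policy name="$PolicyName" assign=n
    netsh ipsec static delete policy name="$PolicyName"
    netsh ipsec static delete filterlist name="$PolicyName-FL"
    netsh ipsec static delete filteraction name="$PolicyName-Block"
}
```

`netsh ipsec static show policy all` lists what is currently assigned, which is the quickest way to confirm the logoff branch really cleaned up.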
trackme (asker):

Hi,
I will try this as you said; I have never tried this option, but will try.

What happens if I use a local user account, I mean with a user created within that server? Can I do the same or ???

Hope the user is not able to crack the account and get administrative privilege and get into the network :)
ASKER CERTIFIED SOLUTION
Rich Rumble
trackme (asker):

Hi,
The discussion is going well so far :)

Do you mean to say that we install a personal firewall like ZoneAlarm and ensure that it's in the startup folder of that local user account, or ???

Do you think that the user who logs in via Terminal Services can't reach outside, like ping my other servers or reach my internal web servers etc. ????

I was thinking that when you log in via TS, it works for everyone, since certain applications are not username-independent or something which can be restricted when they log in via Terminal Services.

So wondering how we can do this while restricting complete access to that person :(

Hope we zero down soon on this regard :)
