Lock down network access for one network card in a Windows server

I have a server located in the trusted network. One of my vendors wants to access that server from his remote office via Terminal Services.

Now if I give him TS access, from there he can reach all my other servers in my trusted network.

Is there a way I can restrict that remote user to reaching my server and also restrict him from reaching any other resources? I can have multiple NIC cards in the server and assign a different IP to that NIC card. But at the same time this server should be able to reach other resources like other servers and be able to serve users.

I can't move my server to the DMZ either since it will affect my trusted network users :(

Is there a way so that when that user logs in, he can't reach any other resource than the server? I mean literally, for that user, it should behave like a standalone machine with no network access other than to the server.

If not via username, is there any other way we can think of?

Rich Rumble (Security Samurai) commented:
If the account doesn't have admin privs, the likelihood of privilege escalation is minimal on a fully patched OS.
I've created a sample IPSec filter; it blocks outbound traffic to the LAN, but allows incoming traffic, tested on 2003 and XP Pro. It's not pretty and I actually can't recommend it... a product like ZoneAlarm Pro is far better suited for this, however, I'm not sure how one can apply ZoneAlarm to a specific user reliably, and have ZAP turn off when that user logs off... You can place ZoneAlarm Pro in the user's startup folder, and it'd apply the rules quite well, however getting the rules turned off may be a manual process, such as logging on as a different user and killing the process, or rebooting the PC.

Creating a local account is one of the better things you can do; they don't have rights to access network services, and they don't have Admin. This is simple and efficient I feel, should have been my first thought, or second... or third...
Just as an added measure, create the account locally, and then log in yourself as that account, try to "hack" or access your local resources while being logged in as that account, see what rights might need tightening on shares/printers etc... Just add the account to the Terminal Services or Remote Desktop Users group, make sure they are not listed in any other groups, except perhaps the Guests (most restrictive) or Users group... Power Users are too powerful for this situation.
Rich Rumble (Security Samurai) commented:
There isn't much you can do... if you assign some sort of filter, it affects the whole box while he's signed in... Windows doesn't have much in the way of blocking outbound access... it does have the ability to block inbound access...
The IPSec filters introduced in Windows 2000 sprang to mind when I saw your question, however they do not have the ability to filter data from one user and not another.
I'll have to think some more on this...
trackme (Author) commented:
Thanks for your reply. Is there any other possibility to lock down access via network card? Say, for example, if I allow access to the vendor via one NIC card which is part of the DMZ and lock it down such that any information coming out of the NIC is blocked by the firewall, etc.

I'm wondering whether Windows works that way, and I'm not a Windows expert as well :(

This is a tricky case since I have to allow access to that person and also ensure that person or that connection should not be able to reach anywhere else. Of course I can get an NDA from them, but still we can't be sure.

Let's wait for more answers in this regard since it's something new, I guess, to all here.
Rich Rumble (Security Samurai) commented:
The only way I can see doing this is with inbound and outbound filters. If the remote user has a domain account, you can have a logon script apply an IPSec filter. I did some more research and IPSec filters are stateful, so if your filter allows the local LAN to access it, but it also blocks access to the local LAN... it is only blocking new outbound connections. Connections initiated from the server to the LAN will not be allowed. Connections from the LAN to the server will be allowed. I need to double-check with some testing, but on paper it should work...
trackme (Author) commented:
I will try this as you said; I have never tried this option, but will try.

What happens if I use a local user account, I mean with a user created within that server? Can I do the same or ???

Hope the user is not able to crack the account and get administrative privilege and get into the network :)
trackme (Author) commented:
The discussion is going well so far :)

Do you mean to say that we install a personal firewall like ZoneAlarm and ensure that it's in the startup folder of that local user account or ???

Do you think that the user who logs in via Terminal Services can't reach outside, like ping my other servers or reach my internal web servers etc.????

I was thinking that when you log in via TS, it works for everyone, since certain applications are not username independent or something which can be restricted when they log in via Terminal Services.

So I'm wondering how we can do this, restricting complete access to that person :(

Hope we zero in soon in this regard :)

Rich Rumble (Security Samurai) commented:
If you're using an Active Directory domain for all PCs and servers, the remote person logged in via TS on a local account on a server is not going to be able to access PC and server shares, unless the share permissions are very, very low. By default a share's permissions will prompt a non-domain user for a domain username/password in order to access the share. If that person was logged in to the TS server, and then tried to TS/RD to the PCs and servers via another TS session, they would still need a username and password to access those machines.
The ZoneAlarm approach I was talking about, placing the ZA exe in the local account's startup folder, is probably overkill and might introduce issues for others using the server. I've been messing with that approach also and ZA can't really make distinctions between traffic generated by one account vs. another. I think I've been approaching this wrong all along... more below

That local user account would be able to ping others, but not much else. If possible, you could enable XP's firewall on your workstations to block traffic from that one server; XP's firewall is stateful, so it knows not to block traffic that is initiated from the PC itself to the server, but rather blocks traffic initiated from the server to the PC.

To help you decide your best route to take, I think you should create this local account, place it in the Users group and the Remote Desktop Users group so it can log on via TS, then log on yourself as that account, and start looking around your LAN for possible weaknesses or improperly configured shares. You can start by using Network Neighborhood and seeing what you can access, then pings and trying to access PCs' C$ shares as if you had no knowledge of a domain username and password. You should also try using the MMC and registry to see what you may be able to gather. Right-click My Computer (while logged in via TS with that local account) and go to Manage. Once that opens, right-click Computer Management (Local), select "Connect to another computer...", put in an IP of another PC, and see if you can find anything that a would-be hacker might find useful, like usernames. After that, go to Start > Run... and type in regedit, go to File, then Connect Network Registry, put in an IP of a PC and see if you can browse the registry. This one can be a shocker sometimes... so if your PCs or servers have VNC installed, you may be able to browse to where the VNC password is stored in the registry and get the values... they are easily reversed. There are other remote control software packages out there too that are just as trivially easy to gain access to.

You can remove the TS client exe from the TS server so no one can TS into that server and then TS to another; you can also remove the VNC viewer exe...
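The per-user lockdown this thread was reaching for (a local non-admin RDP account whose new outbound connections are blocked, while inbound and everyone else's traffic is untouched) can be done on Windows Server 2012 or later with Windows Firewall with Advanced Security, which can scope a rule to an account's SID, something the 2003-era IPSec filters discussed above could not. This is an added example, not code from the thread; the account name and rule name are assumed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Creates a local, non-admin RDP account
# for the vendor and blocks every NEW outbound connection that account starts,
# using Windows Firewall with Advanced Security (Windows Server 2012+, PS 5.1).
# The firewall is stateful: the vendor's own RDP session is inbound and owned
# by the Terminal Services service, so it and all traffic from other accounts
# and services on the server are unaffected by this rule.

$VendorUser = 'vendor-ts'   # assumed account name

# 1. Local account; member of Users (added by default) and Remote Desktop Users.
$pw   = Read-Host -AsSecureString -Prompt "Password for $VendorUser"
$acct = New-LocalUser -Name $VendorUser -Password $pw -Description 'Vendor RDP access only'
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $VendorUser

# 2. Outbound Block rule scoped to that account's SID. The -LocalUser SDDL
#    grants the CC right to this SID only, so the rule matches its traffic alone.
#    Block rules win over Allow rules, and the default outbound action stays Allow
#    for every other principal.
$sid  = $acct.SID.Value
$sddl = "O:LSD:(A;;CC;;;$sid)"

New-NetFirewallRule -DisplayName "Block outbound for $VendorUser" `
    -Direction Outbound -Action Block -Profile Any -Enabled True `
    -LocalUser $sddl | Out-Null

# 3. Review what was applied: the rule's user filter and the account's groups.
Get-NetFirewallRule -DisplayName "Block outbound for $VendorUser" |
    Get-NetFirewallSecurityFilter |
    Select-Object LocalUser
Get-LocalGroupMember -Group 'Remote Desktop Users'
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -eq $sid } |
    ForEach-Object { Write-Warning "$VendorUser is an Administrator; remove it." }
```

After applying it, repeat the share and MMC checks from the answer above while signed in as that account over RDP: new connections from that session to other hosts should fail while the RDP session itself stays up.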