Lock down network access for one network card in a Windows server

Posted on 2006-06-15
Last Modified: 2013-12-04
I have a server located in the trusted network. One of my vendors wants to access that server from his remote office via Terminal Services.

Now if I give him TS access, from there he can reach all my other servers in my trusted network.

Is there a way I can restrict that remote user to reaching my server and also restrict him from reaching any other resources? I can have multiple NIC cards in the server and assign a different IP to that NIC card. But at the same time this server should be able to reach other resources like other servers and be able to serve users.

I can't move my server to the DMZ either since it will affect my trusted network users :(

Is there a way so that when that user logs in, he can't reach any other resource than the server? I mean literally, for that user, it should behave like a standalone machine with no network access other than to the server.

If not via user name, is there any other way we can think of?

Question by:trackme
LVL 38

Expert Comment

by:Rich Rumble
ID: 16910283
There isn't much you can do... if you assign some sort of filter, it affects the whole box while he's signed in... Windows doesn't have much in the way of blocking outbound access... it does have the ability to block inbound access...
The IPSec filters introduced in Windows 2000 sprang to mind when I saw your question, however they do not have the ability to filter data from one user and not another.
I'll have to think some more on this...

Author Comment

ID: 16917784
Thanks for your reply. Is there any other possibility to lock down access via network card? Say, for example, if I allow access to the vendor via one NIC card which is part of the DMZ and lock it down such that any information coming out of the NIC is blocked by the firewall etc.

I'm wondering whether Windows works that way, and I'm not a Windows expert either :(

This is a tricky case since I have to allow access to that person and also ensure that person or that connection should not be able to reach anywhere else. Of course I can get an NDA from them, but still we can't be sure.

Let's wait for more answers in this regard since it's something new, I guess, to all here.
LVL 38

Expert Comment

by:Rich Rumble
ID: 16919184
The only way I can see doing this is with inbound and outbound filters. If the remote user has a domain account, you can have a logon-script apply an IPSec filter. I did some more research and IPSec filters are stateful, so if your filter allows the local lan to access it, but it also blocks access to the local lan... it is only blocking new outbound connections. Connections initiated from the server, to the lan will not be allowed. Connections from the lan, to the server will be allowed. I need to double check with some testing, but on paper it should work...
Author Comment

ID: 16933400
I will try this as you said; I have never tried this option, but will try.

What happens if I use a local user account, I mean with a user created within that server? Can I do the same or ???

Hope the user is not able to crack the account, get administrative privilege and get into the network :)
LVL 38

Accepted Solution

Rich Rumble earned 150 total points
ID: 16933763
If the account doesn't have admin privs, the likelihood of privilege escalation is minimal on a fully patched OS.
I've created a sample IPSec filter; it blocks outbound traffic to the LAN, but allows incoming traffic, tested on 2003 and XP Pro. It's not pretty and I actually can't recommend it... a product like ZoneAlarm Pro is far better suited for this, however, I'm not sure how one can apply ZoneAlarm to a specific user reliably, and have ZAP turn off when that user logs off... You can place ZoneAlarm Pro in the user's startup folder, and it'd apply the rules quite well, however getting the rules turned off may be a manual process, such as logging on as a different user and killing the process, or rebooting the PC.

Creating a local account is one of the better things you can do; they don't have rights to access network services, and they don't have Admin. This is simple and efficient I feel, should have been my first thought, or second... or third...
Just as an added measure, create the account locally, and then log in yourself as that account, try to "hack" or access your local resources while being logged in as that account, see what rights might need tightening on shares/printers etc... Just add the account to the Terminal Service or Remote Desktop Users, make sure they are not listed in any other groups, except perhaps the Guests (most restrictive) or Users group... Power Users are too powerful for this situation.
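
As an added illustration (not the filter Rich built, nor code from the thread), this is how a policy of the kind he describes is assembled with the Windows Server 2003 / XP `netsh ipsec static` commands: the policy name and the 10.0.0.0/8 LAN range are placeholders, and the script must run as a local administrator on the TS server.

```batch
@echo off
REM Added example, not from the thread: build and assign a local IPsec policy
REM that drops packets leaving this server for the trusted LAN while leaving
REM LAN->server packets untouched. Run as a local administrator on the TS server.
REM POLICY name and LANNET/LANMASK are placeholders; use your own trusted range.

set POLICY=Vendor TS lockdown
set LANNET=10.0.0.0
set LANMASK=255.0.0.0

REM 1. Policy container.
netsh ipsec static add policy name="%POLICY%" description="Drop outbound traffic from this server to the trusted LAN"

REM 2. Filter list with ONE non-mirrored filter: from this host (Me) to the LAN
REM    range, any protocol. mirrored=no means the reverse direction (LAN->Me)
REM    is not part of the match, so this rule does not touch inbound packets.
netsh ipsec static add filterlist name="Outbound to LAN"
netsh ipsec static add filter filterlist="Outbound to LAN" srcaddr=Me dstaddr=%LANNET% dstmask=%LANMASK% protocol=ANY mirrored=no description="server -> LAN"

REM 3. Filter action that discards matching packets (no negotiation, no permit).
netsh ipsec static add filteraction name="Drop" action=block

REM 4. Rule = filter list + filter action, attached to the policy.
netsh ipsec static add rule name="Drop outbound LAN" policy="%POLICY%" filterlist="Outbound to LAN" filteraction="Drop"

REM 5. Assign the policy. Only one local IPsec policy can be assigned at a time,
REM    so this replaces any policy that was assigned before.
netsh ipsec static set policy name="%POLICY%" assign=y

REM Show what is now in effect for review.
netsh ipsec static show policy name="%POLICY%" level=verbose

REM To back it out later:
REM   netsh ipsec static set policy name="%POLICY%" assign=n
REM   netsh ipsec static delete policy name="%POLICY%"
```

These filters match individual packets, not connections, so with protocol=ANY the server's own replies to LAN clients also match the drop rule; scope the filter to specific protocols and ports, or use a stateful host firewall, and test inbound sessions from the LAN before relying on it.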

Author Comment

ID: 16940528
The discussion is going well so far :)

Do you mean to say that we install a personal firewall like ZoneAlarm and ensure that it's in the startup folder of that local user account, or ???

Do you think that the user who logs in via Terminal Services can't reach outside, like ping my other servers or reach my internal web servers etc. ????

I was thinking that when you log in via TS, it works for everyone, since certain applications are not username-independent or something which can be restricted when they log in via Terminal Services.

So I'm wondering how we can do this, restricting complete access to that person :(

Hope we zero in on this soon :)

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 16941565
If you're using an Active Directory domain for all PCs and servers, the remote person logged in via TS on a local account on a server is not going to be able to access PC and server shares, unless the share permissions are very, very low. By default a share's permissions will prompt a non-domain user for a domain username/password in order to access the share. If that person was logged in to the TS server, and then tried to TS/RD to the PCs and servers via another TS session, they would still need a username and password to access those machines.
The ZoneAlarm approach I was talking about, placing the ZA exe in the local account's startup folder, is probably overkill and might introduce issues for others using the server. I've been messing with that approach also and ZA can't really place distinctions on traffic generated by one account vs another. I think I've been approaching this wrong all along... more below.

That local user account would be able to ping others, but not much else. If possible, you could enable XP's firewall on your workstations to block traffic from that one server. XP's firewall is stateful, so it knows not to block traffic that is initiated from the PC itself to the server, but rather blocks traffic initiated from the server to the PC.

To help you decide your best route to take, I think you should create this local account, place it in the Users group and the Terminal Server Users group so it can log on via TS, then log on yourself as that account, and start looking around your LAN for possible weaknesses or improperly configured shares. You can start by using Network Neighborhood and seeing what you can access, then pings and trying to access PCs' C$ shares as if you had no knowledge of a domain username and password. You should also try using the MMC and registry to see what you may be able to gather. Right-click My Computer (while logged in via TS with that local account) and go to Manage. Once that opens, right-click Computer Management (Local), select "Connect to another computer...", put in an IP of another PC, and see if you can find anything that a would-be hacker might find useful, like usernames. After that, go to Start > Run..., type in regedit, go to File, then Connect Network Registry, put in an IP of a PC and see if you can browse the registry. This one can be a shocker sometimes... so if your PCs or servers have VNC installed, you may be able to browse to where the VNC password is stored in the registry and get the values... they are easily reversed. There are other remote control software packages out there too that are just as trivially easy to gain access to.

You can remove the TS client exe from the TS server so no one can TS into that server and then TS to another; you can remove the VNC viewer exe as well...
