

Lockdown network access for one network card in a windows server

Posted on 2006-06-15
Medium Priority
Last Modified: 2013-12-04
I have a server located in the trusted network. One of my vendors wants to access that server from his remote office via Terminal Services.

Now if I give him TS access, from there he can reach all my other servers in my trusted network.

Is there a way I can restrict that remote user to reach my server and also restrict him from reaching any other resources? I can have multiple NIC cards in the server and assign a different IP to that NIC card. But at the same time this server should be able to reach other resources like other servers and be able to serve users.

I can't move my server to the DMZ either, since it will affect my trusted network users :(

Is there a way so that when that user logs in, he can't reach any resource other than the server? I mean literally, for that user, it should behave like a standalone machine with network access other than the server.

If not via user name, is there any other way we can think of?

Question by:trackme
LVL 38

Expert Comment

by:Rich Rumble
ID: 16910283
There isn't much you can do... if you assign some sort of filter, it affects the whole box while he's signed in... Windows doesn't have much in the way of blocking outbound access... it does have the ability to block inbound access...
The IPSec filters introduced in Windows 2000 sprang to mind when I saw your question; however, they do not have the ability to filter data from one user and not another.
I'll have to think some more on this...

Author Comment

ID: 16917784
Thanks for your reply. Is there any other possibility to lock down access via network card? Say, for example, if I allow access to the vendor via one NIC card which is part of the DMZ and lock down such that any information coming out of the NIC is blocked by the firewall etc.

I'm wondering if Windows works that way, and I'm not a Windows expert either :(

This is a tricky case, since I have to allow access to that person and also ensure that person or that connection is not able to reach anywhere else. Of course I can get an NDA from them, but still we can't be sure.

Let's wait for more answers in this regard, since it's something new, I guess, to all here.
LVL 38

Expert Comment

by:Rich Rumble
ID: 16919184
The only way I can see doing this is with inbound and outbound filters. If the remote user has a domain account, you can have a logon script apply an IPSec filter. I did some more research and IPSec filters are stateful, so if your filter allows the local LAN to access it, but it also blocks access to the local LAN... it is only blocking new outbound connections. Connections initiated from the server to the LAN will not be allowed. Connections from the LAN to the server will be allowed. I need to double check with some testing, but on paper it should work...


Author Comment

ID: 16933400
I will try this as you said. I have never tried this option, but will try.

What happens if I use a local user account, I mean a user created within that server? Can I do the same or ???

Hope the user is not able to crack the account, get administrative privilege and get into the network :)
LVL 38

Accepted Solution

Rich Rumble earned 450 total points
ID: 16933763
If the account doesn't have admin privs, the likelihood of privilege escalation is minimal on a fully patched OS.
I've created a sample IPSec filter; it blocks outbound traffic to the LAN but allows incoming traffic, tested on 2003 and XP Pro. It's not pretty and I actually can't recommend it... a product like ZoneAlarm Pro is far better suited for this; however, I'm not sure how one can apply ZoneAlarm to a specific user reliably, and have ZAP turn off when that user logs off... You can place ZoneAlarm Pro in the user's startup folder, and it'd apply the rules quite well; however, getting the rules turned off may be a manual process, such as logging on as a different user and killing the process, or rebooting the PC.

Creating a local account is one of the better things you can do; they don't have rights to access network services, and they don't have Admin. This is simple and efficient I feel, should have been my first thought, or second... or third...
Just as an added measure, create the account locally, and then log in yourself as that account, try to "hack" or access your local resources while being logged in as that account, see what rights might need tightening on shares/printers etc... Just add the account to the Terminal Service or Remote Desktop users, make sure they are not listed in any other accounts, except perhaps the Guest (most restrictive) or Users group... Power Users are too powerful for this situation.
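
Added example, not part of the original answer or posted by any participant: a PowerShell check of the group-membership advice above, listing every local group the vendor account belongs to and flagging anything outside Users, Remote Desktop Users and Guests. It assumes Windows PowerShell 5.1 or later (the `Microsoft.PowerShell.LocalAccounts` cmdlets, which postdate the Windows 2003/XP systems in this thread), English group names, and a hypothetical account name `vendor_ts`.

```powershell
# Audit the local group membership of a restricted Terminal Services account.
# Assumptions (not from the thread): account name 'vendor_ts', English group
# names, Windows PowerShell 5.1+ run from an elevated prompt on the server.
param(
    [string]$Account = 'vendor_ts',
    [string[]]$AllowedGroups = @('Users', 'Remote Desktop Users', 'Guests')
)

$qualified = "$env:COMPUTERNAME\$Account"

# Stops here if the account is not a local account on this machine.
$user = Get-LocalUser -Name $Account -ErrorAction Stop

# Walk every local group and keep the names of those containing the account.
$memberOf = @(foreach ($group in Get-LocalGroup) {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        # Groups with orphaned SIDs can fail to enumerate; report and move on.
        Write-Warning "Could not enumerate '$($group.Name)': $($_.Exception.Message)"
        continue
    }
    if ($members.Name -contains $qualified) { $group.Name }
})

# Anything not on the allow list (Administrators, Power Users, ...) needs review.
$unexpected = @($memberOf | Where-Object { $AllowedGroups -notcontains $_ })

"Account : $qualified (enabled: $($user.Enabled))"
"Groups  : $($memberOf -join ', ')"

if ($unexpected.Count -gt 0) {
    "REVIEW  : unexpected membership in $($unexpected -join ', ')"
    exit 1
}
if ($memberOf -notcontains 'Remote Desktop Users') {
    "NOTE    : not in 'Remote Desktop Users'; a non-admin account normally cannot log on via RDP"
}
"OK      : membership limited to the allowed groups"
```

A non-zero exit code means the account is in a group outside the allow list, so the script can run as a scheduled check after the account is created.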

Author Comment

ID: 16940528
The discussion is going well so far :)

Do you mean to say that we install a personal firewall like ZoneAlarm and ensure that it's in the startup folder of that local user account or ???

Do you think that the user who logs in via Terminal Services can't reach outside, like ping my other servers or reach my internal web servers etc ????

I was thinking that when you log in via TS, it works for everyone, since certain applications are not username-independent or something which can be restricted when they log in via Terminal Services.

So I'm wondering how we can do this with restricting complete access to that person :(

Hope we zero in soon in this regard :)

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 450 total points
ID: 16941565
If you're using an Active Directory domain for all PCs and servers, the remote person logged in via TS on a local account on a server is not going to be able to access PCs and server shares, unless the share permissions are very very low. By default a share's permissions will prompt a non-domain user for a domain username/password in order to access the share. If that person was logged in to the TS server, and then tried to TS/RD to the PCs and servers via another TS session, they would still need a username and password to access those machines.
The ZoneAlarm approach I was talking about, placing the ZA exe in the local account's startup folder, is probably overkill and might introduce issues for others to use the server. I've been messing with that approach also and ZA can't really place distinctions on traffic generated by one account vs another. I think I've been approaching this wrong all along... more below

That local user account would be able to ping others, but not much else. If possible, you could enable XP's firewall on your workstations to block traffic from that one server. XP's firewall is stateful, so it knows not to block traffic that is initiated from the PC itself to the server, but rather blocks traffic initiated from the server to the PC.

To help you decide your best route to take, I think you should create this local account, place it in the Users group and the terminal servers group so it can log on via TS, then log on yourself as that account, and start looking around your LAN for possible weaknesses or improperly configured shares. You can start by using the Network Neighborhood and seeing what you can access, then pings and trying to access PCs' C$'s as if you had no knowledge of a domain username and pass. You should also try using the MMC and registry to see what you may be able to gather. Right-click My Computer (while logged in via the TS with that local account) and go to Manage. Once that opens, right-click Computer Management (Local), select "Connect to another computer...", put in an IP of another PC, and see if you can find anything that a would-be hacker might find useful, like usernames. After that, go to Start > Run... and type in regedit, go to File then Connect Network Registry and put in an IP of a PC and see if you can browse the registry. This one can be a shocker sometimes... so if your PCs or servers have VNC installed, you may be able to browse to where the VNC pass is stored in the registry and get the values... they are easily reversed. There are other remote control softwares out there too that are just as trivially easy to gain access to.

You can remove the TS client exe from the TS server so no one can TS into that server, then TS to another; you can also remove the VNC viewer exe...
