• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 842

How do I restrict outside VPN access to only one computer?

We have a vendor who has a server onsite here that only they administrate.  Rather than coming onsite, it would be helpful if they could dial in, but I need to make sure that basically all other network access is denied.  Thank you.
Asked by: QuiteSupersonic

2 Solutions

laskovd commented:
Hello QuiteSupersonic,
As I understand, you have some rogue server in your site; it is managed remotely over the Internet (or over a dial-in telephone VPN?) and you need to be sure it only uses VPN traffic? Or check the opportunity to completely restrict access?
If it is performed over the Internet, you should check your router\firewall for configuring a block\allow rule for the specific internal IP address of the rogue server. You may allow entry\exit by allowing\disallowing ports from a specific IP.

QuiteSupersonic (author) commented:
This server has a private, unroutable IP, so it would be necessary that they use VPN and then a program like pcAnywhere or VNC. But I don't want them to be able to browse the net or be able to "touch" any network devices besides this server, which is really just a Windows XP Pro workstation in its own workgroup.  Thanks.

taylorludwig commented:
Does this server that he needs to connect to have any programs running that require it to be connected to the rest of the network?
 
QuiteSupersonic (author) commented:
Yes it does.
 
taylorludwig commented:
What access does he need then? Just a certain program? Or access to all files on that computer?

Remote Desktop Connection offers the ability for a program to start when connecting, before Explorer starts; when the program is closed you are disconnected.  This ultimately makes it so only that one program is accessible.  Although I'm not sure if this is configurable on XP, it might just be for 2003.  However, if access to just a single program would work, I'll look into it more.

QuiteSupersonic (author) commented:
Would I do this with a group policy of some sort?  If so, which policy and how?

taylorludwig commented:
Under the Active Directory Users and Computers plugin -> find the user, right click and Properties -> on the Environment tab you choose the program to run at startup.  

You then use this logon for the contractor to use when connecting through Terminal Services, and it will perform the action like I stated above.  

Here is a link with more details:
http://technet2.microsoft.com/windowsserver/en/library/8bc6ba8f-5d4a-45f1-bfe7-623a30635c3e1033.mspx?mfr=true

QuiteSupersonic (author) commented:
So it only allows that program to run?  What about restricting network browsing, printing, open files, etc. etc.?

QuiteSupersonic (author) commented:
I mean, I don't want to have to go in and explicitly deny him access to all network resources.  I'm looking for the most effective way to have this guy log in via VPN, see the desktop, and basically just work within this one program and that's it.  Again, the PC in question is in its own workgroup, but with a domain account he could try to use the login credentials to gain access to other resources, which I don't want.  Also, the PC in question is a part of our domain and doesn't have its own public IP address.

taylorludwig commented:
What it would do is start the program and not run the process explorer.exe, meaning that the user by default wouldn't even see the desktop or the Start menu to go in and mess with other stuff; they would only have access to that one program that is running.  Now with that said, this feature isn't really set up for security but more to host remote applications.  I believe that if the user was smart enough they could still get into the desktop by keyboard shortcuts such as Start button and R to really run any program, including explorer.exe, which would start the desktop and all that.

However, even with all that, all you would need to do is add his account to all the network shares on your file server and print server and he wouldn't be able to get into anything else, as he wouldn't have access to any other computers or be able to log in remotely to any other computers as a standard user by default, so it wouldn't be hard to lock down everything else.  

QuiteSupersonic (author) commented:
Just access to a certain program and perhaps any files associated with it (.ini or config files).  
 
laskovd commented:
Looks like the easiest way is to put this 'rogue server' in a DMZ or a different VLAN, and configure it like this:
1. Allow connection to\from Internet over VPN
2. Allow from this 'rogue server' connectivity by a special port only to a special server in the LAN
3. Deny any other traffic from 'rogue server' to LAN
All this may be configured on the local router\firewall, and the VLAN may be configured on the switch also. Check with your network guys.  

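The three-rule policy above is easy to get subtly wrong on a real router, because most ACLs are evaluated first-match and a broad deny placed above a narrow allow silently breaks the one application the vendor host needs. The following is an added example, not code from laskovd or from this thread, that models the policy as a first-match ACL and checks it against constructed traffic before anyone touches the firewall. All addresses (VPN pool 10.99.0.0/24, vendor host 192.168.50.10 in the DMZ, LAN 10.0.0.0/16, application server 10.0.1.20), the application port 8443 and the use of RDP on 3389 are assumptions for illustration; substitute your own.

```python
"""Model of the three-rule segmentation policy for a vendor-managed host (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses; substitute your own ranges.
VPN_POOL = ip_network("10.99.0.0/24")         # addresses handed out to VPN clients
VENDOR_HOST = ip_network("192.168.50.10/32")  # the vendor's box, moved to a DMZ/VLAN
LAN = ip_network("10.0.0.0/16")               # everything else internal
APP_SERVER = ip_network("10.0.1.20/32")       # the one LAN server it must reach
APP_PORT = 8443                               # assumed application port
RDP_PORT = 3389                               # remote-control port the vendor uses


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


# Rules in the order given in the thread; order matters under first-match evaluation.
POLICY: List[Rule] = [
    Rule("allow", VPN_POOL, VENDOR_HOST, RDP_PORT, "1: VPN users may remote into the vendor host"),
    Rule("allow", VENDOR_HOST, APP_SERVER, APP_PORT, "2: vendor host -> one LAN server, one port"),
    Rule("deny", VENDOR_HOST, LAN, None, "3: vendor host -> rest of LAN"),
]


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins, like a router ACL; unmatched traffic hits the default."""
    for rule in rules:
        if flow.src not in rule.src or flow.dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action, rule.note
    return default, "implicit default-deny"


def flow(src: str, dst: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), dport)


# Constructed traffic covering what the thread wants allowed and what it wants blocked.
CASES: Dict[str, Flow] = {
    "vpn_to_vendor_rdp": flow("10.99.0.7", "192.168.50.10", RDP_PORT),
    "vendor_to_app_port": flow("192.168.50.10", "10.0.1.20", APP_PORT),
    "vendor_to_app_smb": flow("192.168.50.10", "10.0.1.20", 445),   # same server, wrong port
    "vendor_to_fileserver": flow("192.168.50.10", "10.0.1.5", 445),
    "vendor_to_dc_ldap": flow("192.168.50.10", "10.0.0.2", 389),
    "vpn_to_fileserver": flow("10.99.0.7", "10.0.1.5", 445),          # VPN user bypassing the host
}


def audit(rules: List[Rule] = POLICY) -> Dict[str, str]:
    """Decision for every constructed case, so the policy can be reviewed before deployment."""
    return {name: evaluate(rules, f)[0] for name, f in CASES.items()}


if __name__ == "__main__":
    for name, decision in audit().items():
        print(f"{name:22s} {decision}")
    # Putting the broad deny ahead of the narrow allow breaks the application silently.
    misordered = [POLICY[0], POLICY[2], POLICY[1]]
    print("misordered vendor_to_app_port:", evaluate(misordered, CASES["vendor_to_app_port"])[0])
```

Two things the run makes visible: the VPN user's own address never matches rule 2, so even with valid credentials they cannot reach the LAN except through the vendor host and its single permitted port; and `vpn_to_fileserver` is blocked only by the implicit default, so a firewall whose default is permit needs an explicit final deny.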
QuiteSupersonic (author) commented:
please close this case.