How do I restrict outside VPN access to only one computer?

We have a vendor who has a server onsite here that only they administer. Rather than coming onsite, it would be helpful if they could dial in, but I need to make sure that basically all other network access is denied. Thank you.
QuiteSupersonic asked:
 
laskovd commented:
Looks like the easiest way is to put this "rogue server" in a DMZ or a different VLAN, and configure it like this:
1. Allow connection to/from the Internet over VPN
2. Allow connectivity from this "rogue server" on a specific port only, to a specific server in the LAN
3. Deny any other traffic from the "rogue server" to the LAN
All of this may be configured on the local router/firewall, and the VLAN may be configured on the switch as well. Check with your network guys.
0
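The three rules above, written out as an added example (not part of the original thread) for a Linux router/firewall that sits between the VPN concentrator, the DMZ VLAN holding the vendor-managed box, and the internal LAN. Every address, port and chain name is an assumption for illustration: it assumes the vendor's VPN account lands in a dedicated client address pool (if other users share the pool, pin the vendor account to a fixed address and use that instead), that remote control is RDP on 3389, and that the box has exactly one LAN dependency, a single host and TCP port. Each extra dependency the box really has gets one more explicit ACCEPT line; everything else toward the LAN is dropped and logged.

```shell
#!/bin/sh
# Added example, not from the original thread: FORWARD rules for a Linux
# router/firewall between the VPN concentrator, the DMZ VLAN that holds the
# vendor-managed box, and the internal LAN. All addresses and ports below are
# assumptions for illustration; replace them with your own.
set -eu

IPT=${IPT:-iptables}        # run with IPT=echo to print the commands instead of applying them
VPN_POOL=10.99.0.0/24       # assumed: address pool handed to the vendor's VPN client
VENDOR_HOST=192.168.50.10   # assumed: the vendor's box, alone on the DMZ VLAN
VENDOR_PORT=3389            # assumed: RDP; use 5900 for VNC
LAN_NET=192.168.1.0/24      # assumed: internal LAN the box must not browse
APP_SERVER=192.168.1.20     # assumed: the one LAN host the vendor's application depends on
APP_PORT=1433               # assumed: the one TCP port that dependency uses

# Create (or empty) a dedicated chain and hook it at the top of FORWARD for
# traffic from one source, so these rules stay separate from the rest of FORWARD.
fresh_chain() {
    $IPT -F "$1" 2>/dev/null || $IPT -N "$1"
    # drop a stale hook left by a previous run, then insert a fresh one
    $IPT -D FORWARD -s "$2" -j "$1" 2>/dev/null || true
    $IPT -I FORWARD -s "$2" -j "$1"
}

apply_rules() {
    # 1. Inbound: VPN clients may reach the vendor box on the remote-control
    #    port only; anything else from the VPN pool is logged and dropped.
    fresh_chain VENDOR_IN "$VPN_POOL"
    $IPT -A VENDOR_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A VENDOR_IN -d "$VENDOR_HOST" -p tcp --dport "$VENDOR_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A VENDOR_IN -m limit --limit 5/min -j LOG --log-prefix "vpn-vendor-drop: "
    $IPT -A VENDOR_IN -j DROP

    # 2. Outbound from the box: its one LAN dependency, on one port.
    fresh_chain VENDOR_OUT "$VENDOR_HOST"
    $IPT -A VENDOR_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A VENDOR_OUT -d "$APP_SERVER" -p tcp --dport "$APP_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # 3. Deny (and log) anything else aimed at the LAN. Traffic to other
    #    destinations falls back to whatever the existing FORWARD policy says.
    $IPT -A VENDOR_OUT -d "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "vendor-lan-drop: "
    $IPT -A VENDOR_OUT -d "$LAN_NET" -j DROP
    $IPT -A VENDOR_OUT -j RETURN
}

case "${1:-}" in
    apply) apply_rules ;;          # install the rules (needs root)
    show)  IPT=echo; apply_rules ;; # dry run: print the iptables commands
    *)     ;;                      # no argument: only define the functions
esac
```

Run `sh vendor-dmz.sh show` to review the generated commands before `sh vendor-dmz.sh apply`. Two caveats: a box that is joined to the domain also needs explicit rules to the domain controllers (Kerberos, LDAP, DNS, SMB), which this example does not grant, so add those as further ACCEPT lines rather than opening the LAN; and the Terminal Services "start this program on connection" setting discussed later in the thread is not a security boundary, so the network policy here is what actually keeps the vendor off the rest of the LAN.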
 
laskovd commented:
Hello QuiteSupersonic
As I understand it, you have some rogue server at your site; it is managed remotely over the Internet (or over a dial-in telephone VPN?) and you need to be sure it only uses VPN traffic? Or to check the possibility of completely restricting access?
If it is done over the Internet, you should check your router/firewall for configuring block/allow rules for the specific internal IP address of the rogue server. You may allow entry/exit by allowing/disallowing ports from a specific IP.
0
 
QuiteSupersonic (author) commented:
This server has a private, unroutable IP, so it would be necessary that they use VPN and then a program like pcAnywhere or VNC. But I don't want them to be able to browse the network or be able to "touch" any network devices besides this server, which is really just a Windows XP Pro workstation, in its own workgroup. Thanks.
0
 
taylorludwig commented:
Does this server that he needs to connect to have any programs running that require it to be connected to the rest of the network?
0
 
QuiteSupersonic (author) commented:
Yes it does.
0
 
taylorludwig commented:
What access does he need then? Just a certain program? Or access to all files on that computer?

Remote Desktop Connection offers the ability for a program to start when connecting, before Explorer starts; when the program is closed you are disconnected. This ultimately makes it so only that one program is accessible. Although I'm not sure if this is configurable on XP, it might just be for 2003. However, if access to just a single program would work, I'll look into it more.
0
 
QuiteSupersonic (author) commented:
Would I do this with a group policy of some sort? If so, which policy, and how?
0
 
taylorludwig commented:
Under the Active Directory Users and Computers plug-in, find the user, right-click and choose Properties; on the Environment tab you choose the program to run at startup.

You then have the contractor use this logon when connecting through Terminal Services, and it will perform the action as I stated above.

Here is a link with more details:
http://technet2.microsoft.com/windowsserver/en/library/8bc6ba8f-5d4a-45f1-bfe7-623a30635c3e1033.mspx?mfr=true
0
 
QuiteSupersonic (author) commented:
So it only allows that program to run? What about restricting network browsing, printing, opening files, etc.?
0
 
QuiteSupersonic (author) commented:
I mean, I don't want to have to go in and explicitly deny him access to all network resources. I'm looking for the most effective way to have this guy log in via VPN, see the desktop, and basically just work within this one program and that's it. Again, the PC in question is in its own workgroup, but with a domain account he could try to use the login credentials to gain access to other resources, which I don't want. Also, the PC in question is a part of our domain and doesn't have its own public IP address.
0
 
taylorludwig commented:
What it would do is start the program and not run the process explorer.exe, meaning that the user by default wouldn't even see the desktop or the Start menu to go in and mess with other stuff; they would only have access to that one program that is running. Now, with that said, this feature isn't really set up for security but more to host remote applications. I believe that if the user was smart enough they could still get into the desktop by keyboard shortcuts such as the Start button and R to really run any program, including explorer.exe, which would start the desktop and all that.

However, even with all that, all you would need to do is add his account to all the network shares on your file server and print server and he wouldn't be able to get into anything else. As he wouldn't have access to any other computers or be able to log in remotely to any other computers as a standard user by default, it wouldn't be hard to lock down everything else.
0
 
QuiteSupersonic (author) commented:
Just access to a certain program and perhaps any files associated with it (.ini or config files).  
0
 
QuiteSupersonic (author) commented:
Please close this case.
0
Question has a verified solution.