Solved

Deny access to shared folder to specific machine

Posted on 2010-08-12
Last Modified: 2013-12-04
Hi all,
My Windows 2003 domain controller has a SATAbeast RAID array attached to it.  This shows up on the server as six separate drives.  I have about 10 shared folders spread across the six drives.  This network is closed and has about 75 systems on it, all Windows XP Pro SP3.  A login script maps all 10 drives each time a user logs in.  I would like to deny access to all shares to five specific systems. I don't mind if they show up under My Computer when a user logs in, but I would like for it to say access denied if they try to open it.  Here is what I have tried....

I have created a security group and placed the five target systems in this group.  I then visited the share tab on each share, added the group and gave it deny all permissions; this did not work.

I added each system individually to the share tab with deny permissions; this did not work.

I tested this by logging on with a non-privileged account.

Anyone have any ideas!?!  Thank you very much.
0
Question by:MDAARC
6 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33424149
Are the drives formatted as NTFS?  You have to use NTFS to enable file level permissions.  A simple convert command will do the trick.
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 33424212
Since the NTFS permissions are defined by USER accounts, it'd be tough to truly restrict those machines to only certain shares.

You could do a loopback policy that's user based that DOESN'T MAP those drives for the user when they log in to that workstation; however, if they have privilege to MAP or use NET USE, they could technically still get there if they're a little savvy.

You could also possibly use TWEAK UI to HIDE those drives.  Maybe even another script executing on those local machines to net use /d all the mappings you don't want.

If there were NO resources on the target server that these machines need access to, you could do a firewalling with IP restrictions to prevent those machines from reaching that particular server in any way.

0
 

Author Comment

by:MDAARC
ID: 33424310
Coast-IT, thanks for your help!  Yes, the drives are all NTFS.  I have the security as well as the share permissions on each drive set for full deny for the security group I created, and users can still access the drive.  I am not familiar with the convert command....

BobintheNoc, thank you for your help also.  Users in the lab log into several different systems, so I cannot block the shares based on user.  We are in the process of updating the script to exclude mapping any drives on the security group systems.  I am also going to do a registry edit to remove the option to map a drive on these five systems, but unfortunately some of the users are savvy and know the path to the server and shared drives.  The server hosting the shares is also the domain controller, so blocking these systems would also block them from authenticating.

Thanks again.
0

 

Expert Comment

by:Byru Srikanth
ID: 33427639

Create a security group and add the user profiles of those you want to restrict.
Edit the script such that only the specified 5 shared drives will be mapped.
Now create a GP which, when a specified profile logs in, will pick from the security group and run the script.
0
 

Author Comment

by:MDAARC
ID: 33429747
Byru Srikanth, thanks for your help.  I actually do not want to restrict users but machines.  I don't want any user who logs in to the five specific machines to be able to access the shares....  Thanks.
0
 

Accepted Solution

by:
MDAARC earned 0 total points
ID: 33432701
Found it!  In order to block shares from the set of systems, I changed a registry setting on each of the five systems:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters

TransportBindName has a value of /device/; you just remove that, leaving the field blank, and the system can no longer access a share!

Thanks everyone.
0
