  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 363

Stopping user browsing and accessing shares

Hi,

I have a Windows 2008 R2 server that is being accessed over RDP. I don't want that user to be able to see or browse to any shares on my domain. They can have access to the Internet.

They are already in a deny list, but I don't want them browsing anywhere either. Is there a Group Policy that can do this?

Best wishes

Michael
Asked by: proximityworld
1 Solution
 
markterry Commented:
Can the machine that they are RDP'ing into be taken off the domain? That would be the easiest.

Otherwise it requires quite a bit of management, unless there is a policy or something like that I am not aware of.

Definitely, for simplicity (which is a requirement of good security) you should make that machine not part of the domain that they are RDP'ing into.
0
 
markterry Commented:
Another possibility is only giving them access to one app. However, sometimes those apps let you browse the file system to open a file or whatever, and then they can browse the network if they know what they are doing and have domain access.
0
 
Bryan Butler Commented:
To be clear, you want the user to see only the local drive folders? Or some shares, but not all shares? Would a local group policy work?

http://technet.microsoft.com/en-us/library/cc938757.aspx
0
 
proximityworld (Author) Commented:
The problem is I need them to log into the machine with a domain account so it had the strong password and expiration of the domain policy.

I was wondering if I could block SMB via the firewall, but was worried that this would also stop the machine seeing SYSVOL and what issues that might cause.

Best wishes

Michael
0
 
McKnife Commented:
0
 
proximityworld (Author) Commented:
That would seem to do the trick, but surely Microsoft has a policy to deny a user/computer from browsing FROM a server rather than having to block it from other servers and having to configure the remote ends.

It would seem simpler to block the user from the machine they're on.

Best wishes

Michael
0
 
McKnife Commented:
No, MS has not. Of course you can use firewall policies, yes, but those don't care what user is logged on.
0
 
proximityworld (Author) Commented:
I don't mind about blocking all users. I can easily change the firewall policy when I need to get on the server.


Cheers

Michael
0
 
McKnife Commented:
I advise you to use the aforementioned policy. Use a GPO and it will be configured everywhere in a jiffy.
0
Question has a verified solution.
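
The firewall idea raised in this thread (block SMB from the RDP server without cutting it off from SYSVOL), as an added example that is not code from any of the posters. Windows Firewall block rules take precedence over allow rules, so rather than "block SMB, then allow the DCs" the script builds one outbound block rule whose remote-address ranges skip the domain controllers. The DC addresses and rule name are assumed placeholder values; it uses `netsh advfirewall`, which is available on Windows Server 2008 R2, and covers IPv4 only.

```powershell
# Assumed placeholder values: replace with your domain controllers' IPv4 addresses.
$DomainControllers = @('10.0.0.10', '10.0.0.11')
$RuleName = 'Block-Outbound-SMB-Except-DCs'   # hypothetical rule name

function ConvertTo-UInt32([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                  # network order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-Ip([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    $bytes -join '.'
}

# Returns every IPv4 address except the excluded ones, in netsh range syntax.
function Get-BlockRanges([string[]]$Exclude) {
    $sorted = $Exclude | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique
    $ranges = @()
    [long]$start = 0
    foreach ($dc in $sorted) {
        if ($dc -gt $start) {
            $ranges += '{0}-{1}' -f (ConvertTo-Ip $start), (ConvertTo-Ip ($dc - 1))
        }
        $start = [long]$dc + 1                # resume just past the excluded address
    }
    if ($start -le [uint32]::MaxValue) {
        $ranges += '{0}-255.255.255.255' -f (ConvertTo-Ip $start)
    }
    $ranges -join ','
}

# Block outbound SMB (TCP 445) and NetBIOS session (TCP 139) to everything but the DCs.
$blocked = Get-BlockRanges $DomainControllers
$netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName",
               'dir=out', 'action=block', 'protocol=TCP',
               'remoteport=445,139', "remoteip=$blocked")

'netsh ' + ($netshArgs -join ' ')   # print the command for review
# & netsh $netshArgs                # uncomment to apply from an elevated prompt
```

As noted in the thread, a firewall rule applies to every user on the server, not only the RDP user. Shares hosted on the domain controllers themselves stay reachable, so the existing deny permissions still matter there.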
