Solved

SBS2008 Grant VPN access to one server only.

Posted on 2011-09-12
Last Modified: 2012-05-12
Hi all, we're currently using SBS2008 to control VPN access to all our servers.
We have some external consultants that I want to grant access to one server only.
I don't want to allow any access to our email (so don't want to create an email address for the user ID) and I don't want them to see any of the shares, files, other computers, etc.
Just one particular server, which happens to be an AS400.

One way is to create a very restricted User ID somehow and grant VPN access.
Is there a way to ONLY allow this user ID access to just the AS400 in question in VPN under SBS2008?

The other way I suppose is to set up a Hardware VPN between them and us and only allow them access to the specific server via the VPN router.

Has anyone had to do something like this before?
Question by:afurness
LVL 77

Expert Comment

by:Rob Williams
ID: 36522594
In active directory under the user's properties, on the Account tab, you can click the "Logon to" button. By default it is set to all computers. You can specify the computer/server to which you want to grant them access.
0
 

Author Comment

by:afurness
ID: 36522690
Our VPN server is also our DC etc. and a file server; can I ensure this user cannot see any of the files on this server as well?
By removing access to log on to this server, will that stop them being able to log into the VPN?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 36522887
They should still be able to authenticate to the domain using the VPN and then log on only to the one server of your choice. Regardless of what server or PC to which they are logging on, the VPN authentication is a separate process from logging onto the RRAS server, and should be allowed so long as they are a member of the "Virtual Private Network Users" group.

However, the above restriction will not stop them from accessing files through a share or similar method, if for example there is a mapped drive on their server. For that you need to make sure their account is not a member of any group that has NTFS/security permissions to access a shared resource.
For this reason, I never create a share that allows "domain users" or "Everyone access" NTFS/Security permission access (should be everyone share access). Instead create a group such as "file users" and grant them access, and do not add users such as your VPN users to that group. Alternatively you can always use the deny permission for your VPN users. Just be careful with deny that you don't include yourself.
0
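
An audit of the points in the accepted answer, as an added example that is not part of the original thread: it reports the account's "Log On To" setting, its VPN group membership, and any NTFS entry on a share root that applies to the account. It assumes the ActiveDirectory PowerShell module is available and is run on the file server; `vpn-consultant` is a hypothetical account name.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$sam  = 'vpn-consultant'   # hypothetical restricted account name
$user = Get-ADUser -Identity $sam -Properties LogonWorkstations

# 1. "Log On To" restriction: an empty value means all computers (the default).
if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
    Write-Warning "$sam can log on to ALL computers"
} else {
    "Log On To is limited to: $($user.LogonWorkstations)"
}

# 2. Every group the account belongs to, nested groups included
#    (LDAP_MATCHING_RULE_IN_CHAIN; the primary group is not returned by this filter).
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")
if (-not ($groups | Where-Object { $_.Name -like '*Virtual Private Network Users*' })) {
    Write-Warning "$sam is not in the VPN users group and will not be able to connect"
}

# Principals whose permissions apply to this account: its own name, its groups,
# and the implicit ones every domain account carries.
$names  = @($sam) + @($groups | ForEach-Object { $_.SamAccountName })
$names += 'Domain Users', 'Users', 'Authenticated Users', 'Everyone'

# 3. NTFS entries on the root of each ordinary disk share (Type 0 skips C$, ADMIN$, IPC$).
#    Only the share root is inspected; subfolders with broken inheritance are not covered.
$shares = Get-WmiObject -Class Win32_Share -Filter 'Type = 0'
foreach ($share in $shares) {
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        # 'DOMAIN\Domain Users' -> 'Domain Users'
        $leaf = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($names -contains $leaf) {
            New-Object PSObject -Property @{
                Share    = $share.Name
                Path     = $share.Path
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType   # Allow or Deny
                Rights   = $ace.FileSystemRights
            }
        }
    }
}
```

Any `Allow` row in the output is a share the restricted account can still read through NTFS permissions; a `Deny` row for a group that also contains administrators is the case the answer warns about.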
 

Author Closing Comment

by:afurness
ID: 36523380
OK, thanks, that all makes sense. :)
0
