Avatar of waqqas31

Restricting a windows file-share to certain domain users AND certain domain computers


I have two virtual zones in my office, one "secure" and the other "public."

All PCs in the office are on the same domain.

Inside the secure zone, we have about 6 PCs, let's call them SECURE_PC1, SECURE_PC2, ..., SECURE_PC6.

There is also a SECURE_SERVER that hosts file shares, let's call them SECURE_SHARE1, SECURE_SHARE2, and so on.

Now, I would like to restrict access to these secure shares, such that only certain users can access them, provided that they are doing so from one of the secure PCs.

For example:

User Joe can access SECURE_SHARE1 if he is logged into SECURE_PC3.

But if the same user Joe tried to access SECURE_SHARE1 from his personal PC elsewhere in the office, he would not be able to.

What is the best way to achieve this kind of security?

The SECURE_SERVER is running Windows Server 2008 R2 Enterprise (SP1) and all SECURE_PCs are running Windows 7 Professional (SP1).  The other PCs in the office are also running Windows 7 Professional (SP1).
Avatar of John

The easiest way is to make some user groups on Server 2008 (Active Directory) so that users in GROUP1 can access shares that are permitted to GROUP1, users in GROUP2 can access shares that are permitted to GROUP2 and so on.

Work out your groups carefully because a user can be in more than one group (does not have to be) and folder shares can overlap groups.

This all depends on user permissions, so Joe is secure or not secure but not both. A user using a non-secure PC would have to use a different userid.

... Thinkpads_User
Avatar of waqqas31


Hi thinkpads_user,

Thanks for your input, but creating special/separate userIDs to fulfill this need is not an option.  We need to stick with the single userID created for every user for use across the entire domain.

Users are not dependent on what PC they use. Server domains and users are independent of computers (which change and also because of roaming profiles).

So whatever authorities a user has must work on any domain connected PC.

... Thinkpads_User
So, no one has a solution?
Microsoft Windows domain services are entirely dependent on user authorities by design. They are not at all dependent on the computer used, again by design.

If you must restrict things, you need to take the non-secure machines off the domain, restrict them and give users a set of userids that will allow them only what you want.

Otherwise, if users must maintain the same userid, then you cannot restrict by computer used. There is no solution for that.

.... Thinkpads_User
Avatar of David Johnson, CD
one can restrict the computers that a user can log on to from there, so if you made these 'secure' computers and the 'secure' server their own subdomain then these users could only log on from the secure computers to the secure server.
In the above example, a user could still map a folder on the main domain.

... Thinkpads_User
Is it not possible to configure Windows Firewall to only allow the SECURE_SERVER to accept incoming connections from the SECURE_PCs?
A firewall can be used to restrict access to ports and similar network functions, and can be tailored by the use of the computer network card MAC address. However, folder mapping functions are not affected at the computer level so far as I know.

As an alternative solution, you might give the particular users laptop computers that only they can use. These could be used in the secure zone and in the public zone.

..... Thinkpads_User
Yes, of course I know that firewalls don't have any file-sharing-restriction type of configuration options, but what I was thinking was that if the SECURE_SERVER can only "talk" to the SECURE_PCs, regardless of what the purpose of the connection is for, then computers other than the SECURE_PCs cannot connect to file-shares (or anything, for that matter) on the SECURE_SERVER.
Firewall policies are by network rule and not by user, so I don't think this can be done. I am not a sufficiently detailed firewall expert to know this for certain, but I do use firewalls at clients and I do restrict activity by network rule.

Better, I think, to look at this differently here. Restrict the public computers to off-domain access so they cannot access the secure server at all. Then provide laptop computers to people who need secure access wherever they are. I do the latter in the sense that my computer can securely access client information but no one (except myself) has access to my computer.

.... Thinkpads_User
Yes it can be done by fine tuning the windows firewall policy and restricting it to specific IP ranges or computer names.

Thanks ve3ofa,

I am trying these settings and will let you know how it works out.  Hopefully by Monday.
you may also have to modify the outgoing rules as well
Well, I hate to say it, but these firewall rules do not work as advertised!

I spent countless time tinkering with rules, but it just wouldn't work beyond a very limited point. When first enabling the "File and Sharing (SMB-in)" in-bound rule and selecting the "Allow the connection if it is secure" option, the rule successfully rejects all drive-mapping requests to the server. When I specify one specific computer to allow connections from, it does indeed allow that to happen, but it also allows connections to come in from every other computer as well! The Scope (IP) options and the Users options bore absolutely no success whatsoever. I'm sorry to say that what seemed like the perfect solution simply does not work. These settings make no difference.

The only headway I was able to make in preventing connections from unwanted parties was to create a new rule under "Connection Security Rules" and configure the server to only allow Kerberos authenticated communication from specific IPs. The remote party would have to have a specific IP address, know (somehow) to change their authentication to Kerberos to make file-sharing work, and they would have to be a local admin to make that change.

That said, that is by no means a solution to my problem. If anyone knows what it takes to make Windows Firewall actually put those File and Sharing settings into effect, I would really love to hear how.

Thanks in advance.
While I appreciate what you are trying to do, it appears too complicated and a maintenance problem into the future.

So I continue to think the *best* way to solve your problem is with secure laptop computers for those employees who need them, and that can move into any zone securely.

Since computers are being replaced all the time, the cost of this taken over 2 or 3 years will not be onerous in any way.

..... Thinkpads_User
Avatar of compdigit44

Happy New Year to you as well :)

That is in effect what I was trying to do with the Kerberos authentication settings.  

I haven't played with IPSec settings yet, but I'll take a look at them in the coming day or two and report back.

Thank you for those links.  

I used the final portion of the article to create Connectivity Rules in Windows Firewall that required all computers that wished to talk to one another to be configured with the correct IPsec passphrase and to be explicitly checked for conforming to the IPsec settings desired.

The only downside is that if I want different data to have different access restrictions, I would need to create a server for each variation.

However, the setup remains clean on the AD side as there are no multiple usernames required per user or anything like that.

Thanks for your help!
I did not try doing it via Group Policy.  I just created Connectivity Rules on each workstation I wished to restrict and it worked wonderfully.  Thanks!
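For readers following the same approach, here is an added example (not posted by anyone in this thread) of the server-isolation pattern the asker ended up with, expressed with the netsh advfirewall commands that exist on Windows Server 2008 R2 and Windows 7: an IPsec connection security rule that requires authenticated inbound traffic, plus an SMB-in rule that only allows authenticated connections from computers in a "secure PCs" domain group. The rule names, the use of computer Kerberos instead of a preshared key, and the group SID placeholder are my assumptions, not settings from the thread.

```powershell
# Added example, not from the thread. Run in an elevated prompt on SECURE_SERVER;
# step 1 is repeated on each SECURE_PC so both ends negotiate IPsec.
# ASSUMPTION: the secure PCs' computer accounts are members of one AD group.
# Replace the placeholder with that group's real SID before running.
$secureGroupSid = 'S-1-5-21-PLACEHOLDER-DOMAIN-1234'

# 1) Connection security rule: inbound traffic on the domain profile must be
#    IPsec-authenticated with the computer's Kerberos identity; outbound traffic
#    requests authentication but still works to hosts that cannot negotiate it.
netsh advfirewall consec add rule name=SecureZone-IPsec `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain

# 2) Turn off the built-in SMB-In allow rule (name as shipped on Win7 / 2008 R2).
#    Any other enabled allow rule for TCP 445 would still admit unauthenticated
#    peers, because allow rules are unioned; only this rule should cover 445.
netsh advfirewall firewall set rule name="File and Printer Sharing (SMB-In)" new enable=no

# 3) Allow TCP 445 only when the connection is IPsec-authenticated AND the
#    authenticated computer account is in the secure-PC group (SDDL grants the
#    group the CC access right, which is how remote computer groups are expressed).
netsh advfirewall firewall add rule name=SecureZone-SMB-In dir=in action=allow `
    protocol=TCP localport=445 profile=domain security=authenticate `
    rmtcomputergrp="D:(A;;CC;;;$secureGroupSid)"

# 4) Verification: after a SECURE_PC maps a share, its main-mode and quick-mode
#    security associations appear here; a public PC should show none and fail to map.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The same rules can be delivered through Group Policy (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security) instead of per machine, which keeps the secure-PC set in one place as machines are replaced.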