Solved

Restricting a windows file-share to certain domain users AND certain domain computers

Posted on 2012-12-27
21
831 Views
Last Modified: 2013-01-23
Hello,

I have two virtual zones in my office, one "secure" and the other "public."

All PCs in the office are on the same domain.

Inside the secure zone, we have about 6 PCs, let's call them SECURE_PC1, SECURE_PC2, ..., SECURE_PC6.

There is also a SECURE_SERVER that hosts file shares, let's call them SECURE_SHARE1, SECURE_SHARE2, and so on.

Now, I would like to restrict access to these secure shares, such that only certain users can access them, provided that they are doing so from one of the secure PCs.

For example:

User Joe can access SECURE_SHARE1 if he is logged into SECURE_PC3.

But if the same user Joe tried to access SECURE_SHARE1 from his personal PC elsewhere in the office, he would not be able to.

What is the best way to achieve this kind of security?

The SECURE_SERVER is running Windows Server 2008 R2 Enterprise (SP1) and all SECURE_PCs are running Windows 7 Professional (SP1).  The other PCs in the office are also running Windows 7 Professional (SP1).
Question by: waqqas31

21 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 38724090
The easiest way is to make some user groups on Server 2008 (Active Directory) so that users in GROUP1 can access shares that are permitted to GROUP1, users in GROUP2 can access shares that are permitted to GROUP2 and so on.

Work out your groups carefully because a user can be in more than one group (does not have to be) and folder shares can overlap groups.

This all depends on user permissions, so Joe is secure or not secure but not both. A user using a non-secure PC would have to use a different userid.

... Thinkpads_User

Author Comment

by:waqqas31
ID: 38724174
Hi thinkpads_user,

Thanks for your input, but creating special/separate userIDs to fulfill this need is not an option.  We need to stick with the single userID created for every user for use across the entire domain.

Thanks,
Waqqas
LVL 90

Expert Comment

by:John Hurst
ID: 38724197
Users are not dependent on what PC they use. Server domains and users are independent of computers (which change and also because of roaming profiles).

So whatever authorities a user has must work on any domain connected PC.

... Thinkpads_User

Author Comment

by:waqqas31
ID: 38725329
So, no one has a solution?
LVL 90

Expert Comment

by:John Hurst
ID: 38725360
Microsoft Windows domain services are entirely dependent on user authorities by design. They are not at all dependent on the computer used, again by design.

If you must restrict things, you need to take the non-secure machines off the domain, restrict them and give users a set of userids that will allow them only what you want.

Otherwise, if users must maintain the same userid, then you cannot restrict by computer used. There is no solution for that.

.... Thinkpads_User
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 38726349
One can restrict the computers that a user can log on to from there, so if you made these 'secure' computers and the 'secure' server their own subdomain, then these users could only log on from the secure computers to the secure server.
LVL 90

Expert Comment

by:John Hurst
ID: 38726692
In the above example, a user could still map a folder on the main domain.

... Thinkpads_User

Author Comment

by:waqqas31
ID: 38726806
Is it not possible to configure Windows Firewall to only allow the SECURE_SERVER to accept incoming connections from the SECURE_PCs?
LVL 90

Expert Comment

by:John Hurst
ID: 38726823
A firewall can be used to restrict access to ports and similar network functions, and can be tailored by the use of the computer network card MAC address. However, folder mapping functions are not affected at the computer level so far as I know.

As an alternative solution, you might give the particular users laptop computers that only they can use. These could be used in the secure zone and in the public zone.

..... Thinkpads_User

Author Comment

by:waqqas31
ID: 38726846
Yes, of course I know that firewalls don't have any file-sharing-restriction type of configuration options, but what I was thinking was that if the SECURE_SERVER can only "talk" to the SECURE_PCs, regardless of what the purpose of the connection is for, then computers other than the SECURE_PCs cannot connect to file-shares (or anything, for that matter) on the SECURE_SERVER.
LVL 90

Expert Comment

by:John Hurst
ID: 38726876
Firewall policies are by network rule and not by user, so I don't think this can be done. I am not a sufficiently detailed firewall expert to know this for certain, but I do use firewalls at clients and I do restrict activity by network rule.

Better, I think, to look at this differently here. Restrict the public computers to off-domain access so they cannot access the secure server at all. Then provide laptop computers to people who need secure access wherever they are. I do the latter in the sense that my computer can securely access client information but no one (except myself) has access to my computer.

.... Thinkpads_User
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 38728547
Yes, it can be done by fine tuning the Windows Firewall policy and restricting it to specific IP ranges or computer names.

[Screenshots omitted. Captions: "computer names, or change this to the IP addresses or IP range"; "you may have to edit all of these".]

Author Comment

by:waqqas31
ID: 38729230
Thanks ve3ofa,

I am trying these settings and will let you know how it works out.  Hopefully by Monday.
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 38729929
You may also have to modify the outgoing rules as well.

Author Comment

by:waqqas31
ID: 38733658
Well, I hate to say it, but these firewall rules do not work as advertised!!

I spent countless time tinkering with rules, but it just wouldn't work beyond a very limited point.  When first enabling the "File and Sharing (SMB-in)" in-bound rule and selecting the "Allow the connection if it is secure" option, the rule successfully rejects all drive-mapping requests to the server.  When I specify one specific computer to allow connections from, it does indeed allow that to happen, but it also allows connections to come in from every other computer as well!  The Scope (IP) options and the Users options bore absolutely no success whatsoever.  I'm sorry to say that what seemed like the perfect solution simply does not work.  These settings make no difference.

The only headway I was able to make in preventing connections from unwanted parties was to create a new rule under "Connection Security Rules" and configure the server to only allow Kerberos-authenticated communication from specific IPs.  The remote party would have to have a specific IP address, know (somehow) to change their authentication to Kerberos to make file-sharing work, and they would have to be a local admin to make that change.

That said, that is by no means a solution to my problem.  If anyone knows what it takes to make Windows Firewall actually put those File and Sharing settings into effect, I would really love to hear how.

Thanks in advance.
LVL 90

Expert Comment

by:John Hurst
ID: 38733678
While I appreciate what you are trying to do, it appears too complicated and a maintenance problem into the future.

So I continue to think the *best* way to solve your problem is with secure laptop computers for those employees who need them, and that can move into any zone securely.

Since computers are being replaced all the time, the cost of this taken over 2 or 3 years will not be onerous in any way.

..... Thinkpads_User
LVL 19

Accepted Solution

by: compdigit44 (earned 500 total points)
ID: 38733731
Here's a long shot idea...

On the secure_file_server and select workstations, create a local or group policy that creates an IPsec policy and is set to only communicate via IPsec. This way, if a user tries to access the secure_file_server from a workstation that is not configured for IPsec, the secure_file_server will automatically drop the communications.

Hope this makes sense..

Happy New Year!!!
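The accepted IPsec approach above, combined with the "Allow the connection if it is secure" firewall rule the asker experimented with earlier, as an added example that is not from this thread or from any of its participants. It uses the NetSecurity PowerShell module, which requires Windows 8 / Server 2012 or later; on the thread's Server 2008 R2 and Windows 7 the same objects are created in the Windows Firewall with Advanced Security console or with `netsh advfirewall consec`. The domain name `CORP`, the computer group `Secure Workstations`, the rule display names and the function names are assumed placeholders. The point it demonstrates is the pairing the thread circles around: the firewall rule's "authorized computers" list is only evaluated on IPsec-authenticated connections, so it needs a connection security rule on both the server and the secure PCs, and Kerberos computer authentication lets the server check domain group membership instead of a shared passphrase.

```powershell
# Added example (not from the thread or its participants). Restricts SMB (TCP 445) on
# SECURE_SERVER to computers in one domain group by requiring IPsec with Kerberos
# *computer* authentication, so the server learns which machine is connecting and
# not only which user. Needs the NetSecurity module (Windows 8 / Server 2012+);
# run in an elevated PowerShell. Domain, group and rule names are placeholders.
$Domain        = 'CORP'                  # assumed
$ComputerGroup = 'Secure Workstations'   # assumed: holds SECURE_PC1..SECURE_PC6 accounts

function New-SecureSmbAuthSet {
    # Phase 1 (main mode) proposal: Kerberos computer credentials only.
    # No pre-shared key and no anonymous fallback, so a non-domain machine
    # cannot negotiate a security association at all.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -DisplayName 'Secure PCs - computer Kerberos' -Proposal $proposal
}

function Get-ComputerGroupSddl {
    param([string]$Account)
    # Windows Firewall expresses "authorized computers" as an SDDL DACL: CC (connect)
    # granted to the group's SID means only members of that group may connect.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"
}

# ---------------- run on SECURE_SERVER ----------------
function Set-SecureServerRules {
    $authSet = New-SecureSmbAuthSet
    # Connection security rule: inbound SMB must arrive inside an authenticated SA.
    # Unauthenticated connections to 445 are dropped before any share or NTFS ACL is read.
    New-NetIPsecRule -DisplayName 'Require IPsec for SMB' -Profile Domain `
        -InboundSecurity Require -OutboundSecurity Request `
        -Protocol TCP -LocalPort 445 -RemotePort Any `
        -Phase1AuthSet $authSet.Name | Out-Null

    # Firewall rule: the "Allow the connection if it is secure" option plus the
    # authorized-computers list. The computer restriction is only evaluated on
    # IPsec-authenticated connections; without the rule above it has nothing to check.
    Set-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -Enabled True `
        -Authentication Required -RemoteMachine (Get-ComputerGroupSddl "$Domain\$ComputerGroup")
}

# ---------------- run on each SECURE_PC (or push the same settings via GPO) ----------------
function Set-SecureClientRules {
    $authSet = New-SecureSmbAuthSet
    # Request, not require, so the PC still reaches hosts that do not speak IPsec,
    # but answers SECURE_SERVER's demand with its own computer Kerberos ticket.
    New-NetIPsecRule -DisplayName 'IPsec to SECURE_SERVER' -Profile Domain `
        -InboundSecurity Request -OutboundSecurity Request `
        -Protocol TCP -RemotePort 445 -Phase1AuthSet $authSet.Name | Out-Null
}

# ---------------- verification on SECURE_SERVER ----------------
function Test-SecureSmbSa {
    # After a secure PC maps a share, a main-mode SA must exist whose remote identity
    # is that PC's computer account; a public PC produces no SA and a dropped connection.
    Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
}
```

Two caveats that match what the thread observed. First, share and NTFS permissions still decide which users get in; the firewall adds only the "which machine" dimension, and it does so per port on the server, not per share, which is why a different set of allowed computers needs a different server (or a different listener) rather than a different rule. Second, to see the drops from non-secure PCs rather than guess, enable failure auditing for the Filtering Platform Connection subcategory (`auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable`) and look for event ID 5157 in the Security log, which names the blocked source address and port.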

Author Comment

by:waqqas31
ID: 38733932
@compdigit44:

Happy New Year to you as well :)

That is in effect what I was trying to do with the Kerberos authentication settings.  

I haven't played with IPSec settings yet, but I'll take a look at them in the coming day or two and report back.
LVL 19

Expert Comment

by:compdigit44
ID: 38734589

Author Comment

by:waqqas31
ID: 38810739
@compdigit44:

Thank you for those links.

I used the final portion of the caryglobal.com article to create Connectivity Rules in Windows Firewall that required all computers that wished to talk to one another to be configured with the correct IPsec passphrase and to be explicitly checked for conforming to the IPsec settings desired.

The only downside is that if I want different data to have different access restrictions, I would need to create a server for each variation.

However, the setup remains clean on the AD side, as there are no multiple usernames required per user or anything like that.

Thanks for your help!

Author Closing Comment

by:waqqas31
ID: 38810749
I did not try doing it via Group Policy.  I just created Connectivity Rules on each workstation I wished to restrict and it worked wonderfully.  Thanks!