Restricting a windows file-share to certain domain users AND certain domain computers

The easiest way is to make some user groups on Server 2008 (Active Directory) so that users in GROUP1 can access shares that are permitted to GROUP1, users in GROUP2 can access shares that are permitted to GROUP2 and so on.

Work out your groups carefully because a user can be in more than one group (does not have to be) and folder shares can overlap groups.

This all depends on user permissions, so Joe is secure or not secure but not both. A user using a non-secure PC would have to use a different userid.

... Thinkpads_User

Hi thinkpads_user,

Thanks for your input, but creating special/separate userIDs to fulfill this need is not an option.  We need to stick with the single userID created for every user for use across the entire domain.

Thanks,
Waqqas

Users are not dependent on what PC they use. Server domains and users are independent of computers (which change and also because of roaming profiles).

So whatever authorities a user has must work on any domain connected PC.

... Thinkpads_User

So, no one has a solution?

Microsoft Windows domain services are entirely dependent on user authorities by design. They are not at all dependent on the computer used, again by design.

If you must restrict things, you need to take the non-secure machines off the domain, restrict them and give users a set of userids that will allow them only what you want.

Otherwise, if users must maintaint the same userid, then you cannot restrict by computer used. There is no solution for that.

.... Thinkads_User

one can restrict the computers that a user can logon to from there, so if you made these 'secure' computers and the 'secure' server their own subdomain then these users could only logon from the secure computers to the secure server.

In the above example, a user could still map a folder on the main domain.

... Thinkpads_User

Is it not possible to configure Windows Firewall to only allow the SECURE_SERVER to accept incoming connections from the SECURE_PCs?

A firewall can be used to restrict access to ports and like network funcions, and can be tailored by the use of the computer network card MAC address. However, folder mapping functions are not affected at the computer level so far as I know.

As an alternative solution, you might give the particular users laptop computers that only they can use. These could be used in the secure zone and in the public zone.

..... Thinkpads_User

Yes, of course I know that firewalls don't have any file-sharing-restriction type of configuration options, but what I was thinking was that if the SECURE_SERVER can only "talk" to the SECURE_PCs, regardless of what the purpose of the connection is for, then computers other than the SECURE_PCs cannot connect to file-shares (or anything, for that matter) on the SECURE_SERVER.

Firewall policies are by network rule and not by user, so I don't think this can be done. I am not a sufficient detailed firewall expert to know this for certain, but I do use firewalls at clients and I do restrict activity by network rule.

Better, I think, to look at this differently here. Restrict the public computers to off-domain access so they cannot access the secure server at all. Then provide laptop computers to people who need secure access whereever they are. I do the latter in the sense that my computer can securely access client information but no one (except myself) has access to my computer.

.... Thinkpads_User

Yes it can be done by fine tuning the windows firewall policy and restricting it to specific IP ranges or computer names.

Thanks ve3ofa,

I am trying these settings and will let you know how it works out.  Hopefully by Monday.

you may also have to modify the outgoing rules as well

Well, I hate to say it, but these firewall rules do not work as advertised!!  

I spent countless time tinkering with rules, but it just wouldn't work beyond a very limited point.  When first enabling the "File and Sharing (SMB-in)" in-bound rule and selecting the "Allow the connection if it is secure" option, the rule successfully rejects all drive-mapping requests to the server.  When I specify one specific computer to allow connections from, it does indeed allow that to happen, but it also allows connections to come in from every other computer as well!  The Scope (IP) options and the Users options bore absolutely no success whatsoever.  I'm sorry to say that would seemed like the perfect solution simply does not work.  These settings make no difference.

The only headway I was able to make in preventing connections from unwanted parties, was to create a new rule under "Connection Security Rules" and configuring the server to only allow Kerberos authenticated communication from specific IPs.  The remote party would have to have a specific IP address, know (somehow) to change their authentication to Kerberos to make file-sharing work and they would have to be a local admin to make that change.

That said, that is by no means a solution to my problem.  If anyone knows what it takes to make Windows Firewall actually put those File and Sharing settings into effect, I would really love to hear how.

Thanks in advance.

While I appreciate what you are trying to do, it appears to complicated and a maintenance problem into the future.

So I continue to think the *best* way to solve your problem is with secure laptop computers for those employees who need them, and that can move into any zone securely.

Since computers are being replaced all the time, the cost of this taken over 2 or 3 years will not be onerous in any way.

..... Thinkpads_User

@compdigit44:

Happy New Year to you as well :)

That is in effect what I was trying to do with the Kerberos authentication settings.  

I haven't played with IPSec settings yet, but I'll take a look at them in the coming day or two and report back.

The following links contain information on how to setup a IPSec policy:

http://technet.microsoft.com/en-us/library/cc730656(v=ws.10).aspx

http://www.caryglobal.com/miklos/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx

@compdigit44:

Thank you for those links.  

I used the final portion of the caryglobal.com article to create Connectivity Rules in Windows Firewall that required all computers that wished to talk to one another to be configured with the correct IPsec passphrase and to be explicitly checked for conforming to the IPsec settings desired.

The only down side is that if I want different data to have different access restrictions, I would need to create a server for each variation.

However, the set up remains clean on the AD side as there are no multiple usernames required per user or anything like that.  

Thanks for your help!

I did not try doing it via Group Policy.  I just created Connectivity Rules on each workstation I wished to restrict and it worked wonderfully.  Thanks!