Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Restricting a windows file-share to certain domain users AND certain domain computers
Hello,
I have two virtual zones in my office, one "secure" and the other "public."
All PCs in the office are on the same domain.
Inside the secure zone, we have about 6 PCs, let's call them SECURE_PC1, SECURE_PC2., ...., SECURE_PC6.
There is also a SECURE_SERVER that hosts file shares, let's call them SECURE_SHARE1, SECURE_SHARE2, and so on.
Now, I would like to restrict access to these secure shares, such that only certain users can access them, provided that they are doing so from one of the secure PCs.
For example:
User Joe can access SECURE_SHARE1 if he is logged into SECURE_PC3.
But if the same user Joe tried to access SECURE_SHARE1 from his personal PC elsewhere in the office, he would not be able to.
What is the best way to achieve this kind of security?
The SECURE_SERVER is running Windows Server 2008 R2 Enterprise (SP1) and all SECURE_PCs are running Windows 7 Professional (SP1). The other PCs in the office are also running Windows 7 Professional (SP1).
I have two virtual zones in my office, one "secure" and the other "public."
All PCs in the office are on the same domain.
Inside the secure zone, we have about 6 PCs, let's call them SECURE_PC1, SECURE_PC2., ...., SECURE_PC6.
There is also a SECURE_SERVER that hosts file shares, let's call them SECURE_SHARE1, SECURE_SHARE2, and so on.
Now, I would like to restrict access to these secure shares, such that only certain users can access them, provided that they are doing so from one of the secure PCs.
For example:
User Joe can access SECURE_SHARE1 if he is logged into SECURE_PC3.
But if the same user Joe tried to access SECURE_SHARE1 from his personal PC elsewhere in the office, he would not be able to.
What is the best way to achieve this kind of security?
The SECURE_SERVER is running Windows Server 2008 R2 Enterprise (SP1) and all SECURE_PCs are running Windows 7 Professional (SP1). The other PCs in the office are also running Windows 7 Professional (SP1).
Asked:
-
9
7
3- +1
1 Solution
Hi thinkpads_user,
Thanks for your input, but creating special/separate userIDs to fulfill this need is not an option. We need to stick with the single userID created for every user for use across the entire domain.
Thanks,
Waqqas
Thanks for your input, but creating special/separate userIDs to fulfill this need is not an option. We need to stick with the single userID created for every user for use across the entire domain.
Thanks,
Waqqas
Users are not dependent on what PC they use. Server domains and users are independent of computers (which change and also because of roaming profiles).
So whatever authorities a user has must work on any domain connected PC.
... Thinkpads_User
So whatever authorities a user has must work on any domain connected PC.
... Thinkpads_User
Microsoft Windows domain services are entirely dependent on user authorities by design. They are not at all dependent on the computer used, again by design.
If you must restrict things, you need to take the non-secure machines off the domain, restrict them and give users a set of userids that will allow them only what you want.
Otherwise, if users must maintaint the same userid, then you cannot restrict by computer used. There is no solution for that.
.... Thinkads_User
If you must restrict things, you need to take the non-secure machines off the domain, restrict them and give users a set of userids that will allow them only what you want.
Otherwise, if users must maintaint the same userid, then you cannot restrict by computer used. There is no solution for that.
.... Thinkads_User
one can restrict the computers that a user can logon to from there, so if you made these 'secure' computers and the 'secure' server their own subdomain then these users could only logon from the secure computers to the secure server.
Is it not possible to configure Windows Firewall to only allow the SECURE_SERVER to accept incoming connections from the SECURE_PCs?
A firewall can be used to restrict access to ports and like network funcions, and can be tailored by the use of the computer network card MAC address. However, folder mapping functions are not affected at the computer level so far as I know.
As an alternative solution, you might give the particular users laptop computers that only they can use. These could be used in the secure zone and in the public zone.
..... Thinkpads_User
As an alternative solution, you might give the particular users laptop computers that only they can use. These could be used in the secure zone and in the public zone.
..... Thinkpads_User
Yes, of course I know that firewalls don't have any file-sharing-restriction type of configuration options, but what I was thinking was that if the SECURE_SERVER can only "talk" to the SECURE_PCs, regardless of what the purpose of the connection is for, then computers other than the SECURE_PCs cannot connect to file-shares (or anything, for that matter) on the SECURE_SERVER.
Firewall policies are by network rule and not by user, so I don't think this can be done. I am not a sufficient detailed firewall expert to know this for certain, but I do use firewalls at clients and I do restrict activity by network rule.
Better, I think, to look at this differently here. Restrict the public computers to off-domain access so they cannot access the secure server at all. Then provide laptop computers to people who need secure access whereever they are. I do the latter in the sense that my computer can securely access client information but no one (except myself) has access to my computer.
.... Thinkpads_User
Better, I think, to look at this differently here. Restrict the public computers to off-domain access so they cannot access the secure server at all. Then provide laptop computers to people who need secure access whereever they are. I do the latter in the sense that my computer can securely access client information but no one (except myself) has access to my computer.
.... Thinkpads_User
Yes it can be done by fine tuning the windows firewall policy and restricting it to specific IP ranges or computer names.
Thanks ve3ofa,
I am trying these settings and will let you know how it works out. Hopefully by Monday.
I am trying these settings and will let you know how it works out. Hopefully by Monday.
Well, I hate to say it, but these firewall rules do not work as advertised!!
I spent countless time tinkering with rules, but it just wouldn't work beyond a very limited point. When first enabling the "File and Sharing (SMB-in)" in-bound rule and selecting the "Allow the connection if it is secure" option, the rule successfully rejects all drive-mapping requests to the server. When I specify one specific computer to allow connections from, it does indeed allow that to happen, but it also allows connections to come in from every other computer as well! The Scope (IP) options and the Users options bore absolutely no success whatsoever. I'm sorry to say that would seemed like the perfect solution simply does not work. These settings make no difference.
The only headway I was able to make in preventing connections from unwanted parties, was to create a new rule under "Connection Security Rules" and configuring the server to only allow Kerberos authenticated communication from specific IPs. The remote party would have to have a specific IP address, know (somehow) to change their authentication to Kerberos to make file-sharing work and they would have to be a local admin to make that change.
That said, that is by no means a solution to my problem. If anyone knows what it takes to make Windows Firewall actually put those File and Sharing settings into effect, I would really love to hear how.
Thanks in advance.
I spent countless time tinkering with rules, but it just wouldn't work beyond a very limited point. When first enabling the "File and Sharing (SMB-in)" in-bound rule and selecting the "Allow the connection if it is secure" option, the rule successfully rejects all drive-mapping requests to the server. When I specify one specific computer to allow connections from, it does indeed allow that to happen, but it also allows connections to come in from every other computer as well! The Scope (IP) options and the Users options bore absolutely no success whatsoever. I'm sorry to say that would seemed like the perfect solution simply does not work. These settings make no difference.
The only headway I was able to make in preventing connections from unwanted parties, was to create a new rule under "Connection Security Rules" and configuring the server to only allow Kerberos authenticated communication from specific IPs. The remote party would have to have a specific IP address, know (somehow) to change their authentication to Kerberos to make file-sharing work and they would have to be a local admin to make that change.
That said, that is by no means a solution to my problem. If anyone knows what it takes to make Windows Firewall actually put those File and Sharing settings into effect, I would really love to hear how.
Thanks in advance.
While I appreciate what you are trying to do, it appears to complicated and a maintenance problem into the future.
So I continue to think the *best* way to solve your problem is with secure laptop computers for those employees who need them, and that can move into any zone securely.
Since computers are being replaced all the time, the cost of this taken over 2 or 3 years will not be onerous in any way.
..... Thinkpads_User
So I continue to think the *best* way to solve your problem is with secure laptop computers for those employees who need them, and that can move into any zone securely.
Since computers are being replaced all the time, the cost of this taken over 2 or 3 years will not be onerous in any way.
..... Thinkpads_User
Here's a long shot idea...
On the secure_file_server and select workstations create a local or group policy that creates an IPSec policy and is set to only communicate via IPsec. This was if a user tries to access the secure_file_server from a workstation that is not configured for IPSEC the secure_file_server will automatically drop the communications.
Hope this makes sense..
Happy New Year!!!
On the secure_file_server and select workstations create a local or group policy that creates an IPSec policy and is set to only communicate via IPsec. This was if a user tries to access the secure_file_server from a workstation that is not configured for IPSEC the secure_file_server will automatically drop the communications.
Hope this makes sense..
Happy New Year!!!
@compdigit44:
Happy New Year to you as well :)
That is in effect what I was trying to do with the Kerberos authentication settings.
I haven't played with IPSec settings yet, but I'll take a look at them in the coming day or two and report back.
Happy New Year to you as well :)
That is in effect what I was trying to do with the Kerberos authentication settings.
I haven't played with IPSec settings yet, but I'll take a look at them in the coming day or two and report back.
The following links contain information on how to setup a IPSec policy:
http://technet.microsoft.com/en-us/library/cc730656(v=ws.10).aspx
http://www.caryglobal.com/miklos/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx
http://technet.microsoft.com/en-us/library/cc730656(v=ws.10).aspx
http://www.caryglobal.com/miklos/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx
@compdigit44:
Thank you for those links.
I used the final portion of the caryglobal.com article to create Connectivity Rules in Windows Firewall that required all computers that wished to talk to one another to be configured with the correct IPsec passphrase and to be explicitly checked for conforming to the IPsec settings desired.
The only down side is that if I want different data to have different access restrictions, I would need to create a server for each variation.
However, the set up remains clean on the AD side as there are no multiple usernames required per user or anything like that.
Thanks for your help!
Thank you for those links.
I used the final portion of the caryglobal.com article to create Connectivity Rules in Windows Firewall that required all computers that wished to talk to one another to be configured with the correct IPsec passphrase and to be explicitly checked for conforming to the IPsec settings desired.
The only down side is that if I want different data to have different access restrictions, I would need to create a server for each variation.
However, the set up remains clean on the AD side as there are no multiple usernames required per user or anything like that.
Thanks for your help!
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
Work out your groups carefully because a user can be in more than one group (does not have to be) and folder shares can overlap groups.
This all depends on user permissions, so Joe is secure or not secure but not both. A user using a non-secure PC would have to use a different userid.
... Thinkpads_User