nassr101
Restrict windows fileshare by IP or hostname
We have a Windows 2008 file server that has some shares on it and access to these shares is controlled by NTFS permissions. However, there is one share that has a special requirement that it should not be accessible remotely. We have used 2008 GPO preferences to map the drive based on source IPs and groups, so when users who have access to this share connect remotely via Citrix they do not get this share mapped, but they are still able to click on a link or UNC into the share. Is there any way to restrict this share itself to the internal IP or hostname of their computer only?
Eg:
Dir: c:\shared_folder shared as Share1
allowed hosts: IP address, IP range or Computer name &
allowed users: DOMAIN\SecurityGroup
Access should be allowed if both conditions are met. I am not sure if this is possible. Thanks for your help
ASKER
Thanks for replying. I am not sure if restricted groups is the solution. I do not need to control or modify access to groups on the server. I need to restrict access to a share based on where the user is connecting from.
Internal LAN IP = allow access
Remote access IP = deny access
Not sure if this is possible at all.
Is that server used for anything else from the Citrix environment?
If it is not, you could put in a dummy host entry to prevent it from being easily 'found'.
Another option might be tinkering with IPSec.. but that's more than I have ever done.
Another option that springs to mind.. maybe add that particular server to the untrusted sites zone?
Coralon
ASKER
Thanks Tom, it is certainly a good work around. I will leave the question open for a couple of days to see if someone else can suggest something else. Cheers.
The only possibility to restrict by IP would be to block/allow the file and print service ports by specific IP or subnet when accessing remotely by VPN or other means; however, where you are using Citrix/RDP they are on the same LAN, so that rules that possibility out.
The only other option would be if a 3rd party add-on exists that monitors IPs and controls connections, but I personally have never seen one that would do that. Usually access is controlled by user name and associated NTFS/security permissions on the file/folder.
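The port-scoping approach described in this answer, as an added example that is not part of the original thread: a PowerShell script for Windows Server 2008 that disables the built-in File and Printer Sharing firewall rules and re-allows SMB inbound only from internal address ranges. The subnet values and rule names are placeholders, and it assumes the domain profile's default inbound action is Block; as the answer notes, this applies to the whole server, not one share, and Citrix sessions on the same LAN still fall inside the allowed ranges.

```powershell
# Added example, not code from the original thread.
# Scope inbound SMB on a Windows Server 2008 file server to internal subnets
# using netsh advfirewall (the NetSecurity cmdlets are not available on 2008).
# Assumptions: default inbound action for the domain profile is Block, and the
# ranges below are placeholders for your real LAN subnets.

$InternalSubnets = @('192.168.10.0/24', '192.168.11.0/24')   # constructed values
$RuleName        = 'SMB-In internal subnets only'

# 1. Disable the built-in File and Printer Sharing rules, which allow SMB from any address.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null

# 2. Re-allow SMB (TCP 445) and the NetBIOS session port (TCP 139) only from the listed ranges.
$remoteIp = $InternalSubnets -join ','
foreach ($port in 445, 139) {
    netsh advfirewall firewall add rule name="$RuleName TCP $port" dir=in action=allow `
        protocol=TCP localport=$port remoteip=$remoteIp profile=domain `
        description="SMB restricted to internal LAN ranges; VPN ranges are not listed" | Out-Null
}

# 3. Verify: RemoteIP on the new rule should list only the internal ranges.
netsh advfirewall firewall show rule name="$RuleName TCP 445"
```

Because this is a per-server firewall scope, a VPN client outside the listed ranges is refused at the port, while the NTFS and share permissions on the folder continue to decide which users get in from the allowed ranges.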
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html