Restrict windows fileshare by IP or hostname

Posted on 2013-01-10
Last Modified: 2013-01-16
We have a Windows 2008 file server that has some shares on it, and access to these shares is controlled by NTFS permissions. However, there is one share that has a special requirement: it should not be accessible remotely. We have used 2008 GPO preferences to map the drive based on source IPs and groups, so when users who have access to this share connect remotely via Citrix they do not get this share mapped, but they are still able to click on a link or UNC into the share. Is there any way to restrict this share itself to the internal IP or hostname of their computer only?

Eg:

Dir: c:\shared_folder shared as Share1
allowed hosts: IP address, IP range or Computer name &
allowed users: DOMAIN\SecurityGroup

Access should be allowed if both conditions are met. I am not sure if this is possible. Thanks for your help
Question by:nassr101
6 Comments
 
LVL 9

Expert Comment

by:djsharma
ID: 38766308

Author Comment

by:nassr101
ID: 38766360
Thanks for replying. I am not sure if restricted groups is the solution. I do not need to control or modify access to groups on the server. I need to restrict access to a share based on where the user is connecting from.

Internal LAN IP = allow access
Remote access IP = deny access

Not sure if this is possible at all.
LVL 25

Expert Comment

by:Coralon
ID: 38769400
Is that server used for anything else from the Citrix environment?

If it is not, you could put in a dummy host entry to prevent it from being easily 'found'.  

Another option might be tinkering with IPsec... but that's more than I have ever done.

Another option that springs to mind... maybe add that particular server to the untrusted sites zone?

Coralon
LVL 12

Accepted Solution

by:TomRScott (earned 1500 total points)
ID: 38769529
Start with hiding the share by appending "$" to the share name. And changing the share name at the same time is recommended.

That will stop the GUI "clicking" for all but administrators. BUT, those that know or can guess the share name can still map the drive using a command line.

This may be a start. However, it is really security through obscurity and obviously not the ultimate solution.

Depending on the bandwidth requirements of this and the other shares and resources available on the server you could use Hyper-V and create a guest server for the cost of another OS, dedicating one or more CPU cores and some RAM from the now virtual host server.  That done, you could then dedicate the guest server to that one share (and others like it to follow) and block all remote traffic to it from the remote zones at the Citrix host.

The latter does cost an OS ($) and some resources but is a more vanilla configuration.

 - Tom

Author Comment

by:nassr101
ID: 38769588
Thanks Tom, it is certainly a good work around. I will leave the question open for a couple of days to see if someone else can suggest something else. Cheers.
LVL 77

Expert Comment

by:Rob Williams
ID: 38769965
The only possibility to restrict by IP would be to block/allow the file and print service ports by specific IP or subnet when accessing remotely by VPN or other means; however, where you are using Citrix/RDP they are on the same LAN, so that rules that possibility out.

The only other option would be if a 3rd-party add-on exists that monitors IPs and controls connections, but I personally have never seen one that would do that. Usually access is controlled by user name and associated NTFS/security permissions on the file/folder.
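As an added example that is not part of the thread: Tom's accepted answer (a hidden share on a server dedicated to it, with remote traffic blocked) and Rob's remark about blocking the file and print service ports by source IP or subnet can be combined on a Windows Server 2008 host with `net share` and `netsh advfirewall`. The NetSecurity PowerShell cmdlets (`New-NetFirewallRule`) only arrived with Server 2012, so the script shells out to `netsh`. The share path, share name, security group, the internal client subnet and the Citrix session-host subnet are all assumptions chosen for illustration; substitute your own. It assumes the Citrix hosts have a known address range that can be refused, which is the case the asker describes.

```powershell
# Added example, not code from the Experts Exchange thread.
# Assumptions (hypothetical values):
#   - a Windows Server 2008 host dedicated to the restricted share (Tom's Hyper-V guest idea)
#   - LAN clients that may use the share live in 10.10.0.0/16
#   - Citrix session hosts that must be refused live in 10.20.5.0/24
#   - folder C:\shared_folder, group DOMAIN\SecurityGroup
# Run from an elevated PowerShell session on the file server.

$SharePath   = 'C:\shared_folder'
$ShareName   = 'Share1$'          # trailing $ hides the share from browsing only, not from a typed UNC path
$Group       = 'DOMAIN\SecurityGroup'
$InternalNet = '10.10.0.0/16'     # clients allowed to reach SMB on this host
$CitrixNet   = '10.20.5.0/24'     # Citrix session hosts: explicitly refused

# 1. Re-create the share as a hidden share with share-level permission limited to the group.
#    NTFS permissions on the folder still apply; keep them aligned with the same group.
net share $ShareName /DELETE 2>&1 | Out-Null
net share "$ShareName=$SharePath" "/GRANT:$Group,CHANGE" /REMARK:"Internal access only"

# 2. Remove rules from a previous run so the script can be re-run safely.
netsh advfirewall firewall delete rule name="SMB - block Citrix hosts"     2>&1 | Out-Null
netsh advfirewall firewall delete rule name="SMB - internal clients only" 2>&1 | Out-Null

# 3. Windows Firewall applies block rules before allow rules, so this block wins even though
#    the Citrix subnet could also sit inside a broader allow range.
netsh advfirewall firewall add rule name="SMB - block Citrix hosts" dir=in action=block `
    protocol=TCP localport=445,139 remoteip=$CitrixNet profile=any

# 4. Allow SMB (TCP 445 and NetBIOS session 139) only from the internal client subnet.
netsh advfirewall firewall add rule name="SMB - internal clients only" dir=in action=allow `
    protocol=TCP localport=445,139 remoteip=$InternalNet profile=any

# 5. Disable the built-in File and Printer Sharing rule group; its unscoped allow would
#    otherwise bypass the scoped rule above. Default inbound policy remains block.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

# 6. Show the resulting rules. To verify behaviour, run  net use \\<server>\Share1$
#    from a Citrix session (expected: failure) and from a LAN client (expected: success).
netsh advfirewall firewall show rule name="SMB - block Citrix hosts"
netsh advfirewall firewall show rule name="SMB - internal clients only"
```

Two caveats a practitioner would want. First, the firewall scope is per host, not per share, so this only works when the server hosts nothing the Citrix session hosts legitimately need, which is exactly why Tom proposes a dedicated guest. Second, filtering on source IP does not authenticate the client machine; any host inside the allowed range can still connect, and the `$` prefix is, as Tom says, obscurity only. Tying access to a specific computer, as the question's "hostname" requirement asks, would need IPsec with machine authentication, which Coralon mentions but the thread does not develop.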