Solved

How to give a temporary remote user limited access to network files

Posted on 2014-01-14
13
381 Views
Last Modified: 2014-01-16
Environment is windows 2003 domain.

We have need for a temporary outside user to have access to only one set of our network folders. I have created a user ID for this user.

How can I prevent them from having access to anything else including areas that can normally be accessed by "Authenticated Users".

Or perhaps, how can I remove this user from "Authenticated Users"?
0
Comment
Question by:TMITECHS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
  • +1
13 Comments
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 250 total points
ID: 39780240
Hi

Authenticated users are users who have authenticated to the domain controller.

This outside user does work on premises? In that case you do not create a domain users account on the DC but a local user account on the file server where the folder resides.

Create a security group on that box called 'outside users' and make the new user a member for that group.
Once done delete all memberships beside the outside users and give this group appropiate rights on th folder you want to. This pretty covers your issue i suppose.
0
 
LVL 3

Assisted Solution

by:fredvr666
fredvr666 earned 50 total points
ID: 39780242
You cannot remove the user from Authenticated Users it's a builtin group.
The only way is joning the user to a group and then deny the rights on a directory or file to that group
0
 

Author Comment

by:TMITECHS
ID: 39780282
To: Patricksr1972

This sounds good but will that user now be able to RDC into our network to access the files they need?

To: fredvr666

Thanks I needed that confirmation that I could not remove a user from Auth Users.
But with the method you describe I need to deny all shares at high level and then grant access at one low level folder. Does this seem right? I don' want to risk overwriting my vast array of permissions.
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 
LVL 5

Assisted Solution

by:Jullez
Jullez earned 200 total points
ID: 39780302
How is the user connecting to your network, VPN or Terminal server?  Or by "temp outside user" you mean, that he is on-premise user? You did mention RDC. Please specify.
0
 
LVL 23

Accepted Solution

by:
Patrick Bogers earned 250 total points
ID: 39780303
Hi again,

By explaining what authenticated users define i thought you would understand you cannot alter it. Avoiding it is possible by my solution since you dont authenticate against the DC but a local machine.

About RDP, yes it can IF a) you have an RDP forward in place for this fileserver and b) if you add the new user on the fileserver to be member of the Remote Desktop Users group.

Small note, it is not very good design to have rights distributed to shares based on 'authenticated users'. You see this now.
Better design is to 'group' people in security groups like:
Accountingpeople in security group Accounting, give this group rights to accounting shares.
Helpdesk people in group Helpdeskusers and same policy applies.

This way you cover all your shares and can safely delete the 'authenticated users' permissions from all custom shares.
0
 

Author Comment

by:TMITECHS
ID: 39780323
Patricksr1972
Thanks I will try it.

Jullez
The remote user will connect by Terminal Server.
Although, VPN is not out of the question.
0
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 250 total points
ID: 39780334
I need to correct myself here, 'authenticated users' are also local users accounts.

In that case i would try to configure the guest account (which never belongs to authenticated users) for this outside user.

So add guest account to the security group  'outside users'
Plus add guest to the remote desktop users (this i have never tried to do)
0
 
LVL 5

Assisted Solution

by:Jullez
Jullez earned 200 total points
ID: 39780340
If Terminal Server, you can lock down the shared drives. Usually on shared drives, I remove all the permissions and the assign Admin and user rights as needed, avoiding user "everyone" and "authenticated" users. You could also map specific drives just for that user when they start the terminal session, blocking browsing "up". On the terminal server you can lock that temp user in a way that he will only see the desktop, and NTFS+Share permissions will give him very minimal access.
0
 

Author Comment

by:TMITECHS
ID: 39780402
Thanks both, more good info!

J  How to block "browsing up"?
0
 
LVL 5

Expert Comment

by:Jullez
ID: 39780458
Depending on the OS you are using on the file server, you could enable Access Based Enumeration.  This is a feature, enabled at the volume level, that allows you to 'see' only things that you have access to. It should prevent the temp user from being able to get to those top level folders.
0
 

Author Comment

by:TMITECHS
ID: 39780466
thanks.
I will try these things.

I will likely award points tomorrow after some testing.
0
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39780491
Good luck.
0
 

Author Closing Comment

by:TMITECHS
ID: 39785707
Although not completely resolved for me, I appreciate this info that I believe will lead to a solution that I can live with.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question