Solved

Group Policy denying access to other network resources

Posted on 2014-01-31
279 Views
Last Modified: 2014-02-24
Vendor needs access to the internal network, remoting into their PC and controller. Planning to add the user to the VPN user group on the SonicWall, then have them Remote Desktop to their PC on our network (other staff need to access this PC as well; that's why it needs to be on the network).

The vendor will only have access to the IP of the PC and controller from the VPN settings, but if they authenticate on the network, they would be able to browse and see other resources, correct? So I need something to knock that down.

I don't have a VLAN set up. I didn't want to create another domain. Any recommendations about securing this scenario?
Question by: cobmo

4 Comments

Expert Comment by: Ryan Lanham (LVL 3)
By network resources are you talking about shared drives? If so, you should have permissions already defined in NTFS. Just ensure that the account you are using does not have access / membership to those groups. If you are using network resources / sharing drives and just giving it to Domain Users, you will need to create a new Group Policy and corresponding OU. Perhaps create a new OU in AD called Vendors and apply the GPO.

Author Comment by: cobmo
Not just shares but the ability to browse or access any other PCs, servers, shares, etc. OTHER than the PC and controller he needs to see.

It's different than having an EMPLOYEE VPN into their desktop. This is an unwanted person and I'm trying to accommodate accordingly. Normally we would have an employee initiate a remote desktop session with the vendor and then they would take them to the source. This is different. They are asking for 24/7 access to their PC on our network. I would never allow any such thing but don't really have a choice.

Accepted Solution by: Ryan Lanham (LVL 3, earned 500 total points)
I would still consider a separate OU in AD and apply custom Group Policies restricting the access. Create the OU, block inheritance / remove links to any higher-up GPOs such as your Default Domain Policy if that's where your mapped drives are stored. Then set up a new Policy in which you restrict network browsing:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

These three specifically:

No Computers Near Me in Network Locations
No Entire Network in Network Locations
Remove Map Network Drive and Disconnect Network Drive
Author Comment by: cobmo
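The accepted solution above can be scripted end to end with the ActiveDirectory and GroupPolicy RSAT modules. The block below is an added example, not code from the thread or from Experts Exchange: it creates the OU, blocks inheritance, creates and links the GPO, and sets the three Windows Explorer policies, which are User Configuration settings backed by DWORD values under the Explorer policies key. The OU name "Vendors", the GPO name "Vendor - Restrict Network Browsing" and the account name "vendor01" are assumptions for illustration. Run it from an elevated PowerShell session on a domain controller or an RSAT workstation.

```powershell
# Added example (not from the thread): scripts the steps in the accepted solution.
# Assumed names (not stated in the thread): OU "Vendors", GPO "Vendor - Restrict
# Network Browsing", vendor account "vendor01". Domain DN is read from AD.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$OuName   = 'Vendors'
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'Vendor - Restrict Network Browsing'
$Vendor   = 'vendor01'

# 1. Create the OU that the vendor account will live in (idempotent).
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so domain-level GPOs (e.g. a Default Domain Policy that
#    maps drives) do not reach this OU. GPOs linked as "Enforced" still apply.
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 3. Create the GPO if needed and link it to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. The three Windows Explorer policies named in the accepted solution.
#    User Configuration > Policies > Administrative Templates > Windows Components
#    > Windows Explorer, written as the registry values behind each setting.
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Settings = @{
    'NoComputersNearMe'      = 1   # No Computers Near Me in Network Locations
    'NoNetHood'              = 1   # No Entire Network in Network Locations
    'NoNetConnectDisconnect' = 1   # Remove Map Network Drive and Disconnect Network Drive
}
foreach ($ValueName in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName $ValueName `
        -Type DWord -Value $Settings[$ValueName] | Out-Null
}

# 5. Verify what the GPO now contains, and confirm the vendor account is not a
#    member of any group that grants share or NTFS access (the first comment's point).
Get-GPRegistryValue -Name $GpoName -Key $ExplorerKey | Select-Object ValueName, Type, Value
Get-ADPrincipalGroupMembership -Identity $Vendor | Select-Object -ExpandProperty Name
```

These three settings only remove browsing from the Explorer interface; they do not stop a user from reaching a share by typing its UNC path. The controls that actually deny access are the share and NTFS permissions (so the vendor account must not belong to any group those permissions grant, which is what the membership check at the end reports) and the VPN-side restriction to the two IPs that the question already describes. The GPO is a usability and exposure reduction on top of those, not a substitute for them.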
Is it possible to leave their PC in a "Workgroup" so that it wouldn't require a domain user account and GPO? Using the GPO and user account I'm OK on the PC, but what about the controller device that uses a browser interface to connect? Is there an exclusion list in the GPO that would allow the PC to then access the controller?