  • Status: Solved
  • Priority: Medium
  • Security: Public

Group Policy denying access to other network resources

Vendor needs access to the internal network, remoting into their PC and controller. Planning to add the user to the VPN user group on the SonicWall, then have them Remote Desktop to their PC on our network (other staff need to access this PC as well, that's why it needs to be on the network).

The vendor will only have access to the IP of the PC and controller from the VPN settings, but if they authenticate on the network, they would be able to browse and see other resources, correct? So I need something to knock that down.

I don't have a VLAN set up. I didn't want to create another domain. Any recommendations about securing this scenario?
Asked by: cobmo

1 Solution

Ryan Lanham Commented:
By network resources, are you talking about shared drives? If so, you should have permissions already defined in NTFS. Just ensure that the account you are using does not have access / membership to those groups. If you are using network resources / sharing drives and just giving it to Domain Users, you will need to create a new Group Policy and corresponding OU. Perhaps create a new OU in AD called Vendors and apply the GPO.
cobmo (IT Manager, Author) Commented:
Not just shares but the ability to browse or access any other PCs, servers, shares, etc. OTHER than the PC and controller he needs to see.

It's different than having an EMPLOYEE VPN into their desktop. This is an unwanted person and I'm trying to accommodate accordingly. Normally we would have an employee initiate a remote desktop session with the vendor and then they would take them to the source. This is different. They are asking for 24/7 access to their PC on our network. I would never allow any such thing but don't really have a choice.
Ryan Lanham Commented:
I would still consider a separate OU in AD and apply custom Group Policies restricting the access. Create the OU, block inheritance / remove links to any higher-up GPOs such as your Default Domain Policy if that's where your mapped drives are stored. Then set up a new Policy in which you restrict network browsing:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

These three specifically:

No Computers Near Me in Network Locations
No Entire Network in Network Locations
Remove Map Network Drive and Disconnect Network Drive
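
The OU and GPO steps described above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules; this is an added example, not part of the original post. The domain DN, GPO name and vendor account are placeholders, and the registry value names are assumed to be the ones these three Administrative Template settings write, so confirm them in the GPO settings report. These settings only hide browsing and drive mapping in Explorer; reachability of other hosts is still decided by the VPN access rules and share/NTFS permissions.

```powershell
# Added example. Run from a management host with RSAT as a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN  = 'DC=example,DC=local'                  # placeholder domain
$OuName    = 'Vendors'
$OuDN      = "OU=$OuName,$DomainDN"
$GpoName   = 'Vendors - Restrict Network Browsing'  # hypothetical GPO name
$VendorSam = 'vendor1'                              # placeholder vendor account

# 1. Create the Vendors OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so higher-level GPOs (e.g. drive mappings) do not apply.
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 3. Create the GPO and set the three user-side Explorer restrictions.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Hide network browsing for vendor accounts' | Out-Null
}
$base = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$settings = @(
    @{ Key = "$base\Explorer"; Name = 'NoComputersNearMe' },      # No Computers Near Me
    @{ Key = "$base\Network";  Name = 'NoEntireNetwork' },        # No Entire Network
    @{ Key = "$base\Explorer"; Name = 'NoNetConnectDisconnect' }  # Remove Map/Disconnect Network Drive
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name `
        -Type DWord -Value 1 | Out-Null
}

# 4. Link the GPO to the OU and move the vendor account into it.
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue
Get-ADUser -Identity $VendorSam | Move-ADObject -TargetPath $OuDN

# 5. Verify: inheritance blocked, link present, values set.
Get-GPInheritance -Target $OuDN | Select-Object Path, GpoInheritanceBlocked, GpoLinks
foreach ($s in $settings) {
    Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name
}
```

After the vendor's next logon, `gpresult /r` run as that user should list only this GPO under the applied user policies.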
cobmo (IT Manager, Author) Commented:
Is it possible to leave their PC in a "Workgroup" so that it wouldn't require a domain user account and GPO? Using the GPO and user account I'm OK on the PC, but what about the controller device that uses a browser interface to connect? Is there an exclusion list in the GPO that would allow the PC to then access the controller?