Lock Down Network Discovery from Remote Vendor

I have a new server running Windows 2008 R2 with Remote Desktop enabled. This server was  setup for a vendor to access through a vpn connection and they have local admin rights on this computer only.  My goal is to prevent the remote users from seeing any other system on the domain. What would be the best solution to accomplish this? If its group policy, which policy do I need to enable to lock this system down?


Thanks
smartin0924
LVL 1
smartin0924Asked:
Who is Participating?
 
smartin0924Connect With a Mentor Author Commented:
None of the provided answers are an option at this time. There has to be some way to prevent users from seeing other computers on the network.
0
 
David Johnson, CD, MVPOwnerCommented:
Enable Access Based Enumeration on your network shares what a user can't see they can't access.
0
 
MaheshArchitectCommented:
To do what you are trying to do, place your server in DMZ network if you already have where environment is already locked down

Then only open required ports from DMZ server to production network with required servers only

The same thing can be achieved through Antivirus software as well (Symantec , Mcafee can do this) if you don't have DMZ network, in that case you can place AV rules to block NetBIOS broadcast, local resources in RDP, block application installation.
Also you can use GPO to block many items and effectively decide what logged on user can do and can't do

Now your vendor can logon to server through VPN and can access only logged on server and can't see most of the production network

Mahesh.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
InfamusCommented:
I would just create a separate vlan and put the server there.


Then you can control what it can or cannot access using access-list.

You will also need a firewall rule to block the vpn user from accessing other servers, of course.  (if you are using firewall vpn)
0
 
MaheshArchitectCommented:
You can try with disabling workstation and Computer browser service so that users cannot see other computers on network and also same time cannot access them as well.

You can deploy this change through GPO \ local group policy (Gpedit.msc)
0
 
smartin0924Author Commented:
The answers provided did not solve my problem.
0
All Courses

From novice to tech pro — start learning today.