Solved

Lock Down Network Discovery from Remote Vendor

Posted on 2014-04-17
6
324 Views
Last Modified: 2014-05-03
I have a new server running Windows 2008 R2 with Remote Desktop enabled. This server was  setup for a vendor to access through a vpn connection and they have local admin rights on this computer only.  My goal is to prevent the remote users from seeing any other system on the domain. What would be the best solution to accomplish this? If its group policy, which policy do I need to enable to lock this system down?


Thanks
smartin0924
0
Comment
Question by:smartin0924
6 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40007472
Enable Access Based Enumeration on your network shares what a user can't see they can't access.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40007560
To do what you are trying to do, place your server in DMZ network if you already have where environment is already locked down

Then only open required ports from DMZ server to production network with required servers only

The same thing can be achieved through Antivirus software as well (Symantec , Mcafee can do this) if you don't have DMZ network, in that case you can place AV rules to block NetBIOS broadcast, local resources in RDP, block application installation.
Also you can use GPO to block many items and effectively decide what logged on user can do and can't do

Now your vendor can logon to server through VPN and can access only logged on server and can't see most of the production network

Mahesh.
0
 
LVL 12

Expert Comment

by:Infamus
ID: 40007923
I would just create a separate vlan and put the server there.


Then you can control what it can or cannot access using access-list.

You will also need a firewall rule to block the vpn user from accessing other servers, of course.  (if you are using firewall vpn)
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Accepted Solution

by:
smartin0924 earned 0 total points
ID: 40013923
None of the provided answers are an option at this time. There has to be some way to prevent users from seeing other computers on the network.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40027933
You can try with disabling workstation and Computer browser service so that users cannot see other computers on network and also same time cannot access them as well.

You can deploy this change through GPO \ local group policy (Gpedit.msc)
0
 
LVL 1

Author Closing Comment

by:smartin0924
ID: 40039029
The answers provided did not solve my problem.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now