Chris Millard asked:
Block all network shares and internal websites to a specific domain user

I have to set up a domain account to be used by visitors to the site. This account is to be allowed access to ONE website only - an external website. This account should not be able to access any internal websites or shared network resources.

Using the hardware firewall, I've been able to block access to all but this one external website, but using group policies, how do I deny all internal websites and network resources to this account (so that shares aren't even seen on the network)?

Thanks
tigermatt:

using group policies, how do I deny all internal websites and network resources to this account (so that shares aren't even seen on the network)?
This isn't really the domain of Group Policy to achieve, but security permissions via Access Control Lists (ACLs).

Security permissions on the shares should be configured to prevent the user account gaining access. This is easy if you follow the principle of least privilege, since you simply don't grant the user membership of the groups which grant access to each share.

The internal websites are harder. If they use authentication, configure that authentication such that the user is denied access. However, if they do not use authentication, you could use Group Policy to lock down e.g. Internet Explorer to make such sites restricted, but this is not without flaws, because the user could easily bring their browser (such as on a USB stick) and bypass the restrictions.

A better approach would be to avoid using the machine to provide any security, and instead configure this in the network. Since no internal resources are required at all, I would jail the machine into a VLAN with no other machines and from which you can firewall the traffic such that no access to internal machines is permitted. If the machine must be domain joined, you can open minimal firewall ports for communication with the DCs, and no more.
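One way to verify the share-permission part of this advice, as an added example that is not from the thread: a PowerShell audit that lists which SMB shares on a file server grant the visitor account access, directly or through (nested) group membership. The server name, the account name and the availability of the ActiveDirectory and SmbShare modules are assumptions.

```powershell
# Added example, not from the thread. Audit which SMB shares on one file server
# an account can reach through share-level ACLs, directly or via group membership.
# Placeholders: $Server and $User; needs the ActiveDirectory and SmbShare modules.
param(
    [string]$Server = 'FILESERVER01',      # placeholder file server
    [string]$User   = 'CONTOSO\visitor'    # placeholder visitor account
)
Import-Module ActiveDirectory

$domain, $sam = $User.Split('\')
$adUser = Get-ADUser -Identity $sam -Properties PrimaryGroup

# Identities the account can present: itself, its primary group (not listed in
# 'member', so queried separately), every nested group (LDAP_MATCHING_RULE_IN_CHAIN),
# and the well-known principals that cover any domain account.
$principals = @($User, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$principals += "$domain\$((Get-ADGroup -Identity $adUser.PrimaryGroup).SamAccountName)"
$principals += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($adUser.DistinguishedName))" |
    ForEach-Object { "$domain\$($_.SamAccountName)" }

$cim = New-CimSession -ComputerName $Server
$findings = foreach ($share in Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special }) {
    Get-SmbShareAccess -CimSession $cim -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $principals -contains $_.AccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                GrantedVia = $_.AccountName   # the ACE that lets this account in
                Right      = $_.AccessRight
            }
        }
}
Remove-CimSession $cim

# A share-level Allow is a finding to review: NTFS permissions on the folder still
# apply (effective right = the more restrictive), and Deny ACEs, which take
# precedence, are not modelled here.
if ($findings) { $findings | Format-Table -AutoSize } else { "No share on $Server grants $User access." }
```

Running this against each file server before and after removing the account from groups confirms that the least-privilege configuration actually leaves no share reachable.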
Chris Millard (asker):
The problem here is that the user cannot be restricted to any particular PC. This "generic" account that I have to create is for use by any contractors and visitors, and needs to be able to access an external health and safety reporting website from any PC connected to the domain.
ASKER CERTIFIED SOLUTION
tigermatt
I'm still in discussions with the customer about the best way forward with this.
Thanks for the update. What are your current thoughts?
The customer has decided to live with the situation as it is. I have given him an idea of the amount of time and work involved in locking everything down for one specific user, and he does not want to go ahead!
Not really a workable solution in my case, but gave me enough information to pass back to my customer.