dejected
Restrict access to LAN share if connected via RDP over a VPN
Daft question of the day but here goes:
We have a network share in our AD domain containing confidential data that should not be accessed outside of our office.
We have a couple of users who need access to that share as part of their role but who also need to connect remotely to their Windows 7 PC using our Windows 2008 R2 Remote Access Server by VPN and Remote Desktop Connection.
We want to prevent them accessing the confidential data share if they are connected over the VPN. Is there a way of doing that?
ASKER
Thanks Kimputer
Sorry I wasn't clear - it is the second scenario. They don't always need the confidential share but they do need to remote in to perform other aspects of their roles that do not require access to that share - we do not want them remoting in to do any processing of the confidential data. This is further complicated by these users being VERY resistant to any administrative or procedural impediments to them carrying out their work.
I was thinking more along the lines of: can the PC tell if it is being accessed remotely rather than physically, and if so adjust GPOs or login scripts so that the share doesn't appear and any means to connect to it (e.g. Map Network Drive) are disabled? It does sound improbable, but the alternative is implementing Control 6.2.2 (Teleworking) of ISO 27001 - ouch!
ASKER CERTIFIED SOLUTION
You could create separate user accounts for them with VPN/RDP access plus all the other required access levels, and deny those accounts access to the shares. But make sure to restrict/adjust GPOs or login scripts so that the share doesn't appear for these user accounts when on RDP/VPN.
Zac.
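One way to implement the "login script so the share doesn't appear over RDP" part of the suggestion above, as an added example that is not code from the thread: a PowerShell logon script deployed by GPO to the Windows 7 PC that maps the share only for a console session and unmaps it for a Remote Desktop session. The share path \\FS01\Confidential and drive letter S: are placeholders.

```powershell
# Added example (not from the thread). Assumes a hypothetical share
# \\FS01\Confidential mapped as drive S:; both values are placeholders.
$SharePath   = '\\FS01\Confidential'
$DriveLetter = 'S'

function Test-RdpSession {
    # SESSIONNAME is "Console" for a local interactive logon and
    # "RDP-Tcp#<n>" for a Remote Desktop session on the same PC.
    $name = $env:SESSIONNAME
    return ($name -ne $null -and $name -like 'RDP-Tcp*')
}

if (Test-RdpSession) {
    # Remote session: make sure the confidential drive is not mapped.
    # Errors are ignored when the drive was never mapped.
    net use "$($DriveLetter):" /delete /y 2>$null | Out-Null

    # Also hide "Map Network Drive" / "Disconnect Network Drive" in
    # Explorer for this user (the NoNetConnectDisconnect policy value).
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'NoNetConnectDisconnect' `
        -PropertyType DWord -Value 1 -Force | Out-Null
} else {
    # Console session: map the drive for this logon only (not persistent).
    net use "$($DriveLetter):" $SharePath /persistent:no | Out-Null
}
```

Unmapping the drive and hiding the menu item only changes what the user sees; the UNC path still works unless the share or NTFS ACL denies that account, so it belongs alongside the separate-account deny described above rather than instead of it.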
If the users need the share (you said so) and then they go out of the office and you do not want them to have access to the share (you said so), you need to realize they can purloin the data in the office, so protecting it out of the office is largely a waste of time. Daft - as you said so.
ASKER
Thanks all - I've marked Kimputer's as the solution as they've confirmed that there is no way to choose GPOs or scripts, or otherwise mount/dismount the share, based on the type of login (physical or remote). The idea would have been that if logged in remotely they don't get the confidential share but can work normally otherwise - they only use the share a couple of times per day. I think it is sledgehammer and nut time.
Please note to disable sharing disks, and validate that they can't copy the file from RDS and paste it on their computers.
Simple VPN: if you have it with a different subnet, and only routing to RDS is enabled, then they can't use Windows Explorer to access the share paths, and can only do that within RDS.
Just make sure the VPN clients get their IP address from a pool, and have that pool input in the firewall as an exception to deny traffic (in the SMB/File Sharing rule).
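The firewall exception described above, as an added example that is not code from the thread: a block rule on the file server (Windows Server 2008 R2 ships netsh advfirewall) that drops inbound SMB from the VPN address pool. The pool 10.99.0.0/24 is a placeholder.

```powershell
# Added example (not from the thread). Run on the file server hosting the
# confidential share. The VPN pool address range is a placeholder.
$VpnPool = '10.99.0.0/24'

# In Windows Firewall a block rule takes precedence over an allow rule, so
# these override the built-in "File and Printer Sharing (SMB-In)" allow
# only for sources inside the VPN pool. 445 = SMB over TCP, 139 = NetBIOS
# session service (legacy SMB transport).
foreach ($port in 445, 139) {
    netsh advfirewall firewall add rule `
        name="BlockSMB-VPNPool-TCP$port" dir=in action=block `
        protocol=TCP localport=$port remoteip=$VpnPool profile=any
}

# Verify the rules exist and show their parameters.
foreach ($port in 445, 139) {
    netsh advfirewall firewall show rule name="BlockSMB-VPNPool-TCP$port"
}
```

This stops the VPN client itself from reaching the share; SMB traffic generated inside the RDP session comes from the office PC's LAN address, so it is not affected by this rule, which is why the "different subnet routed only to RDS" point above and the share ACLs still matter.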
You should know, information will always get out if someone really wants it to, including copying the data to USB or, heck, even taking pics of their screen. That's just how life is: if you give them access, even read-only, the information is already out.
If you meant, in the office they can access the share, but if they use VPN to take over their own computer, and suddenly the share should be disabled, that's a totally different story. How can they do their work even without that data? The "problem" with remote control is, that it's meant to work as if they're right there in the office.