
Restrict access to LAN share if connected via RDP over a VPN

dejected asked:
Daft question of the day but here goes:

We have a network share in our AD domain containing confidential data that should not be accessed outside of our office.

We have a couple of users who need access to that share as part of their role but who also need to connect remotely to their Windows 7 PC using our Windows 2008 R2 Remote Access Server by VPN and Remote Desktop Connection.

We want to prevent them accessing the confidential data share if they are connected over the VPN. Is there a way of doing that?

Commented:
Assuming you mean no access to this share from the computer where they initiate this VPN connection and not removing access on the PC they're trying to remote access, as otherwise, how can they do their job?
Just make sure the VPN clients get their IP address from a pool, and have that pool input in the firewall as an exception to deny traffic (in the SMB/File Sharing rule).
You should know, information will always get out if someone really wants it to, including copying the data to USB, or heck, even taking pics of their screen. That's just how life is: if you give them access, even read only, the information is already out.

If you meant, in the office they can access the share, but if they use VPN to take over their own computer, and suddenly the share should be disabled, that's a totally different story. How can they do their work even without that data? The "problem" with remote control is, that it's meant to work as if they're right there in the office.

Author

Commented:
Thanks Kimputer

Sorry I wasn't clear - it is the second scenario. They don't always need the confidential share but they do need to remote in to perform other aspects of their roles that do not require access to that share - we do not want them remoting in to do any processing of the confidential data. This is further complicated by these users being VERY resistant to any administrative or procedural impediments to them carrying out their work.

I was thinking more along the lines of: can the PC tell if it is being accessed remotely rather than physically and, if so, adjust GPOs or login scripts so that the share doesn't appear and any means to connect to it are disabled, e.g. Map Network Drive. It does sound improbable, but the alternative is implementing Control 6.2.2 - Teleworking of ISO 27001 - ouch!
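As an added example (not posted by anyone in the thread) of the logon-script idea the author describes: a PowerShell logon script that checks the SESSIONNAME environment variable, which Windows sets to "Console" for a physical logon and to "RDP-Tcp#<n>" for a Remote Desktop session, and maps or removes the drive letter accordingly. The share path and drive letter are placeholders.

```powershell
# Added example, not code from the thread: per-user logon script that maps the
# confidential share only for console (physical) logons and removes the mapping
# in RDP sessions. Share path and drive letter are placeholders.
$ConfidentialShare = '\\FILESERVER\Confidential'   # placeholder UNC path
$DriveLetter       = 'S'                            # placeholder drive letter

function Test-RdpSession {
    # SESSIONNAME is "Console" for a local logon and "RDP-Tcp#<n>" for a
    # Remote Desktop session (the event log's logon type 10).
    $name = $env:SESSIONNAME
    if ([string]::IsNullOrEmpty($name)) { return $false }
    return ($name -like 'RDP-*')
}

function Test-DriveMapped {
    param([string]$Letter)
    # True when the drive letter currently resolves to anything.
    return (Test-Path -LiteralPath "${Letter}:\")
}

if (Test-RdpSession) {
    # Remote session: make sure the letter is absent so the share does not
    # show up in Explorer or in Map Network Drive.
    if (Test-DriveMapped $DriveLetter) {
        net use "${DriveLetter}:" /delete /y | Out-Null
    }
} else {
    # Console logon: map the share non-persistently so nothing survives logoff
    # and is still mapped when the user later connects over RDP.
    if (-not (Test-DriveMapped $DriveLetter)) {
        net use "${DriveLetter}:" $ConfidentialShare /persistent:no | Out-Null
    }
}
```

Assign it as a user logon script through Group Policy. Removing the drive letter only hides the share; a user can still type the UNC path, so share and NTFS permissions (or the firewall rule on the VPN address pool suggested above) remain the real control.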
Commented:
There are no dynamic GPOs or login scripts that differentiate by login type. While Windows knows how it's logged in (see the event log, login type 2 vs 10), there's no back-and-forth communication between the PC and server concerning this info. A GPO is valid or not; there's no "enable for login type 10" option.
Personally, I'd set up some more PCs (or VMs) and let them remote to those. That seems to be the easiest (though not very cost-effective) way.
Zacharia Kurian, Administrator - Data Center & Network

Commented:
You could create separate user accounts for them with VPN/RDP access plus all the other required access levels, and deny access to the shares. But make sure to restrict/adjust GPOs or login scripts so that the share doesn't appear for these user accounts when on RDP/VPN.


Zac.
John, Business Consultant (Owner)

Commented:
If the users need the share (you said so) and then they go out of the office and you do not want them to have access to the share (you said so), you need to realize they can purloin the data in the office, so protecting it out of the office is largely a waste of time. Daft - as you said so.

Author

Commented:
Thanks all - I've marked Kimputer's as the solution as they've confirmed that there is no way to choose GPOs or scripts, or otherwise mount/dismount the share, based on type of login (physical or remote). The idea would have been that if logged in remotely they don't get the confidential share but can work normally otherwise - they only use the share a couple of times per day. I think it is sledgehammer and nut time.

Commented:
Please note: disable disk sharing and validate that they can't copy the file from RDS and paste it on their computers.
A simple VPN, if you have it on a different subnet with only routing to RDS enabled, means they can't use Windows Explorer to access the share paths and can only do that within RDS.