dejected asked:

Restrict access to LAN share if connected via RDP over a VPN

Daft question of the day but here goes:

We have a network share in our AD domain containing confidential data that should not be accessed outside of our office.

We have a couple of users who need access to that share as part of their role but who also need to connect remotely to their Windows 7 PC using our Windows 2008 R2 Remote Access Server by VPN and Remote Desktop Connection.

We want to prevent them accessing the confidential data share if they are connected over the VPN. Is there a way of doing that?
Tags: VPN, Remote Access, Active Directory

Last comment: 8/22/2022 (Mon)

Assuming you mean no access to this share from the computer where they initiate this VPN connection, and not removing access on the PC they're trying to remote access, as otherwise, how can they do their job?
Just make sure the VPN clients get their IP address from a pool, and have that pool input in the firewall as an exception to deny traffic (in the SMB/File Sharing rule).
You should know, information will always get out if someone really wants to, including copying the data to usb, or heck, even taking pics of their screen. That's just how life is, if you give them access, even read only, the information is already out.

If you meant, in the office they can access the share, but if they use VPN to take over their own computer, and suddenly the share should be disabled, that's a totally different story. How can they do their work even without that data? The "problem" with remote control is, that it's meant to work as if they're right there in the office.

Thanks Kimputer

Sorry I wasn't clear - it is the second scenario. They don't always need the confidential share but they do need to remote in to perform other aspects of their roles that do not require access to that share - we do not want them remoting in to do any processing of the confidential data. This is further complicated by these users being VERY resistant to any administrative or procedural impediments to them carrying out their work.

I was thinking more along the lines of: can the PC tell if it is being accessed remotely rather than physically, and if so adjust GPOs or login scripts so that the share doesn't appear and any means to connect to it are disabled, e.g. Map Network Drive? It does sound improbable, but the alternative is implementing Control 6.2.2 (Teleworking) of ISO 27001 - ouch!
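Added example (my own; not code from dejected, Kimputer or anyone else in this thread): Windows does tell a logon script what kind of session it is running in. The SESSIONNAME environment variable is "Console" for a local logon and "RDP-Tcp#<n>" for a Remote Desktop logon, and SystemInformation.TerminalServerSession (a wrapper around GetSystemMetrics(SM_REMOTESESSION)) reports the same thing from .NET. The script below, intended as a GPO user logon script on the Windows 7 PC, maps the confidential share only for console logons and removes the mapping for RDP logons. The server and share name (\\FS01\Confidential), the drive letter X: and the function names are assumptions for the example.

```powershell
# Added example, not from the thread. Hypothetical names: the confidential share is
# \\FS01\Confidential and is normally mapped as X:. Assumes Windows 7 with PowerShell 2.0+,
# run as a user logon script (GPO: User Configuration > Windows Settings > Scripts > Logon).

function Test-RemoteSession {
    # Two independent indicators; either one is enough to treat the logon as remote.
    # 1. SESSIONNAME is "Console" for a local logon and "RDP-Tcp#<n>" for an RDP logon.
    $bySessionName = $env:SESSIONNAME -like 'RDP-*'

    # 2. TerminalServerSession wraps GetSystemMetrics(SM_REMOTESESSION).
    Add-Type -AssemblyName System.Windows.Forms
    $byMetric = [System.Windows.Forms.SystemInformation]::TerminalServerSession

    return ($bySessionName -or $byMetric)
}

function Set-ConfidentialDrive {
    param(
        [string]$DriveLetter = 'X:',                   # hypothetical
        [string]$SharePath   = '\\FS01\Confidential'   # hypothetical
    )
    $net = New-Object -ComObject WScript.Network
    # EnumNetworkDrives returns letter, path, letter, path, ... ; -contains finds the letter.
    $mapped = @($net.EnumNetworkDrives()) -contains $DriveLetter

    if (Test-RemoteSession) {
        # Remote logon: make sure the share is not mapped (force disconnect, update profile
        # so a persistent mapping from an earlier console logon does not come back).
        if ($mapped) { $net.RemoveNetworkDrive($DriveLetter, $true, $true) }
        Write-Host "Remote session ($env:SESSIONNAME): $SharePath not mapped."
    }
    else {
        # Console logon: map the share non-persistently so it lives only for this session.
        if (-not $mapped) { $net.MapNetworkDrive($DriveLetter, $SharePath, $false) }
        Write-Host "Console session: $SharePath mapped as $DriveLetter."
    }
}

Set-ConfidentialDrive
```

Two caveats before relying on this. First, it only controls the drive mapping: share and NTFS permissions are not session-aware, so a user who types the UNC path inside the RDP session still gets in unless the network-level restriction the other replies describe is also in place. Second, it runs only at logon. If the user is already logged on at the console and then connects over RDP, Windows 7 hands the existing session to the RDP client without a new logon, so the script does not run again; covering that case needs a scheduled task with the "On connection to user session" trigger that calls the same function.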

Zacharia Kurian

You could create separate user accounts for them with VPN/RDP access plus all the other required access levels, and deny those accounts access to the shares. But make sure to restrict/adjust GPOs or login scripts so that the share doesn't appear for these user accounts when on RDP/VPN.


If the users need the share (you said so) and then they go out of the office and you do not want them to have access to the share (you said so), you need to realize they can purloin the data in the office, so protecting it out of the office is largely a waste of time. Daft - as you said so.

Thanks all - I've marked Kimputer's as the solution, as they've confirmed that there is no way to choose GPOs or scripts, or otherwise mount/dismount the share, based on the type of login (physical or remote). The idea would have been that if logged in remotely they don't get the confidential share but can work normally otherwise - they only use the share a couple of times per day. I think it is sledgehammer and nut time.

Please note: disable disk sharing and validate that they can't copy a file from RDS and paste it on their computers.
If you have a simple VPN on a different subnet, with routing enabled only to RDS, then they can't use Windows Explorer to access the share paths, and can only do that within RDS.
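Both Kimputer's reply and the one above rely on the VPN clients sitting in their own address pool and being kept off the share at the network layer. As an added example (mine, not from either poster), here is that restriction as Windows Firewall rules on the file server, written with netsh because the server in question is 2008 R2 and the NetSecurity PowerShell cmdlets only arrived with 2012. The pool 10.99.0.0/24, the rule names and the file server are assumptions; use the actual RRAS static address pool.

```powershell
# Added example, not from the thread. Run elevated on the file server that hosts the share.
# Assumption: the RRAS server hands VPN clients addresses from a static pool, here 10.99.0.0/24.
$VpnPool = '10.99.0.0/24'   # hypothetical; must match the RRAS address pool exactly

# Windows Firewall with Advanced Security evaluates block rules before allow rules, so these
# override the built-in "File and Printer Sharing (SMB-In)" allow rule for the VPN range only
# and leave office LAN clients untouched.
netsh advfirewall firewall add rule name="Deny SMB from VPN pool" `
    dir=in action=block protocol=TCP localport=445 "remoteip=$VpnPool" profile=any

# NetBIOS session service, for clients that fall back from direct-hosted SMB.
netsh advfirewall firewall add rule name="Deny NetBIOS session from VPN pool" `
    dir=in action=block protocol=TCP localport=139 "remoteip=$VpnPool" profile=any

# Verify the rules exist, are enabled and carry the expected remote address scope.
netsh advfirewall firewall show rule name="Deny SMB from VPN pool" verbose
netsh advfirewall firewall show rule name="Deny NetBIOS session from VPN pool" verbose
```

As the thread itself notes, this only stops the VPN client machine: an RDP session on the office PC still reaches the share from the office PC's own LAN address, which is the second scenario dejected described, so it has to be combined with controls on the PC (drive mapping, RDP clipboard and drive redirection) rather than used alone.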