How to disable drive mapping by VPN users?

09-02-2004, 03:19 PM

Hi Guys,
One of my clients has come up with a strange request. They have sales reps
that work in and out of the Office. They want them to work as normal in the
office but when they dial in to the network via VPN they want to restrict
the usage to a terminal server only. I can handle all their requests
regarding the terminal server but they don't want the reps to be able to map
network drives or browse anything on the server or any other server. I can
remove the functionality once they are logged into the terminal server but
how can I stop them from doing a "Map Network Drive" or a NET USE once they
have a VPN connection to the server.

So basically I need to setup accounts the work normally when connected to
the LAN but can not see or map drives when they dial in via VPN. The VPN is
terminated at the terminal server running windows 2003.

Any ideas ?

AS

09-02-2004, 03:45 PM

Hi,

I am not sure of your VPN setup (do you use RRAS, how many network cards
does server have, etc), but I think you should be able to use IP filters
(e.g. RRAS filters) where you could block everything but TCP port 3389 to
TS. Anything else (e.g. drive mapping) would be blocked by this filters...

Mike

"AS" <as@home> wrote in message
news:OX%23Vw%(E-Mail Removed)...
> Hi Guys,
> One of my clients has come up with a strange request. They have sales reps
> that work in and out of the Office. They want them to work as normal in
the
> office but when they dial in to the network via VPN they want to restrict
> the usage to a terminal server only. I can handle all their requests
> regarding the terminal server but they don't want the reps to be able to
map
> network drives or browse anything on the server or any other server. I can
> remove the functionality once they are logged into the terminal server but
> how can I stop them from doing a "Map Network Drive" or a NET USE once
they
> have a VPN connection to the server.
>
> So basically I need to setup accounts the work normally when connected to
> the LAN but can not see or map drives when they dial in via VPN. The VPN
is
> terminated at the terminal server running windows 2003.
>
> Any ideas ?
>
> AS
>
>
>

09-02-2004, 04:37 PM

Yes they use RRAS, the VPN is terminated at the terminal server also, has
one network card. Would the IP filters take effect after the VPN has been
established so I don't need to allow VPN/login ports etc ?

"Miha Pihler" <mihap-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I am not sure of your VPN setup (do you use RRAS, how many network cards
> does server have, etc), but I think you should be able to use IP filters
> (e.g. RRAS filters) where you could block everything but TCP port 3389 to
> TS. Anything else (e.g. drive mapping) would be blocked by this filters...
>
> Mike
>
> "AS" <as@home> wrote in message
> news:OX%23Vw%(E-Mail Removed)...
> > Hi Guys,
> > One of my clients has come up with a strange request. They have sales
reps
> > that work in and out of the Office. They want them to work as normal in
> the
> > office but when they dial in to the network via VPN they want to
restrict
> > the usage to a terminal server only. I can handle all their requests
> > regarding the terminal server but they don't want the reps to be able to
> map
> > network drives or browse anything on the server or any other server. I
can
> > remove the functionality once they are logged into the terminal server
but
> > how can I stop them from doing a "Map Network Drive" or a NET USE once
> they
> > have a VPN connection to the server.
> >
> > So basically I need to setup accounts the work normally when connected
to
> > the LAN but can not see or map drives when they dial in via VPN. The VPN
> is
> > terminated at the terminal server running windows 2003.
> >
> > Any ideas ?
> >
> > AS
> >
> >
> >
>
>

09-02-2004, 04:52 PM

When VPN clients connect and get private IP ... are these IPs from e.g.
"special" range that would be used just by VPN clients? If this was the case
I think you could use IP filters (I never tried this on one NIC, I always
had two).

Mike

"AS" <as@home> wrote in message
news:ekeE$(E-Mail Removed)...
> Yes they use RRAS, the VPN is terminated at the terminal server also, has
> one network card. Would the IP filters take effect after the VPN has been
> established so I don't need to allow VPN/login ports etc ?
>
> "Miha Pihler" <mihap-(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > I am not sure of your VPN setup (do you use RRAS, how many network cards
> > does server have, etc), but I think you should be able to use IP filters
> > (e.g. RRAS filters) where you could block everything but TCP port 3389
to
> > TS. Anything else (e.g. drive mapping) would be blocked by this
filters...
> >
> > Mike
> >
> > "AS" <as@home> wrote in message
> > news:OX%23Vw%(E-Mail Removed)...
> > > Hi Guys,
> > > One of my clients has come up with a strange request. They have sales
> reps
> > > that work in and out of the Office. They want them to work as normal
in
> > the
> > > office but when they dial in to the network via VPN they want to
> restrict
> > > the usage to a terminal server only. I can handle all their requests
> > > regarding the terminal server but they don't want the reps to be able
to
> > map
> > > network drives or browse anything on the server or any other server. I
> can
> > > remove the functionality once they are logged into the terminal server
> but
> > > how can I stop them from doing a "Map Network Drive" or a NET USE once
> > they
> > > have a VPN connection to the server.
> > >
> > > So basically I need to setup accounts the work normally when connected
> to
> > > the LAN but can not see or map drives when they dial in via VPN. The
VPN
> > is
> > > terminated at the terminal server running windows 2003.
> > >
> > > Any ideas ?
> > >
> > > AS
> > >
> > >
> > >
> >
> >
>
>

09-08-2004, 10:31 AM

u could create them a different username for dialin and then only allow VPN
access with this, but deny them permissions on the shares?

"AS" <as@home> wrote in message
news:OX%23Vw%(E-Mail Removed)...
> Hi Guys,
> One of my clients has come up with a strange request. They have sales reps
> that work in and out of the Office. They want them to work as normal in
> the
> office but when they dial in to the network via VPN they want to restrict
> the usage to a terminal server only. I can handle all their requests
> regarding the terminal server but they don't want the reps to be able to
> map
> network drives or browse anything on the server or any other server. I can
> remove the functionality once they are logged into the terminal server but
> how can I stop them from doing a "Map Network Drive" or a NET USE once
> they
> have a VPN connection to the server.
>
> So basically I need to setup accounts the work normally when connected to
> the LAN but can not see or map drives when they dial in via VPN. The VPN
> is
> terminated at the terminal server running windows 2003.
>
> Any ideas ?
>
> AS
>
>
>

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Drive mapping	obnetadmin	Windows Networking	2	09-25-2007 01:44 PM
Mapping users on mount	Captain Dondo	Linux Networking	1	09-30-2005 12:28 AM
Mapping up a drive via VPN	CD	Windows Networking	0	08-19-2004 06:36 AM
Drive mapping	Trev	Windows Networking	1	07-17-2004 10:39 PM
Drive mapping	Richard	Windows Networking	1	07-04-2003 10:34 PM