VPN restricted viewing

 
 
Denis Crotty

 
      01-18-2005, 02:01 AM
Hello,

I am trying to set up a VPN for a developer and would like to restrict the
machines that they see on the network. We are running Server 2003, can we do
this with the CMAK wizard? If so could you please give a brief overview or
point me to a good reference?

Thank you,

Denis Crotty
 
 
 
 
 
Todd J Heron

 
      01-18-2005, 03:05 PM
Perhaps setting up a static route for them on their VPN connection will do
the trick.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights


 
 
Phillip Windell

 
      01-18-2005, 03:49 PM
"Denis Crotty" <(E-Mail Removed)> wrote in message
news:A6374A7A-828F-44EE-987A-(E-Mail Removed)...
> I am trying to set up a VPN for a developer and would like to restrict the
> machines that they see on the network. We are running Server 2003, can we do
> this with the CMAK wizard?


Define "see"

Resource access requires user accounts and passwords. He can not access what
his account isn't given permission to access. It doesn't matter what his
machine can "see" at the Layer 3 & 4 level unless you have resources that
can be accessed by "anonymous" or by "Everyone" although those two are not
the same thing.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Denis Crotty

 
      01-18-2005, 03:53 PM
Hi Todd,

I'm not too sure of how to go about setting up a static route on their VPN
connection. The direction I was looking into was IP packet filtering so that
any packets from the source computer would only get to the computer I want
them to "see". But that sounds like the same concept as static routing to me.

Denis
 
Denis Crotty

 
      01-18-2005, 04:01 PM
Hi Phillip, thank you for the reply.

I realize that they should not be able to access what they do not have
permission to access but we have some shares on the network that are
completely open and we would prefer that the user only be able to find the
computers on the network that we specifically allow them to. Do you have any
suggestions to help us accomplish this?

Denis
 
Phillip Windell

 
      01-18-2005, 04:48 PM

"Denis Crotty" <(E-Mail Removed)> wrote in message
news:050B9988-BD24-4501-90DE-(E-Mail Removed)...
> Hi Phillip, thank you for the reply.
>
> I realize that they should not be able to access what they do not have
> permission to access but we have some shares on the network that are
> completely open and we would prefer that the user only be able to find the
> computers on the network that we specifically allow them to. Do you have any
> suggestions to help us accomplish this?


Yes.

Don't have shares like that. The problem is not that you have a VPN user,
the problem is that you have shares that are so unrestricted. Base your
security on who people are, not by what technology they connect by.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Phillip Windell

 
      01-18-2005, 04:56 PM

"Denis Crotty" <(E-Mail Removed)> wrote in message
news:ED5B350C-0658-4DD6-9A7C-(E-Mail Removed)...
> Hi Todd,
>
> I'm not too sure of how to go about setting up a static route on their VPN
> connection. The direction I was looking into was IP packet filtering so that
> any packets from the source computer would only get to the computer I want
> them to "see". But that sounds like the same concept as static routing to me.

That would be Packet Filtering,...although it would be running on top of Layer 3
Routing. VPN users would need to be in their own subnet. The routing device
between their subnet and the rest of the LAN would have ACLs configured on
it to create the restrictions. It can be done, but is a lot of work, and
probably a period of trial and error.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Denis Crotty

 
      01-18-2005, 05:03 PM
Hi Phillip,

Unfortunately that is not a solution for us. As you probably know, sometimes
business needs override security needs. As this is not possible, do you have
any suggestions to accomplish what we are trying to accomplish?

Denis
 
Denis Crotty

 
      01-18-2005, 05:09 PM
Here is an example from Windows on what we think is needed:


http://www.microsoft.com/resources/d...g_VPN_us20.asp

Denis
 
Phillip Windell

 
      01-18-2005, 06:00 PM
"Denis Crotty" <(E-Mail Removed)> wrote in message
news:C33FAC93-0D53-474D-A0FC-(E-Mail Removed)...
> Hi Phillip,
>
> Unfortunately that is not a solution for us. As you probably know, sometimes
> business needs override security needs.


That may be so,...but I don't think this is one of them. This is quite
simply way, way too easy to fix to accept that as being the condition.

All you have to do is make those shares available to Domain Users (not the
Everyone Group) which is going to be everybody anyway,...then create a user
account to use for the VPN,...create a Group called VPN Users,...add the
user to that Group,...set the Group as the user's "default group" and then
remove them from the Domain Users group. Now all the Domain Users have
access to the shares except for the VPN User because he is only in the VPN
Users Group which doesn't have permission.

If that isn't good enough then create the VPN User and VPN Group the same
way but actually *include* the VPN Group in the permissions to the shares
but set the permission to Denied. Denied always overrides everything else,
so everyone would have access to the share except for Users who are members
of the VPN Group.

This isn't that difficult,...MS has had years to develop the flexibility in
their NTFS permissions system and they aren't going to be that
short-sighted.

> As this is not possible do you have
> any suggestions to accomplish what we are trying to accomplish?


I haven't had time to look at the link you gave in the other post yet. But
in another post I commented on a possible solution offered by Todd. However
I think it is much more difficult to make a reality than correcting this
very simple issue that I stated above.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
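
Added example, not part of the thread: a simplified Python model of how the two group setups in the post above change who can open a share. It covers explicit ACEs only; the account and share names are constructed, while the group names are the ones the post uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # group the entry applies to
    rights: frozenset  # rights the entry grants or denies

def access_check(token, acl, wanted):
    """Simplified model of the Windows access check, explicit ACEs only."""
    needed = set(wanted)
    # Canonical order: explicit deny entries are evaluated before allow entries.
    for ace in sorted(acl, key=lambda a: a.kind != "deny"):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if needed & ace.rights:
                return False      # a deny on a right still needed ends the check
        else:
            needed -= ace.rights
            if not needed:
                return True
    return False                  # no entry granted the rest: implicit deny

READ, RW = frozenset({"read"}), frozenset({"read", "write"})

# Constructed accounts, each written as the set of groups in its token.
staff = {"Everyone", "Domain Users"}
vpn_dev = {"Everyone", "VPN Users"}                         # removed from Domain Users
vpn_dev_missed = {"Everyone", "Domain Users", "VPN Users"}  # removal was forgotten

# Constructed share ACLs: today's open share and the two fixes from the post.
open_share = [Ace("allow", "Everyone", RW)]
allow_only = [Ace("allow", "Domain Users", RW)]
with_deny = [Ace("allow", "Domain Users", RW), Ace("deny", "VPN Users", RW)]

def evaluate():
    """Can each account read each share?"""
    accounts = {"staff": staff, "vpn_dev": vpn_dev, "vpn_dev_missed": vpn_dev_missed}
    shares = {"open_share": open_share, "allow_only": allow_only, "with_deny": with_deny}
    return {(a, s): access_check(tok, acl, READ)
            for a, tok in accounts.items() for s, acl in shares.items()}

if __name__ == "__main__":
    for (account, share), ok in evaluate().items():
        print(f"{account:15} {share:11} {'ALLOW' if ok else 'DENY'}")
```

The `vpn_dev_missed` row separates the two setups: the allow-only share stays closed only if the account really leaves Domain Users, while the deny entry holds either way.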


 