Restrict access to network for a server

By trackme
Hello,
I have a server located in the trusted network. One of my vendors wants to access that server from his remote office via Terminal Services for support.

Now if I give him TS access, from there he can reach all my other servers in my trusted network.

Is there a way I can restrict that remote user to reach my server alone and also restrict him from reaching any other resources? I can have multiple NIC cards in the server and assign a different IP to that NIC card. But at the same time this server should be able to reach other resources like other servers and be able to serve users.

I can't move my server to the DMZ either, since it will affect my trusted network users.

Is there a way so that when that user logs in, he can't reach any other resource than the server? I mean, literally, for that user,

it should behave like a standalone machine with no network access other than the server, for this user or for this Terminal Services connection initiated from the remote IP.

If not via username, is there any other way we can think of?

Regards
Anantha

by 3xp3rt In reply to Restrict access to networ ...

I think the solution is to create a local user who connects to this computer locally. If this user isn't in AD, he can't browse the network, but you can allocate to him the necessary rights for the server's service.

by E.Eliveld In reply to Restrict access to networ ...

Hello,

You could change the port number of the TS on the box.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
- PortNumber (REG_DWORD) = XXXX (decimal)

Combine with the use of filtering on Ports and IP numbers.

Regards,

EE
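The registry change and the port/IP filtering EE describes, as an added PowerShell example that is not part of the original post or the thread's own configuration. The port 3390 and the vendor address 203.0.113.10 are placeholders, and the NetSecurity cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the thread): move the RDP listener off 3389 and
# allow the new port only from the vendor's remote office address.
# Assumptions: $NewPort and $VendorIP are placeholders; run from an elevated
# console session on Windows Server 2012 or later.

$NewPort  = 3390            # placeholder: pick an unused port
$VendorIP = '203.0.113.10'  # placeholder: the vendor office's public IP

# 1. Change the RDP-Tcp listener port (the PortNumber value named in the post).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Disable the built-in "Remote Desktop" rule group, which admits 3389
#    from any address, and make sure the default inbound action is Block.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 3. Allow the new port only from the vendor address. No explicit Block rule
#    is added: in Windows Firewall a Block rule overrides an Allow rule and
#    would lock the vendor out too; the default Block covers other sources.
New-NetFirewallRule -DisplayName "RDP $NewPort from vendor" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $VendorIP -Action Allow -Profile Any

# 4. Restart the listener so the new port takes effect (this drops current
#    RDP sessions; a reboot works as well).
Restart-Service TermService -Force

# Check: the listener is on the new port and the rule is enabled.
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort
Get-NetFirewallRule -DisplayName "RDP $NewPort from vendor" |
    Select-Object DisplayName, Enabled, Action
```

Test from the vendor address and from another internal host; only the first should connect on the new port.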

by CG IT In reply to Restrict access to networ ...

humm, there are two "modes" to terminal services on a Windows server box. administration and application. the first "mode" is self evident. The second mode is for hosting an application on a server that users will access to perform their daily tasks without them having the program installed on their desktops.

If a vendor wants access via terminal services, the question is, is the access for administering the network? If so, is the vendor authorized? If not, well then, you don't grant him the access. If it's to access an application residing on a terminal services server, granting access does not specifically provide access to all other network resources.

There are many ways to restrict users access to resources in a Windows Active Directory environment [is this an Active Directory environment?].

As a simple example: one method would be to create a security group that only has rights of access to one particular server on the network. Put the user in that security group. That user will then have access to only those resources that the security group has been granted access. Active Directory will then process the access rights based upon group membership.

by trackme In reply to Restrict access to networ ...

Hi,
Thanks for your reply, but I'm not sure what you want me to do here.

Do you mean to create an account and give this account to the vendor to connect via TS? In that case I guess, once the user is in via TS, he can connect to any internal resources, right? Leaving aside the Windows network, I have some webservers and other tools, right?

He can still access those. My intention here is to allow the user to connect to the server, and from there he should not be able to reach anywhere outside, meaning for this user the system should act like a standalone PC.

Is this possible? If not via username, is there any other way I can try, like containing via NIC card etc.?

by -Q-240248 In reply to Restrict access to networ ...

I don't think TS is the answer the vendor is looking for. I think they want remote control access, and if this is indeed the case, install a web-access program on the server such as GotoMyPC or other web access, and strictly control access by leaving the service off and having controlled usernames for access. I would even try to create ACLs to/from that server.
