Disable file share access except for a couple computers (not users), Restrict SMB?

Question
-
I have 2 Windows 2008 servers, an AD file server and a terminal server, and 10 Vista workstations & laptops (more workstations coming). All workstations are joined to the domain. I want to restrict access to the file shares on the file server to only allow the terminal server access and 2 workstations direct access to the shares. The users only need access to the shares from within the terminal server. We don't want them to have access to the shares from their workstations (to prevent employee data theft). All workstations need access to the SYSVOL, domain group policies, DHCP, DNS etc. on the AD file server.
Replacing all the computers and purchasing thin clients is not an option. Plus users take laptops on the road.
There were 2 proposed solutions. 1. Create IPsec between the servers and the 2 workstations that need direct access. Not sure how to do this or if it will work. Or if I attempt it, will I lose complete access from the workstations? I still need to contact AD and SYSVOL from all workstations. Also, would I be able to RDP into the terminal server from any workstation (including TS Web Access) if it is part of an IPsec tunnel?
The other solution was to disable SMB on the workstations and create firewall rules on the AD file server to only allow SMB from the terminal server and 2 workstations into the file server. I have not yet disabled SMB on the workstations. However, on the Windows 2008 AD file server firewall rules I did enforce (both inbound and outbound) "allow only secure connections", applied to all profiles, then selected the specific computers to allow access. I did this to the following services (in firewall inbound/outbound config): "File and Print Sharing" (NB-Datagram-In/Out, NB-Name-In/Out, NB-Session-In/Out, SMB-In/Out). Also on the following service, "Network Discovery": NB-Datagram-In/Out, NB-Name-In/Out. I can still browse the network shares from all computers by typing \\servername (AD file server). Am I missing any services in the firewall rules to restrict the ability to browse the shares? If I can get it to finally restrict access to the shares, will I lose the ability to communicate with the AD file server for group policy, netlogon etc.?
Any help would be greatly appreciated. Thanks
Wednesday, January 13, 2010 11:14 PM
Answers
-
Hello,
Thank you for your post here.
From the description, you want to restrict the access to shared folder on the DC from the workstations and only allow the file share access from the terminal server and two specific workstations.
I am afraid that you will not be able to achieve your goal with either solution 1 or solution 2. There are several aspects that prevent you from achieving it:
@ solution 1
You can create an IPsec rule to only allow secured connections to File & Print Sharing on the DC. However, there is no method to tell SYSVOL access apart from shared data folder access.
@ solution 2
You cannot disable SMB on the workstations. Otherwise, clients will not be able to access SYSVOL and will fail to apply domain GPOs.
From my view, I think you should un-join those 8 clients from the domain and leave the terminal server/2 workstations in the domain for data access.
If you have any questions or concerns, please do not hesitate to let us know.
- Proposed as answer by Vadims Podans MVP, Thursday, January 14, 2010 7:29 AM
- Marked as answer by Miles Li, Monday, January 25, 2010 9:09 AM
Thursday, January 14, 2010 6:48 AM
-
Stand up another server to act as your file server and get those shares off of your domain controller. You'll then have a lot more options as to how you secure access to the file shares as you'll no longer have to worry about disrupting access to the SYSVOL share.
Paul Adare, CTO, IdentIT Inc., ILM MVP
- Marked as answer by Miles Li, Monday, January 25, 2010 9:09 AM
Tuesday, January 19, 2010 9:57 AM
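As an added example (not from this thread or from any of its posters), here is the kind of firewall scoping that becomes possible once the shares live on a dedicated member file server as Paul suggests, rather than on the DC where the poster's rules also hit SYSVOL and NETLOGON. It uses netsh advfirewall, which exists on Windows Server 2008; the host names, addresses and rule names are constructed placeholders.

```batch
@echo off
rem Added example: restrict inbound SMB on a dedicated MEMBER file server to the
rem terminal server and two admin workstations. Run this on the file server
rem itself, not on the DC, so SYSVOL/NETLOGON access is never affected.
rem The three addresses below are constructed placeholders; substitute your own.
set TS=10.0.0.10
set WS1=10.0.0.21
set WS2=10.0.0.22

rem 1. Make the domain profile drop any inbound traffic that has no explicit
rem    allow rule. This is what makes "only these hosts" actually enforceable.
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

rem 2. The built-in File and Printer Sharing group allows SMB (TCP 445) and the
rem    NetBIOS session service (TCP 139) from ANY remote address. Disable the
rem    whole group so those open rules no longer apply.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

rem 3. Re-allow SMB and NetBIOS session only from the three permitted hosts.
rem    Everything else now falls through to the default inbound block.
netsh advfirewall firewall add rule name="SMB-In (TS and admin PCs only)" dir=in action=allow protocol=TCP localport=445 remoteip=%TS%,%WS1%,%WS2% profile=domain
netsh advfirewall firewall add rule name="NB-Session-In (TS and admin PCs only)" dir=in action=allow protocol=TCP localport=139 remoteip=%TS%,%WS1%,%WS2% profile=domain

rem 4. Verify the rules are present and enabled; then test from a workstation
rem    that is NOT in the list (net use \\fileserver\share should fail) and
rem    from the terminal server (it should still succeed).
netsh advfirewall firewall show rule name=all dir=in | findstr /i /C:"admin PCs only"
```

Scoping by IP address is only as strong as the addressing: a laptop whose address can change, or be changed by its user, is not reliably identified this way, so for computer-identity enforcement the "allow only secure connections" (IPsec, computer-account authenticated) rule the poster already tried is the better fit once it runs on a member server. None of this changes the point made in the thread that the share and NTFS ACLs are still evaluated against the user, so permissions on the shares still matter for anyone who can reach one of the allowed hosts.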
All replies
-
Thank you for clarifying. I could unjoin the computers and re-set up the profiles, but then I would be unable to manage the computers through a domain group policy. Also, the users could still have direct access to the shares by simply putting in their user name and password (even if they are not part of the domain).
The owner of the company does not want the users to have direct access to the data because it is a cut throat industry and data theft is common.
What about creating 2 user names on the domain. One for logging on to the laptop (with explicit deny permissions to the shares) and one for logging on to the terminal server? The user could still potentially log onto the laptop with the terminal server user name.
Is there a way to filter security permissions by computer name instead of user name?
Tuesday, January 19, 2010 5:10 AM
-
Is there a way to filter security permissions by computername instead of username?
No, because shares are accessed using the security context of the user, not the computer account.
Paul Adare, CTO, IdentIT Inc., ILM MVP
Tuesday, January 19, 2010 9:55 AM
-