Restrict access to Share to combination of User + Computer

[Hans Hinnekint]

Hello,

I would like to restrict the access to some shares to a combination of User
+ Computer, so that this share can only be accessed when the user logs in on
a specific set of computers.

I have static VLANs in place.

What is the best way to handle this?
- EFS
- IPSEC server/computer isolation
- NAP

Any help would be appreciated,

Hans Hinnekint

 

[Roger Abell [MVP]]

Hello,

I would like to restrict the access to some shares to a combination of
User + Computer, so that this share can only be accessed when the user
logs in on a specific set of computers.

I have static VLANs in place.

What is the best way to handle this?
- EFS
- IPSEC server/computer isolation
- NAP

Any help would be appreciated,

Hans Hinnekint

Hi Hans,

There is no direct way to meet those requirements.

If however you can say that all resources on the sharing machine
should only be accessed from a specific set of machines, then one
can use IPsec to enforce the access only "from these computers"
part and use NTFS/share-level permissions to enforce the access
only "by these users" part. Also, if you want to it is possible to
loosen the "all resources on the sharing machine" by having the
IPsec rules govern only the ports needed for filesharing, leaving
other accesses open to more machines.

I have seen a number of people attempt to meet reqs of your
scenario and the above is about as close as you can get with
the current off-the-shelf Windows.

Roger

 

[Hans Hinnekint]

Hello Roger,

Thanks, I was afraid I was overlooking something obvious.

Currently we are solving it by putting the server, together with the
machines that need access to it on a separate VLAN and putting a firewal
between this specific VLAN and the regular VLAN on which the DC and regular
servers + computers are located.

But I will keep on looking for something more elegant and dynamical.

Hans

 

[Jordi Ribas]

Estimado amigo , no entiendo nada de lo que dice aqui