VPN - Restrict Users Access ??

Frank

HI,
We are running Windows 2000 Server, fully service packed.

We have created a group called 'Remote VPN Users'.

We have created 3 users; they have been assigned to this group.

The group has been denied access to all folders except 1.

This works fine when the users log on internally: they can only
access their folder, nothing else.

Yet if they VPN in, they have full network access !! WHY ?

How can I restrict them to just their folder ! ???

Thanks
 
Steven L Umbach

Next time they are connected to a server, check Computer
Management/Shared Folders/Sessions [or net sessions] to see exactly how
they are connected - guest perhaps. Be sure the Guest account is disabled on
your servers if not already, and try removing the Everyone group from share
permissions on shares you have created, replacing that group with
Authenticated Users. Keep in mind that an explicit allow permission will
override an inherited deny permission in NTFS. You can also create/modify an
RRAS policy that allows VPN users access to only certain IP addresses on the
network. -- Steve
 
Frank

When the user logs in, the Sessions view shows:

USER: SERVER$
COMPUTER: Server's IP
TYPE: Windows
Guest: NO


Why is it showing SERVER$ ?? not the Remote User ??

Any help, please !!


Steven L Umbach

Frank. Are you using a domain? Is the server you are talking about
also the RRAS/VPN server? If using a domain, is that server also a member of
the domain? --- Steve
 
Frank

We only have one server; this is a Windows 2000 Server with Active
Directory, RRAS, DHCP, DNS etc...

Help ! :)

Thanks
 
Steven L Umbach

Frank. If you have not done so, and it will not interfere with any
applications, on the shares they can access [try testing one], remove the
Everyone group from NTFS permissions and replace it with Authenticated
Users. Also test this on one share - add the three users to the NTFS
permissions with an explicit deny. Are the users logging on to the domain over
the VPN, or do they log on to their local machine and then log in to the
VPN? -- Steve
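The permission rule Steve raises in both of his replies above (an explicit allow overrides an inherited deny; replace Everyone with Authenticated Users; test an explicit per-user deny) is easy to get wrong, so here is a small Python model of how Windows orders and evaluates NTFS ACEs. It is an added example written for this thread, not code from any poster or from Windows itself. It assumes a two-right model (read, write), constructed group memberships for user1, staff1 and a guest session, and two constructed ACLs: Frank's setup as he describes it (the group Deny inherited from the parent folder, the default explicit Everyone Allow still on the folder) and the same folder after Steve's advice is applied.

```python
"""
Toy model of Windows NTFS ACE evaluation (added example, not from the thread).
Windows walks ACEs in canonical order: explicit Deny, explicit Allow,
inherited Deny, inherited Allow. The first ACE that mentions a requested
right decides it, which is why an explicit Allow beats an inherited Deny.
"""
from dataclasses import dataclass

RIGHTS = frozenset({"read", "write"})   # simplified right set (assumption)


@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the ACE applies to
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: frozenset        # subset of RIGHTS
    inherited: bool = False  # True if inherited from a parent folder


def canonical_order(acl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_rights(acl, token, requested=RIGHTS):
    """Maximum-allowed style check: walk ACEs in canonical order; the first
    matching ACE to mention a right decides it (Deny removes it, Allow grants)."""
    granted, undecided = set(), set(requested)
    for ace in canonical_order(acl):
        if not undecided:
            break
        if ace.principal not in token:
            continue
        hit = undecided & ace.rights
        if ace.allow:
            granted |= hit
        undecided -= hit
    return frozenset(granted)


def effective_over_share(share_acl, ntfs_acl, token, requested=RIGHTS):
    """Access through a share is the intersection of share and NTFS results."""
    return (effective_rights(share_acl, token, requested)
            & effective_rights(ntfs_acl, token, requested))


# Constructed tokens (group memberships) for the thread's scenario.
VPN_USER = frozenset({"user1", "Remote VPN Users", "Everyone", "Authenticated Users"})
STAFF = frozenset({"staff1", "Everyone", "Authenticated Users"})
# A guest/anonymous session carries Everyone (on Windows 2000 that group also
# covers anonymous logons) but never Authenticated Users.
GUEST = frozenset({"Everyone"})


def other_folder_before_fix():
    """Frank's setup on a folder the VPN users must NOT reach: the group Deny is
    inherited from the parent, the default explicit Everyone Allow is still there."""
    return [
        Ace("Remote VPN Users", allow=False, rights=RIGHTS, inherited=True),
        Ace("Everyone", allow=True, rights=RIGHTS),
    ]


def other_folder_after_fix():
    """Steve's advice applied: Everyone replaced with Authenticated Users and an
    explicit Deny for each of the three accounts (names are assumptions)."""
    return [
        Ace("user1", allow=False, rights=RIGHTS),
        Ace("user2", allow=False, rights=RIGHTS),
        Ace("user3", allow=False, rights=RIGHTS),
        Ace("Authenticated Users", allow=True, rights=RIGHTS),
        Ace("Remote VPN Users", allow=False, rights=RIGHTS, inherited=True),
    ]


if __name__ == "__main__":
    for label, acl in (("before", other_folder_before_fix()),
                       ("after", other_folder_after_fix())):
        for who, token in (("user1", VPN_USER), ("staff1", STAFF), ("guest", GUEST)):
            print(label, who, sorted(effective_rights(acl, token)))
```

In the "before" case user1 keeps read and write even though the group is denied, because the explicit Everyone Allow is evaluated before the inherited group Deny. After the fix the explicit per-user Deny is evaluated first and wins, staff1 is unaffected, and a guest token gets nothing because it never carries Authenticated Users. Share permissions combine with NTFS by intersection, which effective_over_share shows; tightening the share alone does not help a session that is authenticated as some other account.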
 
Steven L Umbach

I believe that should work fine as long as they are logging on with
their user credentials. Try enabling auditing for account logon and logon
events on the RRAS/domain controller and on any of the computers that they
are not supposed to be able to access, to see exactly how they are being
authenticated. It would be interesting to add those users to the
NTFS permissions as explicit deny and see what happens. I am going to try to
duplicate your scenario on my W2K VPN later today to see what happens. ---
Steve

The 3 users are running Windows 98 or XP Home; they are not logging on
to their PC.


They are connecting to the Internet via ADSL, then using Dial-Up
Networking to VPN into the office.

The username & password they are using is the one we have created in
Active Users and Domains.

We have created a small batch file that uses RASDIAL to allow them to
log in easily:

rasdial office user1 password /domain:test
(names changed)

So now they don't need to go into Dial-Up Networking and click on the
connectoid icon!

Should this work?

Thanks


On Thu, 17 Jul 2003 14:12:07 GMT, "Steven L Umbach"

Frank. Are you using a domain? Is the server you are talking about
also the RRAS/VPN server? If using a domain, is that server also a member of
the domain? --- Steve

Steven L Umbach

I was able to recreate a situation similar to yours on my VPN. This is
what I found out. When you connect to a W2K VPN with logon name/password via
a client connectoid, that username/password is used just to allow you access
to the VPN server. However, the logon name/password that you are logged onto
the computer with is what is used to authenticate against network resources.
Many times the two sets of credentials are the same, but in your case they
may not be. You can verify it by looking at Computer Management/Shared
Folders/Sessions to see how connections to a share are being authenticated for
a particular user. You might want to set up a test share just for that
purpose. Yes, W98 also has logon credentials - the name/password entered in
Networking properties for Microsoft Networking. My guess is that you need to
configure your W98 and XP computers to have the proper logon accounts for
when not logging into the domain. -- Steve
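A small triage script for the check Steve describes (read the Sessions view and work out which account each share connection was actually authenticated as), added here and not part of the thread. The records are constructed in the four-field shape Frank pasted earlier (USER / COMPUTER / TYPE / Guest), the addresses are documentation ranges, and the set of expected account names is an assumption; the Sessions view itself is read in the MMC, so the text would be copied out by hand.

```python
"""
Triage of file-server session records (added example, not from the thread).
Flags sessions that are authenticated as a computer account (name ending in
'$'), as Guest, or as an account outside the expected set: in all three cases
the per-user NTFS permissions set for the VPN users are not what is being
evaluated for that connection.
"""
import re

# Constructed records in the four-field shape Frank pasted (not real output).
SAMPLE_SESSIONS = """\
USER: SERVER$
COMPUTER: 192.0.2.10
TYPE: Windows
Guest: NO

USER: user1
COMPUTER: 192.0.2.11
TYPE: Windows
Guest: NO

USER:
COMPUTER: 192.0.2.12
TYPE: Windows
Guest: YES
"""

# Accounts in the 'Remote VPN Users' group (names are an assumption).
EXPECTED_USERS = {"user1", "user2", "user3"}


def parse_sessions(text):
    """Split blank-line-separated records into dicts keyed by upper-cased field name."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip().upper()] = value.strip()
        records.append(rec)
    return records


def classify(rec):
    """Return the findings for one session record (empty list = nothing to report)."""
    findings = []
    user = rec.get("USER", "")
    if user.endswith("$"):
        # Machine account: the remote user's own credentials were not presented,
        # so Deny ACEs naming that user never apply to this connection.
        findings.append("machine-account session (%s): user ACLs not in effect" % user)
    if rec.get("GUEST", "").upper() == "YES":
        findings.append("guest session: disable the Guest account")
    if user and not user.endswith("$") and user not in EXPECTED_USERS:
        findings.append("unexpected account: %s" % user)
    return findings


def triage(text):
    """Map COMPUTER -> findings for every record that has at least one finding."""
    result = {}
    for rec in parse_sessions(text):
        findings = classify(rec)
        if findings:
            result[rec.get("COMPUTER", "?")] = findings
    return result


if __name__ == "__main__":
    for computer, findings in triage(SAMPLE_SESSIONS).items():
        print(computer, "->", "; ".join(findings))
```

Run against the sample, only the SERVER$ session and the guest session are reported; user1's session is clean. A machine-account entry like the one Frank saw is the signal that the client is not connecting as the user the ACLs were written for, which is the mismatch Steve describes between the VPN logon credentials and the credentials used for network resources.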

Frank

Cheers Steve

I'll try this later today, and let you know how I get on !

Thanks
