
restrict network access by gpo


  • restrict network access by gpo

    Hi,

    I'm looking for a way to restrict user net access by means of GPO
    when logging in to a specific TS server.

    I'm using
    Win 2000 Server, with AD 2000.


    Thanks.

  • #2
    Re: restrict network access by gpo

    What exactly are you trying to restrict access to on the network?
    You need to be more descriptive with your goal.



    • #3
      Re: restrict network access by gpo

      All network access.

      Once the user is logged on to the TS,
      I don't want him to be able to connect to any other computer on the net.



      • #4
        Re: restrict network access by gpo

        You mean internet or on your local network?
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: restrict network access by gpo

          Erez,

          What you are trying to do defeats the purpose of TS, and such restrictions do not exist by default, but you can be creative and work your way around it.
          What I mean is that, No you can per se restrict full network access for a specific user using GPO, but you can close the access point.

          To begin with, you can hide 'My Network Places', 'Run', and so on and so forth.



          • #6
            Re: restrict network access by gpo

            Originally posted by Dumber
            You mean internet or on your local network?
            Any net.
            Once the user is logged, he won't be able to get network access,
            so he would be able to use only the resources which are on the computer.



            • #7
              Re: restrict network access by gpo

              Originally posted by Kunal
              Erez,

              What you are trying to do defeats the purpose of TS, and such restrictions do not exist by default, but you can be creative and work your way around it.
              What I mean is that, No you can per se restrict full network access for a specific user using GPO, but you can close the access point.

              To begin with, you can hide 'My Network Places', 'Run', and so on and so forth.
              Well,

              that won't be good enough, as I want the user to be able to use the Run command,
              and maybe access to the internet, but not to the local networks...



              • #8
                Re: restrict network access by gpo

                I'm confused!

                First you want NO network access (including the internet).
                Then you want internet access but no local network access.

                You could stop local network access to other computers by having no shared resources (or hidden shares only). You cannot cut off local network access completely, otherwise your TS connection will be cut off too.

                Tom
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: restrict network access by gpo

                  You use IPSec to cut the server off from all servers except logon... depends on how your network is set up and what services run where...
                  Server 2000 MCP
                  Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **



                  • #10
                    Re: restrict network access by gpo

                    Originally posted by Ossian
                    I'm confused!

                    First you want NO network access (including the internet).
                    Then you want internet access but no local network access.

                    You could stop local network access to other computers by having no shared resources (or hidden shares only). You cannot cut off local network access completely, otherwise your TS connection will be cut off too.

                    Tom
                    I'm sorry, it was my mistake. First I didn't want net access at all, but then I thought that opening access to the internet would be a good idea.

                    As to having no shared resources, it is a bad idea, as I already have shares on other servers that I don't want to disable.

                    I mean cutting net access out from the server, except for the TS session of course.



                    • #11
                      Re: restrict network access by gpo

                      Originally posted by tonyyeb
                      You use IPSec to cut the server off from all servers except logon... depends on how your network is set up and what services run where...
                      OK.
                      Can I use that for a specific user?



                      • #12
                        Re: restrict network access by gpo

                        No, it is by machine only.
                        Server 2000 MCP
                        Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

                        ** Remember to give credit where credit is due and leave reputation points where appropriate **



                        • #13
                          Re: restrict network access by gpo

                          I'm getting more confused.
                          First TS, now per-user based.

                          Place the machine into a DMZ with its own DC for validation.
                          Then he can't access the local resources as long as you shut down your firewall.

                          IPsec does need very much testing before you implement it!
                          Marcel
                          Technical Consultant
                          Netherlands
                          http://www.phetios.com
                          http://blog.nessus.nl

                          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                          "No matter how secure, there is always the human factor."

                          "Enjoy life today, tomorrow may never come."
                          "If you're going through hell, keep going. ~Winston Churchill"



                          • #14
                            Re: restrict network access by gpo

                            Originally posted by Dumber
                            IPsec does need very much testing before you implement it!
                            I'm using basic block all of certain servers, which was quite easy to set up. Reversing it is more complicated in my opinion!
                            Server 2000 MCP
                            Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

                            ** Remember to give credit where credit is due and leave reputation points where appropriate **



                            • #15
                              Re: restrict network access by gpo

                              When talking about TS: so why don't you strip down user rights via GP and then set a fake proxy server in IE (and allow exceptions, for example for the intranet)? The user won't have any chance to change it and also won't have rights to install another browser like Firefox...

                              Maybe I didn't understand your goal; you're changing questions too fast.
