How to restrict AD users' permissions only when connected via PPTP VPN?


  • How to restrict AD users' permissions only when connected via PPTP VPN?

    Hi All,

    I have been asked to implement something I am not sure is possible. The goal is to have a user be assigned a different set of NTFS permissions when logged into the PPTP VPN as opposed to being in the office on the LAN.

    I am authenticating VPN users through MS RRAS on Windows Server 2003. The domain is a Windows 2008 domain.

  • #2
    Re: How to restrict AD users' permissions only when connected via PPTP VPN?

    I don't think it is possible either.
    NTFS permissions are based on user SIDs, and whether the user is logged in locally or remotely via a VPN connection, the user SID remains the same.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR
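
Added example (not part of any post in this thread): a simplified Python model of the DACL check behind the point made in post #2, showing that the token the file server evaluates carries SIDs and nothing about the network path. The SIDs, addresses, access-mask bits and function names are constructed for illustration.

```python
# Simplified model of an NTFS DACL check; all SIDs and addresses are constructed.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access bits, not the real NTFS mask values

@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    sid: str   # trustee SID the entry applies to
    mask: int  # access bits covered by the entry

def build_token(user_sid, group_sids, source_ip):
    """Model of the token a file server builds for an SMB session.

    source_ip is accepted only to show that it is discarded: the modelled token
    holds the user SID, group SIDs and the NETWORK logon SID (S-1-5-2), which is
    present for LAN and VPN clients alike because both reach the share remotely.
    """
    return frozenset({user_sid, *group_sids, "S-1-5-2"})

def access_check(dacl, token, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit refuses."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # bits that were never explicitly granted are refused

# Constructed sample data
USER = "S-1-5-21-1111-2222-3333-1105"
FINANCE = "S-1-5-21-1111-2222-3333-2201"
CONTRACTORS = "S-1-5-21-1111-2222-3333-2202"
DACL = [Ace("deny", CONTRACTORS, WRITE), Ace("allow", FINANCE, READ | WRITE)]

def compare_paths():
    """Same user from the office LAN and from the VPN pool: same token, same result."""
    lan = build_token(USER, [FINANCE], source_ip="192.0.2.10")
    vpn = build_token(USER, [FINANCE], source_ip="198.51.100.7")
    want = READ | WRITE
    return access_check(DACL, lan, want), access_check(DACL, vpn, want)

if __name__ == "__main__":
    print(compare_paths())
```

In this model the only way to change the outcome is to change which SIDs are in the token or on the ACL, which is why the later replies move the control to the network layer instead.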



    • #3
      Re: How to restrict AD users' permissions only when connected via PPTP VPN?

      You can do that through ISA Server, so I would presume TMG has the same functionality. A lot of cash to splash just for that though.

      ISA treats VPN users as a separate network, so you can filter resource access that way. E.g. only allowing access to particular servers and protocols.
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      Cruachan's Blog



      • #4
        Re: How to restrict AD users' permissions only when connected via PPTP VPN?

        As cruachan says you can control what they access while connected via VPN but you can't apply a different set of NTFS permissions. You could look into NAP on W2K8 and see what it can do for you in terms of restricting what they access while connected via VPN.



        • #5
          Re: How to restrict AD users' permissions only when connected via PPTP VPN?

          Originally posted by cruachan
          You can do that through ISA Server, so I would presume TMG has the same functionality. A lot of cash to splash just for that though.

          ISA treats VPN users as a separate network, so you can filter resource access that way. E.g. only allowing access to particular servers and protocols.
          That's a different ball game and you are right, it can be done that way.
          I am under the impression though the OP is talking about accessing the same resources!


          • #6
            Re: How to restrict AD users' permissions only when connected via PPTP VPN?

            Originally posted by danbaarts
            Hi All,

            I have been asked to implement something I am not sure is possible. The goal is to have a user be assigned a different set of NTFS permissions when logged into the PPTP VPN as opposed to being in the office on the LAN.

            I am authenticating VPN users through MS RRAS on Windows Server 2003. The domain is a Windows 2008 domain.
            Why do you want to restrict NTFS permissions when using a VPN when they have the appropriate access to the data when in the office?

            I would recommend setting up auditing, if you are concerned that their access will be abused.

            As mentioned below, restricting access to computers etc. internally would be the best way to go. That would help maintain security, especially if the computer they use to access the VPN from has a virus.

            W2K8 gives you NAP, so it will help prevent computers accessing from outside that are not patched to an appropriate level.
