How to block file copy function transfer through the VPN.

  • Thread starter Thread starter Sam Mok
  • Start date Start date
S

Sam Mok

Hi Sir/Miss,

I had just build up a VPN for my company with a windows 2003 server.
But my company only want the users who can connect to our VPN for just
remote desktop function.
We don't want the users to use our file server's resources.
I had tried to block by IP Filter function from the "Routing and remote
access" policies.
But after many tires, I also failed to do it.

Anybody can in help? Thanks so much.

Sam Mok
 
Sam said:
I had just build up a VPN for my company with a windows 2003 server.
But my company only want the users who can connect to our VPN for just
remote desktop function.
We don't want the users to use our file server's resources.
I had tried to block by IP Filter function from the "Routing and remote
access" policies.
But after many tires, I also failed to do it.

Anybody can in help? Thanks so much.
Click to expand...

Just to verify - you do know that if they can map drives on their remote
desktop - then through that they can copy files to their local computers
too - right? No need to map the drives directly (from their laptop/home
PC/remote location.) Remote Desktop can let their local resources pass
through.

So can you define what it is you are trying to prevent? Is it that ability?
Is it mapping the drive shares directly? Something else?
 
Hi Shenan Stanley,

Thanks for your helps, my company just don't want the users to copy any
files from our server. But we can let the remote users to login our terminal
server.
How can I do? Thanks so much.

Sam Mok
 
Hi Shenan Stanley,

My company just don't want the remote users to copy any files to their
notebook or home pc from our server. But we can let them to login our
terminal server for jobs need.
How can we do? Thanks so much.

Sam Mok
 
Sam said:
Hi Sir/Miss,

I had just build up a VPN for my company with a windows 2003 server.
But my company only want the users who can connect to our VPN for just
remote desktop function.
We don't want the users to use our file server's resources.
I had tried to block by IP Filter function from the "Routing and remote
access" policies.
But after many tires, I also failed to do it.

Anybody can in help? Thanks so much.

Sam Mok
Click to expand...

Why do you permit outsiders entry into your network as though they were
located at work? Even if coming through a VPN, the outside hosts should be
placed in a less-privileged zone. That zone dictates to which servers those
hosts may connect, like to the Exchange server, the company "news" server
(or where any company-wide info is retained), and perhaps to some other
common company servers. The file servers of which you speak could not be
reached from that outer-zone. Users that needed to access servers outside
that zone's list would have to get permission and then allowed to connect to
those inner-zone hosts.

I have done domain administration but I have used VPN coming into my company
which puts me in a security zone will less permissions that my workstation
at my work desk. I can get at Exchange and other common web servers while
in that throttled zone and to get to other hosts meant I had to get
permission and get on some list of servers to add my host as having
permission to connect to them. This is a security issue but I suspect you
need to speak with a domain admin rather than a security expert regarding
how to setup the security zone for those VPN connections coming from the
outside.
 
Hi VanguardLH,

My company just don't want the remote users to copy any files to their
notebook or home pc from our server. But we can let them to login our
terminal server for jobs need (Such as checking our MRP system informations,
check company's inside mailbox, etc..).
How can we do? Thanks so much.

Sam Mok
 
Hi Sir/Miss,

I had just build up a VPN for my company with a windows 2003 server.
But my company only want the users who can connect to our VPN for just
remote desktop function.
We don't want the users to use our file server's resources.
I had tried to block by IP Filter function from the "Routing and remote
access" policies.
But after many tires, I also failed to do it.

Anybody can in help? Thanks so much.

Sam Mok
Click to expand...

Why not setup the VPN on the Firewall that your company should have
purchased, then you can limit the VPN sessions to specific IP ranges
inside the LAN as well as just RDP TCP 3389.

If your company doesn't have a Firewall that acts as a VPN server then
you should really consider getting a real firewall.
 
A VPN effectively makes the remote user part of your internal network. They
then have whatever rights they would have if logged-on to a computer in the
office itself.

You can, as mentioned, use firewall rules to restrict the ports available to
VPN users.

Although, since you don't actually want remote users to be part of your LAN,
VPN may not be the best solution for you. What you probably need here is
secure tunneling of a single port or range of ports for terminal services,
which could be achieved with utilities such as SSH or Zebedee. There are GPL
and commercial releases of SSH, and Zebedee is a similar and completely free
client/server tunneling implementation.
 
Back
Top