Securing an incoming modem connection from accessing the network

  • Thread starter: Les Desser

Les Desser

I am trying to set up a POP3 server on W2K and allow users to dial in
via the modem to collect their mail. I do not want to allow them to be
able to do anything else while connected.

I have set up an incoming connection and it all works fine except that
the user can still issue a "net use" command and connect to a shared
drive on the network.

On the properties of the Incoming Connection > TCP/IP properties I have
removed the tick from "Allow callers to access my local area network"
and still they can get to my network shares.

Also, on the Networking Components I have tried to remove the tick from
"File and Printer sharing" but it does not let me - the only option is
to stop the "server" process which then kills *all* network activity.
Why cannot I stop this just for this connection? For the LAN connection
I can remove the tick without any bother.

Thanks.
 
You could put all of the dial-in users into a unique Group, then update the
existing shares permissions to not include that Group...
 
daytripper said:
You could put all of the dial-in users into a unique Group, then update the
existing shares permissions to not include that Group...

Thanks! Done and works. I thought of that weeks ago when planning this
but promptly forgot about it when I saw the option to disallow callers
on the local network. I wonder what that option actually does?

Just one further point. I have tried the net use command on the
administrative share (e.g. $e) in place of the share name. It comes up
asking for a password and no matter what I type in it fails - which is
good. I just wonder if it is of any practical use to access drives that
do not have a share defined or is it just for the system's own use.
 
All I know is (or with all I know) it won't let even an admin get to the
$shares, so the answer has pretty much been made for us - and frankly, I think
that's a very good thing. I'd just as soon have control over what can and
cannot be touched from the LAN...

cheers

/daytripper
 
daytripper said:
All I know is (or with all I know) it won't let even an admin get to
the $shares, so the answer has pretty much been made for us - and
frankly, I think that's a very good thing. I'd just as soon have
control over what can and cannot be touched from the LAN...

Thanks. I will sleep much better :)
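
The group-based share restriction suggested earlier in the thread depends on how a share's permission list is evaluated: leaving a group off the list has no effect if its members still match a broader entry such as Everyone. The following is an added example, not part of any post in the thread; it is a simplified model of share-permission evaluation, and every account, group and share name in it is constructed.

```python
# Simplified model of Windows share-permission evaluation (added example).
# All account, group and share names below are constructed for illustration.
from dataclasses import dataclass

RIGHTS = {"Read": 1, "Change": 3, "Full": 7}  # each level includes the lower ones

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name
    right: str     # key of RIGHTS

def token(user, memberships):
    """Names an ACE can match: the user, their groups, and Everyone."""
    return {user, "Everyone"} | memberships.get(user, set())

def effective(user, memberships, acl):
    """Return the rights bitmask the user ends up with on a share."""
    names = token(user, memberships)
    allowed = denied = 0
    for ace in acl:
        if ace.trustee in names:
            if ace.kind == "deny":
                denied |= RIGHTS[ace.right]
            else:
                allowed |= RIGHTS[ace.right]
    return allowed & ~denied   # a matching deny overrides any allow

def reachable(user, memberships, shares):
    """Shares on which the user keeps any right at all."""
    return sorted(n for n, acl in shares.items() if effective(user, memberships, acl))

MEMBERS = {"dialin1": {"DialInUsers", "Users"}, "alice": {"Staff", "Users"}}

SHARES = {
    # Dial-in group simply left off the list, but Everyone still grants access.
    "Public": [Ace("allow", "Everyone", "Full")],
    # Everyone replaced by a group the dial-in accounts are not in.
    "Projects": [Ace("allow", "Staff", "Change")],
    # Broad grant kept, with an explicit deny for the dial-in group.
    "Accounts": [Ace("allow", "Users", "Read"), Ace("deny", "DialInUsers", "Full")],
}

if __name__ == "__main__":
    for user in MEMBERS:
        print(user, "->", reachable(user, MEMBERS, SHARES))
```

Any share the audit still lists for a dial-in account needs either its broad grant replaced by a narrower group or an explicit deny entry for the dial-in group.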
 