Service-only users and hosting

From: Alistair Young (avatar_at_arkane-systems.net)
Date: 06/23/04

    Date: Wed, 23 Jun 2004 21:14:08 +0100
    
    

    On my Windows 2003 domain, I have some external users who require
    only access to services - such as Exchange IMAP, Outlook Web Access,
    and FTP. Specifically, I need them to be unable to log on to any
    machines, access the internal network through our VPN, or access any
    network shares.

    So far, I have the former two sorted out: all these users are
    ultimately in the "No Console Access" group which has the "Deny logon
    locally" and "Deny logon through Terminal Services" user rights (and
    "Deny logon as a service", just in case), thus solving the first; and
    the RRAS access policies take care of the second.

    (Out of curiosity, what *does* "Log on as a batch job" cover?)

    The third, on the other hand, I'm having a bit more trouble with.
    (Except inasmuch as, thanks to the firewall in the way, no external
    user can get an SMB packet into the internal network anyway, but I'd
    like a little more than that.) I thought "Deny access to this
    computer from the network" was the user right that would prevent
    share, etc., access, which it does, but it also prevents the users
    from logging on to the services into the bargain...

    Any pointers as to how to achieve the one without blocking the other
    too?

    Thanks in advance,

    Alistair

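An added example, not part of the original post: a small audit of a `secedit /export /areas USER_RIGHTS` file that reports which of the deny-logon rights named above a principal holds. The sample INF text is constructed, and matching the group by display name (rather than by the `*SID` form exports often use) is an assumption.

```python
# Added example: map the policy names used in the post to their user-right
# constants and check which ones a principal holds in a secedit export.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny logon locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny logon through Terminal Services",
    "SeDenyServiceLogonRight": "Deny logon as a service",
    "SeDenyBatchLogonRight": "Deny logon as a batch job",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}

# Constructed sample mirroring the setup described in the post. Real exports
# are usually UTF-16 on disk; decode the file before passing its text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = No Console Access,Guest
SeDenyRemoteInteractiveLogonRight = No Console Access
SeDenyServiceLogonRight = No Console Access
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set of lower-cased holders} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def audit_principal(inf_text, principal):
    """Return {policy label: True/False} for each deny right; principal is a name or SID."""
    rights = parse_privilege_rights(inf_text)
    who = principal.lstrip("*").lower()
    return {label: who in rights.get(const, set()) for const, label in DENY_RIGHTS.items()}

if __name__ == "__main__":
    for label, held in audit_principal(SAMPLE_INF, "No Console Access").items():
        print(f"{'SET  ' if held else 'unset'}  {label}")
```
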

