Re: Granting access based on user location

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/13/05


Date: Sat, 13 Aug 2005 07:15:27 -0700

Well, the web access part is likely simple if you have a web
dev in house, as the client properties of the browsing client
will give you pretty much all you would need to tell if they
are on local network, vpn'd in, or using the public interface
on internet, and the server-side could then tune what is given
in the browser rendering as appropriate.
For the other access it sounded as if you need to distinguish
between only locally attached or vpn'd in. If you could isolate
the shares on to different servers and then for example use
IPsec on the server with the sensitive shares that should not
be available when vpn'd in so that server will not speak with
the IPs your vpn gives out . . .
There are likely other, and possibly more simple ways, but
given your sketch of requirements these are what first came
to mind. The alternatives will also vary based on info you
did not provide, such as what vpn solution is in use, do you
use IAS for auth, etc.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"vidro" <vidro@discussions.microsoft.com> wrote in message
news:993D5714-187C-4200-B683-B203121241E8@microsoft.com...
> I need to set security based on location and machine.
> Scenario:
>
> A user has an account on the Corporate network and his laptop has an account
> on Corporate network.
> While on the local area network, this user can access Information from
> folder A,B,C on a server
> When the user goes mobile with his laptop the user needs to be constrained
> to only seeing info from folder A and B
> If the same user goes to a computer that is not a part of the Corporate
> network he needs to be constrained to only folder A.
>
> The user, when not on the local network, will be using the Internet to
> attach to the Corporate network.
> There are 2 methods to attach to information via the internet; either thru
> VPN or a WEB server.
> If the user is using his laptop it will most likely be VPN,
> If he is on a different p.c. he will need to go to the Corporate WEB site.
>
> At the same time I do not want to give users the ability to access information
> from a non-company p.c. through a VPN connection.
>
> Any help in implementing such a security scheme would be greatly appreciated.
>
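
A sketch of the server-side check the reply describes for the web part, added here as an example and not part of the original thread: the web application classifies the connecting address as LAN, VPN pool or Internet and maps that to the folders A, B and C from the question. The subnets, the proxy address and all function names are constructed assumptions; substitute the real address plan.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread).
VPN_POOL = [ipaddress.ip_network("10.10.250.0/24")]       # addresses the VPN hands out
LAN_NETS = [ipaddress.ip_network("10.10.0.0/16")]         # on-site subnets
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.1.5/32")]  # reverse proxy in front of the app

# Folder policy from the original question.
FOLDERS_BY_ZONE = {"lan": {"A", "B", "C"}, "vpn": {"A", "B"}, "internet": {"A"}}

def _parse(text):
    """Return an ip_address, or None if the text is not a valid address."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches the IPv4 ranges.
    return getattr(addr, "ipv4_mapped", None) or addr

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def client_address(peer_ip, forwarded_for=None):
    """Pick the address to classify. X-Forwarded-For is client-controlled, so it
    is honoured only when the TCP peer is a trusted proxy, and then only the
    right-most entry that is not itself a trusted proxy."""
    peer = _parse(peer_ip)
    if peer is None or not forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    for hop in reversed(forwarded_for.split(",")):
        addr = _parse(hop)
        if addr is None:
            return None                # malformed chain: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer

def classify_zone(peer_ip, forwarded_for=None):
    addr = client_address(peer_ip, forwarded_for)
    if addr is None:
        return "internet"              # unknown origin gets the least access
    if _in_any(addr, VPN_POOL):        # checked first: the pool sits inside the LAN range
        return "vpn"
    return "lan" if _in_any(addr, LAN_NETS) else "internet"

def allowed_folders(peer_ip, forwarded_for=None):
    return FOLDERS_BY_ZONE[classify_zone(peer_ip, forwarded_for)]
```

The source address only says where the connection enters the network, not whether the machine is company-owned, so it does not by itself keep a non-company PC off the VPN.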

