Re: Granting access based on user location

From: Roger Abell (
Date: 08/13/05

Date: Sat, 13 Aug 2005 07:15:27 -0700

Well, the web access part is likely simple if you have a web
dev in house, as the client properties of the browsing client
will give you pretty much all you would need to tell if they
are on local network, vpn'd in, or using the public interface
on internet, and the server-side could then tune what is given
in the browser rendering as appropriate.
For the other access it sounded as if you need to distinguish
between only locally attached or vpn'd in. If you could isolate
the shares on to different servers and then for example use
IPsec on the server with the sensitive shares that should not
be available when vpn'd in so that server will not speak with
the IPs your vpn gives out . . .
There are likely other, and possibly more simple ways, but
given your sketch of requirements these are what first came
to mind. The alternatives will also vary based on info you
did not provide, such as what vpn solution is in use, do you
use IAS for auth, etc.

Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"vidro" <> wrote in message
> I need to set security based on location and machine.
> Scenario:
> A user has an account on the Corporate network and his laptop has an account
> on Corporate network.
> While on the local area network, this user can access Information from
> folder A,B,C on a server
> When the user  goes mobile with his laptop the user needs to be
> to only seeing info from folder A and B
> If the same user goes to a computer that is not a part of the Corporate
> network  he needs to be constrained to only folder A.
> The user, when not on the local network, will be using the Internet to
> attach to the Corporate network.
> There are 2 methods to attach to information via the internet; either thru
> VPN or a WEB server.
> If the user is using his laptop it will most likely be VPN,
> If he is on a different p.c. he will need to go  to the Corporate WEB
> At the same time I do not want to give users the ability to access
> from a non-company p.c. through a VPN connection.
> Any help in implementing such a security scheme would be greatly
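
Added example, not part of the original thread: server-side classification of the connecting client's address into local network, VPN or Internet, mapped to the folder A/B/C policy from the question. The address ranges, the reverse-proxy address and all function names are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumptions, not taken from the thread).
LAN_NETS = [ipaddress.ip_network("10.10.0.0/16")]
VPN_POOLS = [ipaddress.ip_network("10.10.250.0/24")]       # addresses the VPN gives out
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.5.10/32")]  # reverse proxy in front of the web server

# Policy from the question: local -> A,B,C; VPN -> A,B; anything else -> A.
POLICY = {"lan": {"A", "B", "C"}, "vpn": {"A", "B"}, "internet": {"A"}}


def _parse(text):
    addr = ipaddress.ip_address(text.strip())
    # Unwrap ::ffff:a.b.c.d so a dual-stack listener still matches the IPv4 ranges.
    return getattr(addr, "ipv4_mapped", None) or addr


def _in(addr, nets):
    return any(addr in net for net in nets)


def effective_client(peer, forwarded_for=None):
    """Return the address to judge; raises ValueError when it cannot be trusted."""
    addr = _parse(peer)
    if _in(addr, TRUSTED_PROXIES):
        if not forwarded_for:
            raise ValueError("proxied request without X-Forwarded-For")
        # Only the rightmost entry was appended by our own proxy;
        # everything to its left is supplied by the client.
        return _parse(forwarded_for.split(",")[-1])
    # Header sent by an untrusted peer is ignored: it is trivially forged.
    return addr


def classify(peer, forwarded_for=None):
    try:
        addr = effective_client(peer, forwarded_for)
    except ValueError:
        return "internet"  # unparsable or untrusted input gets the least access
    if _in(addr, VPN_POOLS):  # test the VPN pool first: it sits inside the LAN range
        return "vpn"
    if _in(addr, LAN_NETS):
        return "lan"
    return "internet"


def allowed_folders(peer, forwarded_for=None):
    return POLICY[classify(peer, forwarded_for)]
```

The source address shows which network a connection arrives from, not which machine is at the other end, so it does not by itself tell a company laptop from any other PC.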