Re: Granting access based on user location
From: vidro (vidro_at_discussions.microsoft.com)
Date: Thu, 18 Aug 2005 10:05:04 -0700
Capture MAC for authentication?
But how to authenticate it and against what?
"Roger Abell" wrote:
> Well, the web access part is likely simple if you have a web
> dev in house, as the client properties of the browsing client
> will give you pretty much all you would need to tell if they
> are on local network, vpn'd in, or using the public interface
> on internet, and the server-side could then tune what is given
> in the browser rendering as appropriate.
> For the other access it sounded as if you need to distinguish
> between only locally attached or vpn'd in. If you could isolate
> the shares on to different servers and then for example use
> IPsec on the server with the sensitive shares that should not
> be available when vpn'd in so that server will not speak with
> the IPs your vpn gives out . . .
> There are likely other, and possibly more simple ways, but
> given your sketch of requirements these are what first came
> to mind. The alternatives will also vary based on info you
> did not provide, such as what vpn solution is in use, do you
> use IAS for auth, etc.
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "vidro" <email@example.com> wrote in message
> > I need to set security based on location and machine.
> > Scenario:
> > A user has an account on the Corporate network and his laptop has an account
> > on Corporate network.
> > While on the local area network, this user can access Information from
> > folder A,B,C on a server
> > When the user goes mobile with his laptop the user needs to be
> > to only seeing info from folder A and B
> > If the same user goes to a computer that is not a part of the Corporate
> > network he needs to be constrained to only folder A.
> > The user, when not on the local network, will be using the Internet to
> > attach to the Corporate network.
> > There are 2 methods to attach to information via the internet; either thru
> > VPN or a WEB server.
> > If the user is using his laptop it will most likely be VPN,
> > If he is on a different p.c. he will need to go to the Corporate WEB
> > At the same time I do not want to give users the ability access
> > from a non-company p.c. through a VPN connection.
> > Any help in implementing such a security scheme would be greatly
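
Added example, not part of the original thread: a sketch of the server-side check Roger Abell describes for the web path, classifying a request by source address as LAN, VPN or Internet and returning the folder set from vidro's scenario. The address ranges, the reverse-proxy address and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed address plan, constructed for this example (not from the thread).
LAN_NETS = [ipaddress.ip_network("10.10.0.0/16")]
VPN_POOL = [ipaddress.ip_network("10.99.0.0/24")]          # addresses the VPN hands out
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.5.10/32")]  # hypothetical reverse proxy

# Folder sets from the scenario in the thread.
FOLDERS_BY_ZONE = {"lan": {"A", "B", "C"}, "vpn": {"A", "B"}, "internet": {"A"}}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(peer_ip, x_forwarded_for=None):
    """Pick the address to classify, or None if it cannot be trusted.

    X-Forwarded-For is client-controlled, so it is honoured only when the
    TCP peer is a trusted proxy, and then read right to left.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer                      # direct connection: ignore the header
    if not x_forwarded_for:
        return None                      # proxy did not say who the client is
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                  # malformed header: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr                  # first hop not under our control
    return None


def classify(peer_ip, x_forwarded_for=None):
    addr = effective_client_ip(peer_ip, x_forwarded_for)
    if addr is None:
        return "internet"                # least-privileged zone by default
    if _in_any(addr, VPN_POOL):          # checked first in case the pool overlaps the LAN
        return "vpn"
    if _in_any(addr, LAN_NETS):
        return "lan"
    return "internet"


def allowed_folders(peer_ip, x_forwarded_for=None):
    return FOLDERS_BY_ZONE[classify(peer_ip, x_forwarded_for)]
```

The source address tells the server which network a request came from, not which machine sent it, so this covers the location half of the requirement only.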