Re: Granting access based on user location
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/22/05
Date: Sun, 21 Aug 2005 22:50:49 -0700
As far as I know the server does not make the distinction.
As I indicated, if you can share things sufficient to the needs in
an authenticated IIS web, then the server-side code of the web
can examine the info about the browsing client, which will then
include the authenticated account and the browser's IP.
As for shares, what I said was to look at whether you can isolate
the sensitive on a separate server and then use IPsec to control
what IPs that server will speak with.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"vidro" <vidro@discussions.microsoft.com> wrote in message
news:197D4950-53F2-45EB-8661-AB26C1A7FA8D@microsoft.com...
> You're right. I think I got sidetracked with machine security, trying to
> figure out a way of stopping LAN users from going home to their home p.c. and
> creating a VPN account even if they had authority to VPN with a company
> laptop.
>
> To the original issue; Logon accounts being the same, how does the server
> identify a local computer accessing information versus a VPN connection
> accessing information?
>
> "Roger Abell" wrote:
>
> > "vidro" <vidro@discussions.microsoft.com> wrote in message
> > news:56A1168B-04E4-47DE-82EF-64CED93148C7@microsoft.com...
> > > Capture MAC for authentication?
> > > but how to authenticate it and against what?
> > >
> >
> > I realize you replied to my post, but you lost me?
> > From where did Capture MAC for authentication come into it?
> >
> > --
> > Roger
> >
> > > "Roger Abell" wrote:
> > >
> > > > Well, the web access part is likely simple if you have a web
> > > > dev in house, as the client properties of the browsing client
> > > > will give you pretty much all you would need to tell if they
> > > > are on local network, vpn'd in, or using the public interface
> > > > on internet, and the server-side could then tune what is given
> > > > in the browser rendering as appropriate.
> > > > For the other access it sounded as if you need to distinguish
> > > > between only locally attached or vpn'd in. If you could isolate
> > > > the shares on to different servers and then for example use
> > > > IPsec on the server with the sensitive shares that should not
> > > > be available when vpn'd in so that server will not speak with
> > > > the IPs your vpn gives out . . .
> > > > There are likely other, and possibly more simple ways, but
> > > > given your sketch of requirements these are what first came
> > > > to mind. The alternatives will also vary based on info you
> > > > did not provide, such as what vpn solution is in use, do you
> > > > use IAS for auth, etc..
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "vidro" <vidro@discussions.microsoft.com> wrote in message
> > > > news:993D5714-187C-4200-B683-B203121241E8@microsoft.com...
> > > > > I need to set security based on location and machine.
> > > > > Scenario:
> > > > >
> > > > > A user has an account on the Corporate network and his laptop has account
> > > > > on Corporate network.
> > > > > While on the local area network, this user can access Information from
> > > > > folder A,B,C on a server
> > > > > When the user goes mobile with his laptop the user needs to be constrained
> > > > > to only seeing info from folder A and B
> > > > > If the same user goes to a computer that is not a part of the Corporate
> > > > > network he needs to be constrained to only folder A.
> > > > >
> > > > > The user, when not on the local network, will be using the Internet to
> > > > > attach to the Corporate network.
> > > > > There are 2 methods to attach to information via the internet; either through
> > > > > VPN or a WEB server.
> > > > > If the user is using his laptop it will most likely be VPN,
> > > > > If he is on a different p.c. he will need to go to the Corporate WEB site.
> > > > >
> > > > > At the same time I do not want to give users the ability to access information
> > > > > from a non-company p.c. through a VPN connection.
> > > > >
> > > > > Any help in implementing such a security scheme would be greatly appreciated.
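
The server-side check discussed in this thread, as an added example that is not part of the original messages: classify the browsing client's address as LAN, VPN or internet and return the folders that zone may see. The subnets and the function names are constructed assumptions; the folder sets follow the original poster's scenario.

```python
import ipaddress

# Constructed address plan (assumption, not taken from the thread).
LAN_NET = ipaddress.ip_network("10.0.0.0/16")
VPN_POOL = ipaddress.ip_network("10.0.200.0/24")  # pool carved out of the LAN range

# Folder sets per zone, as described in the original poster's scenario.
FOLDERS_BY_ZONE = {
    "lan": {"A", "B", "C"},
    "vpn": {"A", "B"},
    "internet": {"A"},
}


def classify_zone(remote_addr):
    """Map the TCP peer address the web server saw to a zone name.

    Pass the connection's peer address (the REMOTE_ADDR server variable in
    IIS), not a client-supplied header such as X-Forwarded-For.
    """
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except (ValueError, AttributeError):
        return "internet"  # unparseable or missing: least-trusted zone
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # Test the VPN pool first because it overlaps the wider LAN range.
    if ip in VPN_POOL:
        return "vpn"
    if ip in LAN_NET:
        return "lan"
    return "internet"


def allowed_folders(authenticated_user, remote_addr):
    """Return the folder names this request may see; none if unauthenticated."""
    if not authenticated_user:
        return set()
    return set(FOLDERS_BY_ZONE[classify_zone(remote_addr)])
```

The address only identifies the network path, so this check cannot tell a company laptop from a home PC on the same VPN pool.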