
This might be a little far-fetched and might not be possible.

I have a virtual machine that will have files on it that I don't want people to be able to transfer off. They are allowed access; I just want the files staying put with no copying. With that in mind, is it possible to restrict a VM's network access so that I could still allow RDP connections (port 3389) but block network access (i.e. shares, etc.) when logged into that machine?

I'm running XenServer 6.2 and the VM is running Windows 2012 with RDS enabled.

webnoob
  • It's definitely possible to restrict network connections to RDP-only, but if they can read the file, they can copy the file if they're determined enough. Never underestimate the determination of lazy people to be lazy. – John Aug 08 '14 at 11:34
  • Ok, well at least it's possible. RDS handles copy-pasting text; I'm just trying to stop them copying entire files. At the end of the day, there is nothing stopping them from taking a photo of the data and doing something with it, but I need to make it as impractical as possible. – webnoob Aug 08 '14 at 11:38

2 Answers


Yes, it is possible; you should add firewall rules to Open vSwitch like:

ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=39000 dl_type=0x0800 nw_dst={ip-address} idle_timeout=65000 action=normal"
ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=38000 dl_type=0x0800 nw_src=ANY idle_timeout=65000 action=drop"

You put the MAC address of the server that needs to be secured in {mac-address}, and you put the IPs you want the server to reach in {ip-address}.

First add all IP addresses you want to connect, then add the DROP rule.

Note: Don't forget to add the source as well, using nw_src.

For more info please visit: OvS Manual

Harun Baris Bulut
  • I can't see anything on this that would only allow access on port 3389 (for RDP). Will it handle that? – webnoob Aug 08 '14 at 13:32
  • There are parameters for that; did you check the OvS Manual for that? – Harun Baris Bulut Aug 08 '14 at 14:31
  • Yes and I'm sorry to say I don't really follow their examples. I posted another question about it here: http://serverfault.com/questions/619018/how-do-i-block-all-access-to-machine-except-port-3389-using-open-vswitch – webnoob Aug 08 '14 at 14:36
  • Care to share which params I should use? The docs show a few for ports and I can't get any to work. – webnoob Aug 08 '14 at 23:00
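The comments above ask which parameters restrict the VM to port 3389. The following POSIX shell script is an added example, not code from the answer or from XenServer: it generates flows for both directions and installs them with ovs-ofctl; the bridge name xenbr0, the VM MAC 00:16:3e:aa:bb:cc and the client range 10.0.0.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the answer): Open vSwitch flows that leave a VM
# reachable only over RDP (TCP/3389) and drop every other frame it sends
# or receives. Assumptions: bridge xenbr0, a static IP on the VM (DHCP is
# blocked too), and placeholder values for the MAC and client subnet.

BRIDGE="${BRIDGE:-xenbr0}"

# rdp_only_flows VM_MAC CLIENT_CIDR
# Prints one ovs-ofctl flow per line; the higher priority wins on overlap.
rdp_only_flows() {
    vm_mac="$1"
    clients="$2"
    # ARP must pass or the VM cannot resolve its gateway or its clients.
    echo "priority=40000,dl_type=0x0806,dl_src=$vm_mac,actions=normal"
    echo "priority=40000,dl_type=0x0806,dl_dst=$vm_mac,actions=normal"
    # Inbound RDP from the allowed client range to the VM only.
    echo "priority=39000,dl_type=0x0800,nw_proto=6,nw_src=$clients,dl_dst=$vm_mac,tp_dst=3389,actions=normal"
    # Outbound RDP replies from the VM back to those clients only.
    echo "priority=39000,dl_type=0x0800,nw_proto=6,nw_dst=$clients,dl_src=$vm_mac,tp_src=3389,actions=normal"
    # Everything else to or from the VM's MAC (SMB, DNS, HTTP, ...) is dropped.
    # Broadcast ARP requests carry dl_dst=ff:ff:ff:ff:ff:ff, so they are unaffected.
    echo "priority=38000,dl_src=$vm_mac,actions=drop"
    echo "priority=38000,dl_dst=$vm_mac,actions=drop"
}

# Number of flows generated; a sanity check before applying.
rdp_only_flow_count() {
    rdp_only_flows "$1" "$2" | wc -l | tr -d ' '
}

# Install the flows on the XenServer host (dom0). The allow rules come
# before the drop rules, so an open RDP session is not cut mid-apply.
apply_rdp_only() {
    rdp_only_flows "$1" "$2" | while IFS= read -r flow; do
        ovs-ofctl add-flow "$BRIDGE" "$flow"
    done
}

# Dry run with constructed values: print the flows without touching OVS.
rdp_only_flows 00:16:3e:aa:bb:cc 10.0.0.0/24
```

Flows added with ovs-ofctl do not survive an ovs-vswitchd restart, so re-apply them after a host reboot and on whichever host the VM migrates to. This filter sees only the wire; clipboard and drive redirection travel inside the RDP session itself and must be turned off in RDS policy.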

When you use an RDP connection, you still need to use an account to log in. That account can be restricted to stop access to files.

Glen
  • I only want to restrict them on this machine, and Windows doesn't support this. If I allow access to the user using GPO then the user can still use UNC paths to send files off the server. – webnoob Aug 08 '14 at 11:55