
I have set up a Windows server role VPN all right. The next step is to limit the access of the VPN session user account. Some folders should be denied from client viewing (e.g.: system folders, Program Files, user profiles), some should be allowed. I don't intend to use Active Directory this time; it isn't enabled.

Could I set the share and NTFS (Security tab) permissions on all folders to Full Control or Modify for Authenticated Users, except the ones I choose to grant access to for the VPN connection's Windows standard user account? Or the other way around?

And remove the Users group from those folders, with share and NTFS permissions granted to the Authenticated Users group?

capum
  • Do you have separate user profiles for those who use the VPN, or are they the same accounts that should have local access to the files, just not access to those files when connected via VPN? – IceMage Jun 12 '15 at 20:54
  • I will manage to add a user profile for each person who connects a VPN session. There is this one VPN client that should not have access to all files. So it will have its own user profile. That's right? What about the Authenticated Users permission group? – capum Jun 17 '15 at 21:02

1 Answer


Well, maybe.

Please remember that without AD global security, anything you try to control with file ACLs will only work on the one server that is implementing VPN, i.e. without AD you only have LOCAL accounts for both VPN authentication and the FILE ACLs you wish to set.

AD might be worth considering for this .....

So as long as the VPN and file server are the same machine - you can approach it in this manner, but the biggest trick will be locking OUT access to everything, and only then turning on access to the little you want VPN users to have access to (i.e. non-ACL security settings like "Traverse Directories" need to be considered too.)

A high-level checklist for planning such a VPN can be found here: https://technet.microsoft.com/en-us/library/cc725734(v=ws.10).aspx

David Nilson
  • +1 "AD might be worth considering for this ....." - Active Directory is designed specifically to address these kinds of issues. Don't be scared, it's not as big of a monster as you may think, but it is as big of a monster as you make it. – IceMage Jun 12 '15 at 20:56
  • IceMage a nightmare as I begin with it? Is that true? @David Nilson I thought of using the firewall to block remote VPN IPv4 addresses from those local VPN network desktops and leave the VPN server and file server (which indeed are the same) clear. What are the permission groups (applied to both share and NTFS (Security tab) permissions) to make it lock out? I didn't test, but can I log in multiple VPN clients with just one local user profile/account? – capum Jun 17 '15 at 20:59
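One concrete way to apply the "lock out everything, then grant the little that is needed" approach from the answer on a stand-alone (non-AD) server, as an added example that is not part of the original answer or comments. The folder path, share name, group and account names are assumptions; each VPN client gets its own dedicated local account, and all such accounts are collected in one local group that the ACLs reference.

```powershell
# Added example, not from the original answer. Run as Administrator on the
# machine that is both VPN server and file server. Names below are assumptions.
$VpnGroup  = 'VPN-Users'     # local group holding every VPN client account
$VpnUser   = 'vpn-client1'   # one dedicated local account per client, never shared
$ShareRoot = 'D:\VpnShare'   # the only folder VPN clients are meant to reach
$ShareName = 'VpnShare'

# 1. Dedicated local account and group (no AD, so these are local principals).
$pw = Read-Host -AsSecureString "Password for $VpnUser"
New-LocalUser -Name $VpnUser -Password $pw | Out-Null
New-LocalGroup -Name $VpnGroup -ErrorAction SilentlyContinue | Out-Null
Add-LocalGroupMember -Group $VpnGroup -Member $VpnUser

# 2. NTFS: stop inheriting from D:\ and discard the inherited ACEs. That is
#    what removes the broad BUILTIN\Users / Authenticated Users entries the
#    question asks about; afterwards only the explicit entries below remain.
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited rules
$inherit = 'ContainerInherit, ObjectInherit'
$rules = @(
    # VPN group: read-only here; use 'Modify' instead for a writable folder.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$env:COMPUTERNAME\$VpnGroup", 'ReadAndExecute', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $ShareRoot -AclObject $acl

# 3. Share permissions: no 'Everyone'; only the VPN group and administrators.
#    Because the share points at the folder itself, VPN users need no
#    traverse rights on D:\ or any parent folder.
New-SmbShare -Name $ShareName -Path $ShareRoot `
    -ReadAccess "$env:COMPUTERNAME\$VpnGroup" `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# 4. Verify both layers: the NTFS ACL should list only the three principals
#    above, and no other non-administrative share should be visible to them.
(Get-Acl -Path $ShareRoot).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType
Get-SmbShareAccess -Name $ShareName
Get-SmbShare | Where-Object { $_.Name -notlike '*$' } | Select-Object Name, Path
```

Effective access is the more restrictive of share and NTFS permissions, so the last three commands are the check that nothing outside `$ShareRoot` is exposed through another share on the same box.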