Deny access to Network Adapter in Windows

4

1

I have set up a maintenance network via OpenVPN. However, when I log into a computer (e.g. via Remote Desktop) and someone else is using it at the same time, I either have to accept that she is able to access the VPN once I have established the connection, or I need to force her to log off.

Both are suboptimal.

Is it possible to set ACLs to NICs? Or otherwise disable the access to the network for a certain user? I need it on XP and 7, but a solution only working for one of them is already a big enhancement.

Mene

Posted 2012-03-03T13:16:32.080

Reputation: 200

Answers

1

The short answer is no. There is nothing built into Windows to do this.

Could something be written to do it? Absolutely. You would do it by writing a device driver which hooked the Winsock calls, determined where they were coming from via the process owner, and then decided whether to allow the call to proceed.

Of course, I doubt you want to do that. Just to make you feel better, nothing like that is on Linux or OS X either. The issue is that network code usually goes via system calls, and at a kernel level the OS is not aware of 'users.' If your code is ring 0, you can do anything.

EdH

Posted 2012-03-03T13:16:32.080

Reputation: 754

0

Unfortunately ACLs cannot be applied to devices or parts of the Network stack such as TCP/UDP/Raw streams. This is a known issue in Windows, and hopefully will be addressed in a future release.

In the meantime, the best you can do is either take full-control of the box whilst you are using the VPN, or choosing not to use the VPN when someone else is logged in on the machine.

SecurityMatt

Posted 2012-03-03T13:16:32.080

Reputation: 2 857

0

Although this is probably not what you want because of its high disk space overhead, a work-around could be to run the VPN software and the programs you use that require the VPN in a virtual machine running as your local user, so that only you will have access to the VPN connection.

Adam M-W

Posted 2012-03-03T13:16:32.080

Reputation: 483

0

I see two possibilities:

  1. Use a virtual machine that runs in your user-session and use this VM as OpenVPN client. Network access to the OpenVPN server and target network would then only be possible from within the VM - hence only by you.

  2. Another possibility may be (I have not tested it) to use the Windows Firewall. In case you are using Windows 7 you could block network traffic to the OpenVPN network by specifying its IP range. Afterwards you explicitly allow those applications you need. Of course those tools would have to be configured by filesystem ACLs in a way that only you can execute them.

Robert

Posted 2012-03-03T13:16:32.080

Reputation: 4 857

0

OpenVPN has features that let you:

  • use client-side certificates so you know who is connecting to the OpenVPN server end
  • assign a fixed IP address for a given client-side certificate.
  • and other things based on the client-side certificate.

Given this, you can give out a client-side certificate to the user, and then implement firewall policies on the server side and prevent the user from accessing resources they don't need to access.

LawrenceC

Posted 2012-03-03T13:16:32.080

Reputation: 63 487
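The server-side approach LawrenceC describes, as an added example that is not part of the original answer: each client certificate's CN is pinned to a fixed VPN address through OpenVPN's `client-config-dir` (`ifconfig-push`), and the server's forwarding firewall then decides per VPN address what that client may reach. The script assumes a server running `topology subnet` on 10.8.0.0/24 with `client-config-dir ccd` in server.conf, a `tun0` interface, maintenance hosts in 192.168.50.0/24, and made-up CNs and addresses; none of these come from the page.

```shell
#!/bin/sh
# Added example: per-client network policy on the OpenVPN server side.
# Assumed (not from the page): "topology subnet" on 10.8.0.0/24,
# "client-config-dir ccd" in server.conf, VPN interface tun0, target
# hosts in 192.168.50.0/24. CNs and addresses below are invented.
set -eu

VPN_NET="10.8.0.0/24"
VPN_IF="tun0"

# Pin a certificate CN to a fixed VPN address by writing its ccd entry.
# Only meaningful if the server also sets "ccd-exclusive" (clients without a
# ccd file are refused) and does NOT set "duplicate-cn" (one cert, one session).
# Usage: write_ccd <ccd-dir> <cert-CN> <vpn-ip>   -> prints the file written
write_ccd() {
    ccd_dir=$1; cn=$2; ip=$3
    mkdir -p "$ccd_dir"
    # With "topology subnet", ifconfig-push takes the address and the netmask.
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$ccd_dir/$cn"
    echo "$ccd_dir/$cn"
}

# Emit the iptables FORWARD rules for one VPN address: an ACCEPT per allowed
# destination, then a DROP for anything else that client sends.
# Destinations are IPv4 host or CIDR, optionally ":<tcp-port>" (IPv6 not handled).
# Usage: client_rules <vpn-ip> <dest>[:port] ...
client_rules() {
    ip=$1; shift
    for dest in "$@"; do
        case $dest in
            *:*) host=${dest%:*}; port=${dest##*:}
                 echo "iptables -A FORWARD -i $VPN_IF -s $ip -d $host -p tcp --dport $port -j ACCEPT" ;;
            *)   echo "iptables -A FORWARD -i $VPN_IF -s $ip -d $dest -j ACCEPT" ;;
        esac
    done
    echo "iptables -A FORWARD -i $VPN_IF -s $ip -j DROP"
}

# Rules that bracket the per-client ones: return traffic is allowed first,
# and any VPN address without an explicit policy is dropped last.
base_rules_head() {
    echo "iptables -A FORWARD -i $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
base_rules_tail() {
    echo "iptables -A FORWARD -i $VPN_IF -s $VPN_NET -j DROP"
}

# Demo: "sh policy.sh demo [ccd-dir]" prints the complete rule set for two
# invented clients: the admin's cert gets the whole maintenance subnet, the
# shared PC's cert only SSH to one host.
if [ "${1-}" = demo ]; then
    ccd=${2-./ccd}
    write_ccd "$ccd" admin-laptop 10.8.0.10 >/dev/null
    write_ccd "$ccd" shared-pc   10.8.0.20 >/dev/null
    base_rules_head
    client_rules 10.8.0.10 192.168.50.0/24
    client_rules 10.8.0.20 192.168.50.5:22
    base_rules_tail
fi
```

The script prints the rules rather than applying them, so the output can be reviewed and then piped to `sh` on the server; the per-client DROP and the trailing subnet DROP are what make a client that merely connects (or that is handed an address without a ccd entry) unable to reach anything. Note that this only controls what the other user can reach through the VPN; it does not stop her from using the tunnel from the shared machine, which is the limitation the other answers describe.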