How to Limit what remote users can do

Tags:
Remote management
Security
Hi there, we use a Cisco VPN solution with Windows IAS on 2003 servers. The clients connect via Cisco 4.x clients that authenticate to our Domain Controllers over RADIUS/IAS against their AD accounts. Problem is it's far too open. I am increasingly under pressure to allow 3rd party contractors VPN access. I want to be able to limit those accounts, or the groups they are a member of, so they can only access certain computers, IP addresses or a range of IPs. I think I may be able to do it using ISA Server 2004, but that requires using dual NICs, which is a no-no with our network operations guys. Suggestions please? Mac

Answer Wiki


Why do your operations people have a problem with dual NICs? It's a pretty standard arrangement for things like dedicated firewalls. A router is actually 2+ NICs with a computer between them, and cable/DSL "modems" are just a computer with an Ethernet NIC and a cable/DSL NIC. At home I use an old Dell server running Linux with the built-in NIC connected to a cable modem and 3 add-on NICs to connect my other computers, as a firewall/router/web server/FTP server/ICS.

However, if you can't get around their limitations, you will need them to do the work of setting up special groups and permissions for the outside people to have limited access to the network. You need to have a meeting with the people who want third party access added and the IT people present, so that something can be worked out that makes everyone happy. IT is putting up the barriers; IT needs to come up with the solution.

Discuss This Question: 4 Replies

  • Preytell
    I'm assuming that you are using a Cisco VPN 3000 or some such device. The device itself can enforce rules on traffic per user, user group, etc. Check out this link for a quick how-to: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00803ec0ac.html
  • Maclanachu
    Thanks guys. Re the VPN 3000, we do use that after a fashion in some solutions, but only where the 3rd party is coming in on a static IP. Most will not. Re the dual NICs, well, they are Cisco guys mainly and see the config as insecure and unnecessary, and how crap MS is at security, etc. etc. I do have certain groups that I have set up to deny access, but the problem is previous bozos have enabled shares giving access to the Everyone group, which makes it harder to manage because I'd have to find them all. Better to restrict in the first instance where they can go at all, rather than deny what they can do when they get there, if you know what I mean. Mac
  • Mistoffeles
    True, but you really ought to go back and clean up all of those "everyone" shares, and soon, regardless of what you do about third party access. (honestly, all my bells and whistles immediately went off when I read about that ;) )
  • Maclanachu
    Thanks again. Oh, I know! I have gone through all the shares on the servers and have rapped the knuckles of the developers and anyone else who took such a lazy way out. But there are some users who may have such shares on their own PCs. I certainly don't let them do that anymore. (Local admin permission is very rare these days!) But there may be some legacy stuff that I don't know about. So again, denying where they can go in the first instance prevents this becoming a problem. Rgds, Mac. PS Argentina for the WC. Ukraine outside bet to make the semis!
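As an added example, not code from this thread, from Cisco or from Microsoft, the following Python models the per-user/group filtering Preytell points at and the "restrict where they can go in the first instance" approach Mac wants: each AD group maps to a named filter, a filter is a list of permit/deny rules evaluated top to bottom with first match winning and an explicit deny-all at the end, and an account that is in no mapped group gets nothing at all. The group names, filter names, addresses and ports are constructed for illustration; on a real concentrator the filter is configured on the device and attached to the user's group, and this script only shows the decision logic so you can see which combinations would be allowed before touching the box.

```python
# Added example (not from the original thread): models how a VPN concentrator
# applies a per-group filter to each connection a remote user attempts, so that
# contractor accounts are confined to named hosts and ports while staff keep
# wider access. Group names, filter names, addresses and ports are constructed
# for illustration and are not from the thread.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    dst: IPv4Network                 # destination network the rule covers
    ports: Optional[FrozenSet[int]]  # None means any port


def rule(action: str, cidr: str, ports: Optional[Iterable[int]] = None) -> Rule:
    """Build a Rule from a CIDR string and an optional list of ports."""
    return Rule(action, ip_network(cidr), frozenset(ports) if ports else None)


# Named filters, evaluated top to bottom, first match wins.
# Every filter ends in an explicit deny-all so nothing slips through.
FILTERS: Dict[str, List[Rule]] = {
    "contractor-filter": [
        rule("permit", "10.1.20.15/32", [3389]),   # RDP to one jump host
        rule("permit", "10.1.20.0/28", [443]),     # HTTPS to a small range
        rule("deny", "0.0.0.0/0"),
    ],
    "staff-filter": [
        rule("permit", "10.0.0.0/8"),              # whole internal range
        rule("deny", "0.0.0.0/0"),
    ],
}

# Which filter each AD group receives. Order matters: the most restrictive
# group is listed first, so a contractor who has also been dropped into a
# staff group is still confined.
GROUP_TO_FILTER: List[Tuple[str, str]] = [
    ("VPN-Contractors", "contractor-filter"),
    ("VPN-Staff", "staff-filter"),
]


def filter_for(groups: Iterable[str]) -> Optional[str]:
    """Pick the filter for a user from their group memberships.

    Returns None when no group is mapped; callers treat that as deny-all,
    so an account that merely authenticates gets no network access.
    """
    member_of = set(groups)
    for group, name in GROUP_TO_FILTER:
        if group in member_of:
            return name
    return None


def evaluate(filter_name: Optional[str], dst_ip: str, dst_port: int) -> str:
    """Return "permit" or "deny" for one destination under a named filter."""
    if filter_name is None:
        return "deny"                # unmapped user: fail closed
    dst = ip_address(dst_ip)
    for r in FILTERS[filter_name]:
        if dst in r.dst and (r.ports is None or dst_port in r.ports):
            return r.action
    return "deny"                    # implicit deny if a filter lacks a catch-all


def check(groups: Iterable[str], dst_ip: str, dst_port: int) -> str:
    """Evaluate a connection attempt for a user with the given AD groups."""
    return evaluate(filter_for(groups), dst_ip, dst_port)


if __name__ == "__main__":
    # Constructed connection attempts, as a concentrator log might show them.
    attempts = [
        (["VPN-Contractors"], "10.1.20.15", 3389),             # permit
        (["VPN-Contractors"], "10.1.20.15", 445),              # deny: SMB
        (["VPN-Contractors"], "10.1.20.7", 443),               # permit: in /28
        (["VPN-Contractors"], "10.1.30.7", 443),               # deny: outside
        (["VPN-Staff"], "10.1.30.7", 445),                     # permit: staff
        (["Domain Users"], "10.1.20.15", 3389),                # deny: unmapped
        (["VPN-Staff", "VPN-Contractors"], "10.1.30.7", 445),  # deny: confined
    ]
    for groups, ip, port in attempts:
        print(f"{','.join(groups):32} -> {ip}:{port:<5} {check(groups, ip, port)}")
```

The ordering in GROUP_TO_FILTER is the part worth carrying over to the real configuration: when a contractor account is also a member of a broader group, the restrictive filter is chosen, which is what "deny where they can go in the first instance" asks for. Mapping unknown groups to nothing rather than to a permissive default means a mistyped group name fails closed instead of handing out staff-level reach.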
