Comments on: How to Limit what remote users can do

By: maclanachu

maclanachu — Wed, 28 Jun 2006 18:01:01 +0000

thx again,

Oh I know! I have gone through all the shares on the servers and have rapped the knuckles of the developers and anyone else who took such a lazy way out. But there are some users who may have such shares on their own pcs. I certainly don’t let them do that anymore. (Local admin permission is very rare these days!) But there may be some legacy stuff that I don’t know about. So again, deny where they can go in the first instance prevents this becoming a problem.

rgds

Mac.
PS Argentina for the WC. Ukraine outside bet to make the Semi’s!

By: mistoffeles

mistoffeles — Tue, 27 Jun 2006 09:56:31 +0000

True, but you really ought to go back and clean up all of those “everyone” shares, and soon, regardless of what you do about third party access. (honestly, all my bells and whistles immediately went off when I read about that )

By: maclanachu

maclanachu — Mon, 26 Jun 2006 19:01:40 +0000

Thx guys,

re the vpn 3000 we do use that of a fashion in some solutions. But only where the 3rd party is coming in on a static IP. Most will not.

re the dual NICs, well they are Cisco guys mainly and see the config as insecure and unnecessary and how crap MS is at secuirty etc. etc.
I do have certain groups that I have set up for deny access but the problem is previous bozos have enabled shares giving access to the everyone group. Which makes it harder to manage bc I’d have to find them all. Better to restrict in the first instance where they can go at all, rather then deny what they can do when they get there if u know what I mean.

Mac

By: preytell

preytell — Mon, 26 Jun 2006 08:50:11 +0000

I’m assuming that you are using a Cisco VPN 3000 or some such device. The device itself can enforce rules on traffic per user, user group, etc.

Check out this link for a quick howto.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00803ec0ac.html