Re: Restricting VPN access
Problem here was cached credentials.

If you are logged into your network with User ID A, then move your computer
outside of the internal network and connect into the internal network using
User ID B over VPN.

User ID B is explicitly listed in deny access on items. User ID A has full
control over the item.

You can access the items because your cached credential allows it, even
though the VPN user ID (User ID B) is explicitly denied.

This probably would not occur in the real world, but it makes testing things
a real bitch.

--Matt
"Matt Sullivan" <matt@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uBrADh0KGHA.2040@xxxxxxxxxxxxxxxxxxxxxxx
Finally got the VPN access working using ISA 2004 SP1. Now we would like
to restrict access for a specific domain account to one server on the
internal network.

Here are the things I tried:
1. Using Active Directory Users & Computers, right-clicking on a machine
and denying access to a particular user. This appears to do nothing.

2. Going to a shared drive which we want to restrict access to, going to
the permissions for the share, removing Everyone and adding specific
users (even adding deny access to the account we want to restrict). This
doesn't do anything either.

I've tried having the VPN user log out and back in to see if that helped.
It didn't.

The user I have testing this is logged into a laptop with a valid domain
account. He then uses an external connection and VPNs into the network,
authenticating with the restricted account info. It has crossed my mind
that his valid domain account could be affecting the authentication, but
I would be surprised if Windows would use the other authentication
without asking.

I admit I am a developer, not a network admin (doing this because all the
other developers here don't want to and we don't really have a network
admin). The steps I tried are admittedly naive, but the documentation on
how to get this working is either terrible or non-existent. So far the
documentation I have read gives the 1000 ft view of how things operate.
These are great until things break or don't work. Then you have no idea
where/how to begin fixing them.

I'd appreciate any help anyone can provide.
--Matt
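As an added example (not code from this thread or from Microsoft): the way to tell which account a file-share test is really exercising is to look at the identity on the SMB connection, not at the account typed into the VPN client. The VPN dial-in authenticates the tunnel only; SMB reuses the interactive logon's token, so a deny ACE for the VPN account is never evaluated unless the share is connected explicitly as that account. The script below shows the client-side check, a forced reconnect as the restricted account, and the matching server-side evidence. The server, share and account names (FILESERVER, Restricted, DOMAIN\userB) are hypothetical placeholders.

```powershell
# Added example, not code from the thread. FILESERVER, Restricted and
# DOMAIN\userB are hypothetical placeholders; substitute your own.

function Show-SmbIdentity {
    param([string]$Server = 'FILESERVER')

    # Over a VPN the interactive session is still the account that signed in
    # at the console (User ID A in the thread). The VPN client's account only
    # authenticates the tunnel, so SMB silently reuses the console identity.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Host "Console identity: $me"

    # Per-connection view for the current logon session. UserName is the local
    # session owner; Credential is the account presented to the server. If both
    # show User ID A, the deny ACE for User ID B was never evaluated.
    Get-SmbConnection |
        Where-Object ServerName -eq $Server |
        Select-Object ServerName, ShareName, UserName, Credential, Dialect
}

function Test-ShareAsUser {
    param(
        [string]$Server   = 'FILESERVER',
        [string]$Share    = 'Restricted',
        [string]$TestUser = 'DOMAIN\userB'
    )
    $unc = "\\$Server\$Share"

    # Windows refuses a second connection to the same server under a different
    # account while one already exists (error 1219), so drop the implicit one
    # made with the console logon and clear its Kerberos tickets first.
    net use $unc /delete /y 2>$null | Out-Null
    klist purge | Out-Null

    # Connect explicitly as the restricted account. This is what makes the
    # server evaluate User ID B against the share and NTFS ACLs.
    $cred = Get-Credential -UserName $TestUser -Message "Password for $TestUser"
    try {
        New-PSDrive -Name T -PSProvider FileSystem -Root $unc `
            -Credential $cred -ErrorAction Stop | Out-Null
        Get-ChildItem T:\ -ErrorAction Stop | Out-Null
        Write-Host "$TestUser CAN read $unc -> the restriction is not effective"
        return $false
    } catch {
        Write-Host "$TestUser is denied on $unc -> $($_.Exception.Message)"
        return $true
    } finally {
        Remove-PSDrive -Name T -ErrorAction SilentlyContinue
    }
}

# Run on the file server (needs local admin). A session showing DOMAIN\userA
# from the laptop while the tester believes they are userB is exactly the
# symptom the thread describes.
function Show-ServerSessions {
    Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle

    # Matching evidence in the Security log: 4624 with logon type 3 (network)
    # names the account the share actually authorised. Property index 8 is
    # LogonType, 5/6 are TargetUserName/TargetDomainName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
        Where-Object { $_.Properties[8].Value -eq 3 } |
        ForEach-Object {
            '{0}  {1}\{2}' -f $_.TimeCreated, $_.Properties[6].Value, $_.Properties[5].Value
        }
}

# Client side: see what you are really connecting as, then retest explicitly.
Show-SmbIdentity
Test-ShareAsUser
Show-SmbIdentity
```

Run Show-SmbIdentity before and after Test-ShareAsUser on the VPN laptop: the first call typically lists the console account on every connection to the server, the second lists the restricted account, and only the second result says anything about whether the deny ACE works. Show-ServerSessions on the file server gives the same answer from the other end and is the check to keep once testing is over, since it does not depend on what the client believes it sent.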