Restricting VPN clients


From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 03/07/04

Date: Sun, 7 Mar 2004 05:10:15 -0800

Since VPN clients are authenticated and authorized using
Windows Authentication, the Domain credentials you use can
be used to restrict or permit access to resources.

Your concern about remote, unmanaged Users connecting into
your network is valid. Take a look at Microsoft's
Quarantine solution. When the user dials into your
network, before the User is authorized RRAS runs a script
that queries the client for the existence of particular
files and programs... so for instance you can require
remote users to have AV, an up to date AV definition file
and service pack/patch level. If the User is missing
anything, instructions are provided on what is required
before trying again.

Tony Su

>-----Original Message-----
>We have ISA configured to allow incoming VPN connections.
> Is there a way to limit what each VPN client (or a group
> of VPN clients) can do while it is connected? VPN clients
> are authenticated through their domain credentials, so for
> example is it possible that domain user "joe" could only
> access a particular terminal server on our internal network
> while connected via VPN, while user "dan" could access all
> hosts on the internal network?
> Since it will be possible that VPN clients will be infected
> by viruses (we don't have control over their laptops; they
> use laptops to surf the Internet from their homes and their
> laptops could be unpatched), and a particularly big threat
> are those infected with the new generation of viruses like
> Nachi and Blaster.
> Therefore we thought of restricting *ALL* VPN clients'
> access to ports on our internal network hosts that those
> viruses use (effectively eliminating the use of file shares
> on hosts in the internal network).
> Is it possible to limit VPN clients like that?
>
> Drazen
>.
>
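The two controls discussed in this thread, per-user (or per-group) access to internal hosts and a blanket block on worm-abused ports for every VPN client, can be modelled as a small default-deny policy evaluator. This is an added example, not code from the thread or from ISA/RRAS; the user names follow the question, while the group names, the 10.0.0.0/8 addresses, the terminal server IP and the port list are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the "ports those viruses use" are TCP 135 (RPC/DCOM, abused by
# Blaster and Nachi) plus the file-sharing ports 139 and 445. Blocking them for
# every VPN client also removes file-share access, as the question notes.
WORM_PORTS = {135, 139, 445}

# Constructed stand-in for a Windows domain group lookup.
GROUPS = {"joe": {"vpn-users"}, "dan": {"vpn-users", "vpn-admins"}}

INTERNAL = ip_network("10.0.0.0/8")            # constructed internal range
TERMINAL_SERVER = ip_network("10.0.1.20/32")   # constructed terminal server


@dataclass(frozen=True)
class Rule:
    principal: str            # "user:<name>" or "group:<name>"
    networks: tuple           # destination networks the principal may reach
    ports: Optional[frozenset]  # allowed destination TCP ports; None = any


# Allow rules only; anything not matched falls through to deny.
POLICY = [
    Rule("user:joe", (TERMINAL_SERVER,), frozenset({3389})),  # joe: RDP to one host
    Rule("group:vpn-admins", (INTERNAL,), None),               # dan: any internal host
]


def principals(user: str) -> set:
    """Identities a connection carries: the user plus every domain group."""
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, ())}


def decide(user: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny'. The global worm-port block is checked first,
    so it applies to every client regardless of any per-user allow rule."""
    if dst_port in WORM_PORTS:
        return "deny"
    ip = ip_address(dst_ip)
    mine = principals(user)
    for rule in POLICY:
        if rule.principal in mine and any(ip in net for net in rule.networks):
            if rule.ports is None or dst_port in rule.ports:
                return "allow"
    return "deny"  # default deny: unknown users and unlisted hosts get nothing
```

Evaluating deny rules before allow rules is what keeps the port block effective even for broadly privileged accounts such as "dan".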
