VPN users have full access

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I have some users on our very small network (Win 2000
Server with IAS for the gateway, and Win 2003 server
behind for all other services) who only access our
network by VPN.
The users have dial-in access enabled in AD (although
they will actually connect over the internet) and they
are not even members of the domain users group - just a
new group that only has rights to one share.
However connecting to the VPN as these users gives me
full access to all directories and files on the network
even if I explicitly deny access. Help! Any ideas
appreciated!
 

ozone
May 3, 2004

When the user logs in, use a prog that will show the group membership for
that login. Some use the SID and others use login name... You may see that
they are part of a dial-in group or a default group that is giving them more
access rights. Also, use an ACL dump prog to check the ACLs on the
directories and files in question to see who actually has access to them...

HTH
Ozone
"David Armstrong" <anonymous@discussions.microsoft.com> wrote in message
news:2806701c46410$311a2d70$a401280a@phx.gbl...
> I have some users on our very small network (Win 2000
> Server with IAS for the gateway, and Win 2003 server
> behind for all other services) who only access our
> network by VPN.
> The users have dial-in access enabled in AD (although
> they will actually connect over the internet) and they
> are not even members of the domain users group - just a
> new group that only has rights to one share.
> However connecting to the VPN as these users gives me
> full access to all directories and files on the network
> even if I explicitly deny access. Help! Any ideas
> appreciated!
 
Guest

Maybe they are not authenticating as you think. When they are connected to the
share that they should not have access to, look in Computer Management/Shared
Folders/Sessions to see how they are connected. Keep in mind that you can use
Remote Access Policies in RAS to create input/output filters to restrict access
to LAN computers based on IP address. --- Steve


"David Armstrong" <anonymous@discussions.microsoft.com> wrote in message
news:2806701c46410$311a2d70$a401280a@phx.gbl...
> I have some users on our very small network (Win 2000
> Server with IAS for the gateway, and Win 2003 server
> behind for all other services) who only access our
> network by VPN.
> The users have dial-in access enabled in AD (although
> they will actually connect over the internet) and they
> are not even members of the domain users group - just a
> new group that only has rights to one share.
> However connecting to the VPN as these users gives me
> full access to all directories and files on the network
> even if I explicitly deny access. Help! Any ideas
> appreciated!
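
Added example, not part of the original thread or any poster's code: a simplified Python model of how Windows evaluates a DACL against the SIDs in a session's token, showing why both replies matter (an explicit deny only bites if the session really carries that user's SID, and a broad default-group ACE can grant more than intended). The domain SID, RIDs, ACLs and the "session authenticated as an administrator" scenario are constructed assumptions for illustration.

```python
# Added illustration: simplified model of Windows DACL evaluation.
# All SIDs, RIDs and ACLs below are constructed sample data.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

DOM = "S-1-5-21-1111-2222-3333"              # constructed domain SID
EVERYONE, AUTH_USERS = "S-1-1-0", "S-1-5-11"  # well-known SIDs
DOMAIN_ADMINS, ADMIN = DOM + "-512", DOM + "-500"
VPN_USER, VPN_GROUP = DOM + "-1105", DOM + "-1106"  # hypothetical accounts

@dataclass(frozen=True)
class Ace:
    kind: str   # "deny" or "allow"
    sid: str
    mask: int

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order; only ACEs whose SID is in the token count."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE is for someone else
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False                  # a still-needed right is denied
        if ace.kind == "allow":
            granted |= ace.mask
        if granted & desired == desired:
            return True                   # everything requested is granted
    return False                          # ran out of ACEs: implicit deny

def applicable_aces(token_sids, dacl):
    """What a group listing plus an ACL dump tells you: ACEs hitting this token."""
    return [a for a in dacl if a.sid in token_sids]

# Token the admin expects the VPN session to carry.
vpn_token = {VPN_USER, VPN_GROUP, EVERYONE, AUTH_USERS}
# Token of a session that actually authenticated as an administrator.
admin_token = {ADMIN, DOMAIN_ADMINS, EVERYONE, AUTH_USERS}

# Folder with an explicit deny for the VPN user (deny ACEs listed first).
locked = [Ace("deny", VPN_USER, FULL),
          Ace("allow", DOMAIN_ADMINS, FULL),
          Ace("allow", EVERYONE, READ)]
# Folder left with a broad default-group ACE and no deny.
open_default = [Ace("allow", EVERYONE, FULL)]

if __name__ == "__main__":
    for name, tok in (("vpn user", vpn_token), ("admin session", admin_token)):
        print(name, "locked:", access_check(tok, locked, FULL),
              "open_default:", access_check(tok, open_default, FULL))
```

If the model's "admin session" row matches what you observe on the real server, compare the account shown under Shared Folders/Sessions with the one you believe you logged in as before changing any ACLs.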