restricting admin to specific machines

Archived from groups: microsoft.public.win2000.security

Hiya everyone.

We have a server running TS, etc. We want to be able to admin the server,
but we want the admin to only be allowed from specific computers on the
domain. Since we have some fellows who VPN in, we want to block any admin
access to these machines from the VPN. HOWEVER, they should be able to log
in as regular users.

I.E. Regular user can TS or access machine over VPN or locally.
Admin can TS AND use admin tools from a local PC on the local domain.
Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.

Can this be done?
  1. Archived from groups: microsoft.public.win2000.security

    An admin is an admin no matter how they access the computer. You can "try" to
    restrict them; however, if they want they can reconfigure the restrictions on "that"
    computer. You can disable any user's ability to logon to a TS in their account
    properties and also use Remote Access Policies to restrict where a user can go, via
    input/output filters, on the local LAN when they access the network via VPN. IPsec
    can also be used possibly to restrict access to the TS from only authorized
    "computers". For instance the TS could be configured with an IPsec require policy
    [exempting domain controllers by IP address] and only those computers that could
    access it would have an IPsec client/respond policy. If certificates are used for the
    IPsec authentication you could prevent a user that is an administrator on only the
    local computer from obtaining the necessary certificate. The default Kerberos
    authentication would work but a local administrator could possibly configure his
    computer to have a compatible IPsec policy then. --- Steve


    "Alex Vladimir" <AlexVladimir@discussions.microsoft.com> wrote in message
    news:179F41A5-D97F-4838-8638-2E4BE3B3BE62@microsoft.com...
    > Hiya everyone.
    >
    > We have a server running TS, etc. We want to be able to admin the server,
    > but we want the admin to only be allowed from specific computers on the
    > domain. Since we have some fellows who VPN in, we want to block any admin
    > access to these machines from the VPN. HOWEVER, they should be able to log
    > in as regular users.
    >
    > I.E. Regular user can TS or access machine over VPN or locally.
    > Admin can TS AND use admin tools from a local PC on the local domain.
    > Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.
    >
    > Can this be done?
    >
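Because the restrictions discussed in the reply above can be reconfigured by an administrator, it helps to audit whether the access rules from the question actually hold. The following is an added example, not part of the original thread: it checks exported logon records against those rules. The VPN address pool, the authorised admin workstations, the account names and the simplified CSV layout are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumptions for this example (none of these values come from the thread):
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")          # addresses given to VPN clients
ADMIN_HOSTS = {ipaddress.ip_address("192.168.1.10"),
               ipaddress.ip_address("192.168.1.11")}    # authorised admin workstations
ADMINS = {"administrator", "jsmith-adm"}                # server's Administrators members
REMOTE_TYPES = {"3": "network (admin tools)", "10": "Terminal Services"}

# Constructed sample export: time, account, Windows logon type, source address.
SAMPLE = """time,user,logon_type,source_ip
2005-03-01T08:02:11,jdoe,10,10.8.0.23
2005-03-01T08:15:40,jsmith-adm,10,192.168.1.10
2005-03-01T09:47:05,jsmith-adm,10,10.8.0.23
2005-03-01T10:03:52,Administrator,3,192.168.1.77
2005-03-01T10:20:00,jdoe,3,not-an-ip
2005-03-01T11:00:00,jdoe,2,
"""

def classify(row):
    """Return None if the logon fits the policy, else a reason string."""
    if row["logon_type"] not in REMOTE_TYPES:
        return None                           # console logon etc.: out of scope
    try:
        src = ipaddress.ip_address(row["source_ip"].strip())
    except ValueError:
        return "unparseable source address"   # surface it rather than skip it
    if row["user"].strip().lower() not in ADMINS:
        return None                           # regular users may connect from anywhere
    if src in VPN_POOL:
        return "admin logon from VPN pool"
    if src not in ADMIN_HOSTS:
        return "admin logon from unauthorised LAN host"
    return None

def audit(text):
    """Return (time, user, source_ip, logon kind, reason) for each violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reason = classify(row)
        if reason:
            findings.append((row["time"], row["user"], row["source_ip"],
                             REMOTE_TYPES[row["logon_type"]], reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

Regular users connecting over the VPN pass the check; only remote logons by admin accounts from the VPN pool or from a LAN host outside the authorised list are reported, along with records whose source address cannot be parsed.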