My company needs to allow an employee from another company into our network and give him access to our development servers. The problem is we do not want him to be able to access anything else on the network besides those two servers. He should not even be able to ping or view them.
The configuration is as follows.
User will connect to the network using a VPN. Once connected he will set up a remote desktop session to two of our servers. From these sessions, inside our network, we do not want him to be able to view the other servers or PCs on the network.
Currently the network is not subnetted. The network has one router and two switches. We could buy another router and subnet the network, but this does not solve the problem of him being able to view, access and ping the other computers.
The problem also is that the PCs have to be able to access the two servers that he is accessing, while he must not be able to access them.
Thank you for your time and suggestions and any help in advance!
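One way to model the asymmetric policy the question asks for (the VPN user may open RDP to the two servers only; the PCs may open connections to the servers; nothing new may be opened from the servers or from the VPN toward the rest of the LAN, pings included) is a stateful, first-match filter. This is an added example, not code from either poster; the address ranges and the `ConnTracker` helper are constructed for illustration.

```python
# Added example: a small first-match, stateful packet-filter model of the
# policy described in the question. All addresses are constructed.
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.99.0.0/24")                 # contractor's VPN addresses (assumed)
LAN = ip_network("192.168.1.0/24")                    # office LAN (assumed)
DEV_SERVERS = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}  # the two servers (assumed)
RDP = ("tcp", 3389)


def new_connection_allowed(src, dst, proto, dport=None):
    """Policy for packets that OPEN a connection. Replies to an accepted
    connection are handled by connection tracking, not by these rules."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. The contractor (VPN pool) may only open RDP to the two dev servers.
    if src in VPN_POOL:
        return dst in DEV_SERVERS and (proto, dport) == RDP
    # 2. The dev servers may not open anything toward the LAN or the VPN pool.
    #    This is what keeps his RDP session from reaching or pinging other hosts.
    #    (Checked before rule 3 because the servers also sit inside LAN.)
    if src in DEV_SERVERS:
        return not (dst in LAN or dst in VPN_POOL)
    # 3. Ordinary LAN PCs may open connections to the servers and to each other.
    if src in LAN:
        return dst not in VPN_POOL
    return False


class ConnTracker:
    """Minimal connection table: once a connection is accepted, replies on the
    reversed 5-tuple are allowed, so PCs get answers from the servers even
    though the servers may not initiate anything themselves."""

    def __init__(self):
        self.established = set()

    def filter(self, src, dst, proto, dport=None, sport=None):
        key_fwd = (src, dst, proto, sport, dport)
        key_rev = (dst, src, proto, dport, sport)
        if key_rev in self.established:       # reply to an accepted connection
            return True
        if new_connection_allowed(src, dst, proto, dport):
            self.established.add(key_fwd)
            return True
        return False
```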
The problem is, you're giving the user remote desktop access to a machine, which itself has access to resources he needs while using that desktop. In short, you want him to have access, and you don't want him to have access. I'm not sure this is possible, they're mutually exclusive requirements.
What you might do is create a VM that he connects to, and thus control what’s passed to the VM from the host (the one that has greater access). Using the VM, you may be able to isolate the VM sufficiently that all he really sees is the VM (of course) and host. The VM could act as a sort of proxy to the resources he needs, hiding the details and limiting his access to only those resources.
To be honest, I haven't thought this completely through; this is just off the top of my head. But I think this is where I would concentrate my efforts if it were my problem, because the fact he’s using a remote desktop almost forces you to. A lot would depend on the VM as far as the breadth of features applicable to your specific needs. I use VirtualBox for desktop purposes, but of course there are heavy-duty solutions like VMware, Microsoft's own virtualization products, etc.
P.S. You might also want to consider Hamachi for your VPN in this particular case. This would allow you to keep him completely off your company’s own VPN. He’d connect over the 5.x.x.x network using a named network of your choosing. That *really* isolates him to the VM rather than mucking w/ your company VPN and perhaps inadvertently introducing security risks.