Restrict access to Share to combination of User + Computer

Hello,

I would like to restrict the access to some shares to a combination of User
+ Computer, so that this share can only be accessed when the user logs in on
a specific set of computers.

I have static VLANs in place.

What is the best way to handle this?
- EFS
- IPSEC server/computer isolation
- NAP

Any help would be appreciated,

Hans Hinnekint

"Hans Hinnekint" <hans.hinnekint@gmail.com> wrote in message
news:0DB1E758-62ED-4163-8F91-F191EE609C4D@microsoft.com...
> Hello,
>
> I would like to restrict the access to some shares to a combination of
> User + Computer, so that this share can only be accessed when the user
> logs in on a specific set of computers.
>
> I have static VLANs in place.
>
> What is the best way to handle this?
> - EFS
> - IPSEC server/computer isolation
> - NAP
>
> Any help would be appreciated,
>
> Hans Hinnekint

Hi Hans,

There is no direct way to meet those requirements.

If however you can say that all resources on the sharing machine
should only be accessed from a specific set of machines, then one
can use IPsec to enforce the access only "from these computers"
part and use NTFS/share-level permissions to enforce the access
only "by these users" part. Also, if you want to it is possible to
loosen the "all resources on the sharing machine" by having the
IPsec rules govern only the ports needed for filesharing, leaving
other accesses open to more machines.

I have seen a number of people attempt to meet reqs of your
scenario and the above is about as close as you can get with
the current off-the-shelf Windows.

Roger

Hello Roger,

Thanks, I was afraid I was overlooking something obvious.

Currently we are solving it by putting the server, together with the
machines that need access to it on a separate VLAN and putting a firewal
between this specific VLAN and the regular VLAN on which the DC and regular
servers + computers are located.

But I will keep on looking for something more elegant and dynamical.

Hans
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OTxJl4jmIHA.2396@TK2MSFTNGP02.phx.gbl...
> "Hans Hinnekint" <hans.hinnekint@gmail.com> wrote in message
> news:0DB1E758-62ED-4163-8F91-F191EE609C4D@microsoft.com...
>> Hello,
>>
>> I would like to restrict the access to some shares to a combination of
>> User + Computer, so that this share can only be accessed when the user
>> logs in on a specific set of computers.
>>
>> I have static VLANs in place.
>>
>> What is the best way to handle this?
>> - EFS
>> - IPSEC server/computer isolation
>> - NAP
>>
>> Any help would be appreciated,
>>
>> Hans Hinnekint
>
> Hi Hans,
>
> There is no direct way to meet those requirements.
>
> If however you can say that all resources on the sharing machine
> should only be accessed from a specific set of machines, then one
> can use IPsec to enforce the access only "from these computers"
> part and use NTFS/share-level permissions to enforce the access
> only "by these users" part. Also, if you want to it is possible to
> loosen the "all resources on the sharing machine" by having the
> IPsec rules govern only the ports needed for filesharing, leaving
> other accesses open to more machines.
>
> I have seen a number of people attempt to meet reqs of your
> scenario and the above is about as close as you can get with
> the current off-the-shelf Windows.
>
> Roger
>
>
>

Estimado amigo , no entiendo nada de lo que dice aqui
"Hans Hinnekint" <hans.hinnekint@gmail.com> escribió en el mensaje de
noticias news:0DB1E758-62ED-4163-8F91-F191EE609C4D@microsoft.com...
> Hello,
>
> I would like to restrict the access to some shares to a combination of
> User + Computer, so that this share can only be accessed when the user
> logs in on a specific set of computers.
>
> I have static VLANs in place.
>
> What is the best way to handle this?
> - EFS
> - IPSEC server/computer isolation
> - NAP
>
> Any help would be appreciated,
>
> Hans Hinnekint

[mannyborges]

The only way to surefire solve this issue is to segment the "trusted" computers and manage the traffic via some form of firewall/router.

Ipsec is the only elegant solution and can be administered via GP.