Active Directory
Nday001, 2020-01-20 16:05:54

How to create an account in a domain with access to only 1 folder and RDP login rights?

There are 3 file servers running Windows Server 2008 R2 (in a domain). You need to give a third-party employee access to a specific folder (D:\Program files\SOFT\) on each file server under one account. The employee will connect using RDP, download a few MB of data, run a (predefined) .exe file and disconnect.
I do not like the option of setting NTFS deny rules on every directory other than the one the user will work with.


1 answer(s)
Ilya Devyatkov, 2020-01-30
@D60WIZARD

Not enough details.
Firstly, as already noted in the comments: terminal servers, do you have them?
Or how do you organize RDP?
I.e., will he connect to each server separately via RDP? Just from the outside? Or can AD Federation Services be configured?
Maybe a claims provider trust and a relying party trust need to be implemented?
Or Dynamic Access Control with a user claim is applicable here.
Folder access: OK. With what permissions?
And at what integrity level does this "exe" run? I.e., the program may have different dependencies and requirements in terms of permissions on directories and so on? And then you cannot avoid privilege escalation.
