Computer networks
Vladimir Kivva, 2015-05-31 11:14:22

How to password protect access to win network resources?

Domain. Server 2008k2. By default, users have access to the shared folder via a mapped network drive, or they can get in by typing \\server\. This is how it is organized for everyone in most cases.
But the transparent authorization function must be turned off, or more precisely: if the PC is locked, then it must be impossible to get to network resources without a separate password entry.

  1. It was suggested to set up OpenVPN to the server via GUI + password without a certificate. In this case, how do I organize it correctly so that the speed is decent and only SMB traffic goes through the VPN, and not the entire Internet and the rest of the software?
  2. I saw policies in the domain that disable the ability to authorize to network resources via NTLM, but it did not work out. Even if it did, how long would access remain allowed? Until the user logs out? Will this affect the operation of group policies?

In other words: User A found out the login password of user B, sat down at his PC, got into his environment, but cannot get access to network resources without a second password.

5 answer(s)
Anton, 2015-05-31
@zionkv

Well, set up a NAS in a virtual machine or a separate standalone NAS, and get rid of the users' rights.
P.S.: do not join the NAS to the domain) authorization is built in)

Eugene, 2015-05-31
@yellowmew

"if the PC is locked, then it is no longer possible to access network resources without a separate password entry."

Could you explain this point in more detail?

"I saw policies in the domain"

So is the network peer-to-peer, or what?
As a rule, in a peer-to-peer network, access to the network resources of the server is made with user accounts created on the server.
On the client machines, connect network drives using the login and password of the account from the server.
If the user account on the server is blocked, access to the folder will accordingly also be disabled.

Alexander, 2015-05-31
@NeiroNx

Make scripts for user login and logout events.
1. If the username on the local PC matches the username on the remote PC, then by selecting the sharing model "Normal - users authenticate as themselves" you can access resources without entering a password.
2. Use Active Directory (Domain) to manage policies and rights.

nApoBo3, 2015-05-31
@nApoBo3

Let's extend the situation: user A found out both passwords of user B. What's next? Three passwords?
Do two-factor authentication. Let them carry the keys with them and not leave them in the computers.
You can even make keys with temporary passwords, i.e. a keychain that gives a new PIN code each time.
If you need two passwords, set up a non-domain file resource and put other passwords there, but IMHO this is a strange solution: why have a domain then?

Sergey, 2015-06-01
@edinorog

Maybe I'm dumb? Correct me if so! So... the user is working in the domain, and network folders are available to him with access specifically for his account. He walked away and the computer automatically locked after a couple of minutes. Then an attacker comes up, enters the user's password that he peeked at, and gets into Windows. Why reset something? I cannot understand. To enter the same password twice?)
