  1. #1

    Remote workers access rights - SBS 2008

    Is it possible to configure Terminal Services within SBS2008, so a user who accesses a network server from the office where the physical network is located, but also remotely, has different access rights in each case?

    The scenario I wish to implement is one where there would be areas of the server drives which they would not be able to access remotely, but would be able to when they are in the office.

    Thanks in anticipation.

    Neil

  2. #2
    I can't see how this can be done. Access is controlled by NTFS permissions and these are tied to the user SID.
    You could create a second ID for remote access, but I can't see that going down well with the users.

    cheers, Paul

  3. #3
    Thanks for the reply, Paul. My IT guy says much the same thing, but I honestly can't imagine that I am the only company proprietor who feels uncomfortable letting a worker have access to the full drive and directories they can access when physically at work, from the comfort of their own home!

    The argument goes that if the data / drives are sensitive, then why give permission to the worker to access these when in work?

    I accept this, but I also think that there is a huge difference between accessing data in the workplace with colleagues / supervisors all around, to dialling in and downloading from the comfort of your home, with no-one around!

    Surely the IT industry must have come across this dual-rights desire amongst other of their business customers....

    .... or maybe it is just me!!

    Anyone else got any clever ideas?

    Thanks

    Neil

  4. #4
    We usually restrict what users can do via the remote connection, e.g. no downloading of documents, but it's actually easier to email them from work anyway.
    If you need staff to work from home you could set up remote access to launch only the required application, but copy / paste still works so you haven't really gained much.
    Welcome to the quandary that is secure remote access!

    cheers, Paul
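
Added example, not part of the original thread: the session restrictions mentioned in post #4 correspond to the Terminal Services device-redirection policies, and this PowerShell sketch reports which channels (client drives, clipboard, printers, ports) a server's policy closes. The function names and the sample values are constructed for illustration; the registry value names are the standard Group Policy ones.

```powershell
# Added example (not from the thread). Value names are the Group Policy
# registry values for Terminal Services device redirection.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name and the channel that a setting of 1 closes
$Checks = @(
    @{ Name = 'fDisableCdm';  Channel = 'Client drive redirection' },
    @{ Name = 'fDisableClip'; Channel = 'Clipboard redirection (copy / paste)' },
    @{ Name = 'fDisableCpm';  Channel = 'Client printer redirection' },
    @{ Name = 'fDisableLPT';  Channel = 'LPT port redirection' },
    @{ Name = 'fDisableCcm';  Channel = 'COM port redirection' }
)

function Get-RdpPolicyValues {
    # Read the live policy key; an empty table means no policy is configured
    $table = @{}
    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        foreach ($c in $Checks) {
            $v = $props.($c.Name)
            if ($null -ne $v) { $table[$c.Name] = $v }
        }
    }
    return $table
}

function Test-RdpRedirectionPolicy {
    param([hashtable]$Values)   # value name -> DWORD, so it can be tested offline
    foreach ($c in $Checks) {
        $blocked = $Values.ContainsKey($c.Name) -and ($Values[$c.Name] -eq 1)
        New-Object PSObject -Property @{
            Value   = $c.Name
            Channel = $c.Channel
            Blocked = $blocked
        } | Select-Object Value, Channel, Blocked
    }
}

# Constructed sample: drive redirection blocked, clipboard still open
$sample = @{ fDisableCdm = 1; fDisableClip = 0 }
Test-RdpRedirectionPolicy -Values $sample | Format-Table -AutoSize

# On the terminal server itself:
# Test-RdpRedirectionPolicy -Values (Get-RdpPolicyValues) | Format-Table -AutoSize
```

A value that is absent or 0 is reported as not blocked, which is how the sample's open clipboard channel shows up.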

  5. #5
    Well it certainly is a quandary, Paul! Thanks for your replies.

    I'd still be very interested to learn how other companies work around this issue...

    Neil

  6. #6
    If you don't block USB/removable/CDRW at the office, it won't matter what remote access they have.

  7. #7
    Neil, I do this for a living and there are no clever ideas that will fix the problem. If your users have access to network resources, it is impossible to restrict access when logging on via a particular machine unless that machine is not on the network.

    cheers, Paul

  8. #8
    Thanks Paul. That's exactly what my IT Manager tells me (and he's called Paul too!!).

    Maybe something for networking software engineers to consider for the future tho'? (not that I expect any of them will be reading this!).

    Cheers

    Neil

  9. #9
    The problem with that approach is that most people expect to be identified as who they are and have privileges accordingly. They expect to be able to work & access data the same way no matter where they are. Certain restrictions on data downloading are acceptable security issues but if you restrict data access you predetermine their effectiveness away from the office.

    If you need to control access and identity there are ways of doing that pretty effectively. But remember that as you ratchet up security it generally becomes much more expensive to implement and much more of a pain for the end user.

    Joe

  10. #10
    Sorry to be a killjoy, but as a disabled veteran whose personal information was put at risk when VA employees took laptops home to do work, and then "lost" them, I'm not a fan of employees taking "company" stuff home with them. I'm aware that employers tend to like workaholics, but there comes a point where security has to trump productivity...
    I don't usually comment in the Windows Secrets Lounge, but this issue hits me where I live!
    Dave
    David Finster
    United Church of Christ Minister, Retired
    Member, International Conference of War Veteran Ministers
    Chaplain and Life Member, Vietnam Veterans of America Chapter 933
    Life Member, Disabled American Veterans

  11. #11
    The question of permissions and access is one which IT managers can control, but the action of control then creates problems for end users that usually, in my experience, lead to the removal of the controls by management dictate. USB drives etc. make data distribution a nightmare for IT, as large numbers of users require a USB port to sync portable devices. Limiting access to, say, Outlook web Interface is one option - so a user can have the work needed available in an email, and can then create and save work at the remote site to either bring in via a laptop, or send in via email.
    Last edited by pccoyle; 2011-02-17 at 13:49.
    Paul Coyle
    Approach love and cooking with reckless abandon

  12. #12

    lockout by ip

    Hi, can you logout by IP address? I'm not familiar with term service, but does it have the ability to figure out if the IP of the requesting client is not within the company's IP address range, so that it will just block the accessing of the data? Or give the user a different user name/account when they are working at home, e.g. at work sign in as joe and at home as joe-home.



  13. #13
    Ever hear of Results Only Work Environment (ROWE)? Program started at Best Buy Headquarters by Jody Thompson and Cali Ressler, now a book and a look at the future. Work from anywhere, at anytime. My department of 3000 people has fully implemented the program, results are great, workers happier, lives better balanced and no security breaches of any kind - we use Net Motion for mobile connectivity, instant messaging and email for communication, are developing video conferencing for meetings and more. It is a challenge for those of us of a certain age to adapt to the idea of people not in our sight line actually working, but using their protocols we established clear results for which staff are accountable. It is the way of the future, less investment in infrastructure, reduced congestion on our freeways, improved productivity and higher morale. And, I was never actually standing at my staff's desks to be sure they were working when they were mostly right outside my office. We've been at it a year now. There are solutions out there for security and connectivity as well as productivity measures. People working from home is not going away from what I read, it continues to trend upward. The good news to that is there will be ever-increasing ideas about how to accomplish your objectives without compromising the security of your data. :^) gene
