1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Deny Access - Sort of

Discussion in 'Windows Security' started by Lawson Poling, May 20, 2009.

  1. Lawson Poling

    Lawson Poling Guest

    I am looking to "Deny Access To This Server From The Network" across multiple
    servers for a single User Group. However... If there is a way to do this and
    still allow them to print through the servers, that would be great. Otherwise
    I'll have to set up those folks to print directly to a printer, or set up a
    different print server for them. I also would like to confirm that if I do
    make the Deny setting change, will the Users in the specified User Group
    still be able to authenticate to the network through those servers?
    Thanks!
     
    Lawson Poling, May 20, 2009
    #1
  3. secured2k@antispm.msn.com

    secured2k@antispm.msn.com Guest

    What are you trying to block?
    There are security policies to block access, but for printing to a print
    server, users will need access to authenticate and printer share. You could
    set permissions to deny on file shares (if any) and allow on the printers.

    This URL may have more information you are looking for:




    "Lawson Poling" <LawsonPoling@discussions.microsoft.com> wrote in message
    news:87A3E846-57A6-4CD0-A2C6-759E83502C55@microsoft.com...<!--coloro:blue--><span style="color:blue <!--/coloro-->
    >I am looking to "Deny Access To This Server From The Network" across
    >multiple
    > servers for a single User Group. However... If there is a way to do this
    > and
    > still allow them to print through the servers, that would be great.
    > Otherwise
    > I'll have to set up those folks to print directly to a printer, or set up
    > a
    > different print server for them. I also would like to confirm that if I do
    > make the Deny setting change, will the Users in the specified User Group
    > still be able to authenticate to the network through those servers?
    > Thanks! <!--colorc--><!--/colorc-->
     
    secured2k@antispm.msn.com, May 20, 2009
    #2
  4. Special Access

    Special Access Guest

    On Wed, 20 May 2009 11:57:01 -0700, Lawson Poling
    <LawsonPoling@discussions.microsoft.com> wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    >I am looking to "Deny Access To This Server From The Network" across multiple
    >servers for a single User Group. However... If there is a way to do this and
    >still allow them to print through the servers, that would be great. Otherwise
    >I'll have to set up those folks to print directly to a printer, or set up a
    >different print server for them. I also would like to confirm that if I do
    >make the Deny setting change, will the Users in the specified User Group
    >still be able to authenticate to the network through those servers?
    >Thanks!<!--colorc--><!--/colorc-->

    If you are trying to stop them from accessing the server, why not use
    "deny logon locally" and/or "deny logon interactively" to prevent
    this? They can still use the printers and file shares, just can't
    logon directly to the server.

    Otherwise, what are you trying to stop? there may be other ways of
    doing that than what you are doing above.

    Mike
     
    Special Access, May 20, 2009
    #3
  5. Lawson Poling

    Lawson Poling Guest

    Thanks to both of you for your reply. I want to block access to all existing
    Shares containing sensitive data for a specific User Group. I did that
    manually by using the 'Deny Access' Share permission, but this does not
    resolve potential issues for newly created Shares going forward, or from
    having sensitive data placed into existing Shares that does not currently
    have sensitive data in them.

    We're figuring a fire-and-forget solution would be best i.e. Deny access to
    the server altogether, with the exception of allowing printing and
    authenticating to the network.

    Thanks again.

    Lawson...

    "Lawson Poling" wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    > I am looking to "Deny Access To This Server From The Network" across multiple
    > servers for a single User Group. However... If there is a way to do this and
    > still allow them to print through the servers, that would be great. Otherwise
    > I'll have to set up those folks to print directly to a printer, or set up a
    > different print server for them. I also would like to confirm that if I do
    > make the Deny setting change, will the Users in the specified User Group
    > still be able to authenticate to the network through those servers?
    > Thanks!<!--colorc--><!--/colorc-->
     
    Lawson Poling, May 21, 2009
    #4
  6. secured2k@antispm.msn.com

    secured2k@antispm.msn.com Guest

    Proper administration of creating new shares is what is really needed to
    ensure they are not insecure when created. You could create a single root
    share and not allow others to make new shares. Instead allow them to create
    subfolders. This way you can set permissions on the root folder only.

    Also, if you don't want them to have access, set an NTFS permission to deny
    access to the group on your volumes containing the data.

    You could go even further an EFS encrypt sensitive data... but this could
    become complicated.

    Or you could just make a new print server (VM Server if needed) or allow
    users to print directly (loss of security/management) as you originally
    stated.


    Mark Brown
    secured2k

    "Lawson Poling" <LawsonPoling@discussions.microsoft.com> wrote in message
    news:5F939C56-C4BD-444B-B117-803B0CD1C04B@microsoft.com...<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > Thanks to both of you for your reply. I want to block access to all
    > existing
    > Shares containing sensitive data for a specific User Group. I did that
    > manually by using the 'Deny Access' Share permission, but this does not
    > resolve potential issues for newly created Shares going forward, or from
    > having sensitive data placed into existing Shares that does not currently
    > have sensitive data in them.
    >
    > We're figuring a fire-and-forget solution would be best i.e. Deny access
    > to
    > the server altogether, with the exception of allowing printing and
    > authenticating to the network.
    >
    > Thanks again.
    >
    > Lawson...
    >
    > "Lawson Poling" wrote:
    ><!--coloro:green--><span style="color:green <!--/coloro-->
    >> I am looking to "Deny Access To This Server From The Network" across
    >> multiple
    >> servers for a single User Group. However... If there is a way to do this
    >> and
    >> still allow them to print through the servers, that would be great.
    >> Otherwise
    >> I'll have to set up those folks to print directly to a printer, or set up
    >> a
    >> different print server for them. I also would like to confirm that if I
    >> do
    >> make the Deny setting change, will the Users in the specified User Group
    >> still be able to authenticate to the network through those servers?
    >> Thanks! <!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->
     
    secured2k@antispm.msn.com, May 21, 2009
    #5
  7. Lawson Poling

    Lawson Poling Guest

    Understood. Thank you very much!

    "secured2k@antispm.msn.com" wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    > Proper administration of creating new shares is what is really needed to
    > ensure they are not insecure when created. You could create a single root
    > share and not allow others to make new shares. Instead allow them to create
    > subfolders. This way you can set permissions on the root folder only.
    >
    > Also, if you don't want them to have access, set an NTFS permission to deny
    > access to the group on your volumes containing the data.
    >
    > You could go even further an EFS encrypt sensitive data... but this could
    > become complicated.
    >
    > Or you could just make a new print server (VM Server if needed) or allow
    > users to print directly (loss of security/management) as you originally
    > stated.
    >
    >
    > Mark Brown
    > secured2k
    >
    > "Lawson Poling" <LawsonPoling@discussions.microsoft.com> wrote in message
    > news:5F939C56-C4BD-444B-B117-803B0CD1C04B@microsoft.com...<!--coloro:green--><span style="color:green <!--/coloro-->
    > > Thanks to both of you for your reply. I want to block access to all
    > > existing
    > > Shares containing sensitive data for a specific User Group. I did that
    > > manually by using the 'Deny Access' Share permission, but this does not
    > > resolve potential issues for newly created Shares going forward, or from
    > > having sensitive data placed into existing Shares that does not currently
    > > have sensitive data in them.
    > >
    > > We're figuring a fire-and-forget solution would be best i.e. Deny access
    > > to
    > > the server altogether, with the exception of allowing printing and
    > > authenticating to the network.
    > >
    > > Thanks again.
    > >
    > > Lawson...
    > >
    > > "Lawson Poling" wrote:
    > ><!--coloro:darkred--><span style="color:darkred <!--/coloro-->
    > >> I am looking to "Deny Access To This Server From The Network" across
    > >> multiple
    > >> servers for a single User Group. However... If there is a way to do this
    > >> and
    > >> still allow them to print through the servers, that would be great.
    > >> Otherwise
    > >> I'll have to set up those folks to print directly to a printer, or set up
    > >> a
    > >> different print server for them. I also would like to confirm that if I
    > >> do
    > >> make the Deny setting change, will the Users in the specified User Group
    > >> still be able to authenticate to the network through those servers?
    > >> Thanks! <!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->
    > <!--colorc--><!--/colorc-->
     
    Lawson Poling, May 21, 2009
    #6

Share This Page