Restrict Server Access to Members of a Group Only
Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista
After you have configured the IPsec connection security rules that force client computers to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those computers or users who have been identified through the authentication process as members of the isolated server’s access group.
The way in which you restrict access to the isolated server depends on which version of the Windows operating system the server is running.
If the server is running Windows Server 2008 or Windows Server 2008 R2, then you create a firewall rule that specifies the user and computer accounts that are allowed. The authentication method used in the connection must support the account type specified. Remember that only Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 support user-based authentication.
If the server is running Windows Server 2003 or earlier, you do not use a firewall rule. Instead, you grant the user or computer accounts the Access this computer from the network user right and deny that right to all other accounts.
In this topic:
Create a firewall rule to access isolated servers running Windows Server 2008 or later
Remove default user rights from isolated servers running Windows Server 2003 or earlier
Grant user rights to access isolated servers running Windows Server 2003 or earlier
Administrative credentials
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create a firewall rule that grants access to an isolated server running Windows Server 2008 or later
Open the Group Policy Management Console to Windows Firewall with Advanced Security. You must edit the GPO that applies settings to servers in the isolated server zone.
In the navigation pane, right-click Inbound Rules, and then click New Rule.
On the Rule Type page, click Custom, and then click Next.
If you must restrict access to a single network program, then you can select This program path, and specify the program or service to which to grant access. Otherwise, click All programs, and then click Next.
If you must restrict access to only some TCP or UDP port numbers, then enter the port numbers on the Protocol and Ports page. Otherwise, set Protocol type to Any, and then click Next.
On the Scope page, select Any IP address for both local and remote addresses, and then click Next.
On the Action page, click Allow the connection if it is secure. If required by your design, you can also click Customize and select Require the connections to be encrypted. Click Next.
On the Users and Computers page, select the check box for the type of accounts (computer or user) you want to allow, click Add, and then enter the group account that contains the computer and user accounts permitted to access the server.
Warning
Remember that if you specify a user group on the Users page, your authentication scheme must include a method that uses user-based credentials. User-based credentials are only supported on versions of Windows that support AuthIP, such as Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2. Earlier versions of Windows and other operating systems that support IKE v1 only do not support user-based authentication; computers running those versions or other operating systems will not be able to connect to the isolated server through this firewall rule.
To remove default user rights to access an isolated server running Windows Server 2003 or earlier
On the isolated server, click Start, click Administrative Tools, and then click Local Security Policy.
Expand Security Settings, expand Local Policies, and then click User Rights Assignment.
In the navigation pane, double-click Access this computer from the network.
Select Authenticated Users, and then click Remove.
Select Everyone, and then click Remove.
Click OK to save your changes, and close the Local Security Policy window.
To grant user rights to access to an isolated server running Windows Server 2003 or earlier
Open Active Directory Users and Computers.
In the navigation pane, expand YourDomainName, right-click the container that your GPO is linked to, and then click Properties.
Click the Group Policy tab, select your GPO, and then click Edit.
In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select User Rights Assignment.
In the details pane, double-click Access this computer from the network.
In the Properties dialog box, select Define these policy settings, and then click Add User or Group.
Type the name of the isolated server access group, or click Browse to search for it.
Click OK in each dialog box to close it.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.