|
Access Control |
[Top] [Previous] [Next] | |||||||||
The Access Control function is an auxiliary security mechanism in NetMan Desktop Manager. Use this feature whenever logins are not explicit; for example, with anonymized access by anonymous users. With the Access Control program you can define groups that are permitted to access your NetMan Desktop Manager system. You can use it to control access either by all groups defined, or by all users and groups not defined in the Access Control configuration. This feature regulates access control on the basis of AD user groups or IP addresses/host names. For IP addresses or host names, you can define permitted and excluded addresses and groups. For permitted IP address and host ranges, you can further define which user names are permitted access. In this manner you can create sophisticated systems of rules to prevent unauthorized access. NetMan Access Control is recommended in particular for use in systems that allow anonymous users. Even with anonymized login, this program gives you control over who can log in and who cannot.
When defining groups and access privileges, keep in mind that the administrator always has access to your NetMan Desktop Manager system. Do not advertently block administrator accounts from running NetMan Client, as this would block access to the NetMan Desktop Manager administrative programs.
With the default settings, the Access Control utility is not active. You can activate and configure it in the NetMan section of the NetMan Settings, on the Access control page:
To use Access Control, tick the box next to Activate access control for NetMan Client. For information on the options available on this page, see "NetMan Settings/NetMan/Access control".
To specify IP address ranges, use CIDR notation (for example, "192.168.0.0/16" rather than "192.168.0.0.-192.168.255.255").
Two sample configurations of the Access Control feature are presented in the following:
Example 1
You want to make applications available on a Remote Desktop Session Host for a specific group of users without requiring the users to log in on this server, and for this reason have implemented anonymous user accounts. At the same time, you want to limit access according to client station IP address.
In this scenario, Access Control is implemented for the AD user group "NMAnon":
With the settings shown above, the user names for the anonymous users (NMANON001, NMANON002, etc.) are replaced by the three IP-based user names. These are more useful than strictly anonymous user names; for example, for recording application usage and for granting permissions, because users can be identified at least with regard to IP address or host name. At the same time, the users HHIPANON and HHANON can be allocated to normal user groups with permission to run certain NetMan Scripts.
If you delete the third rule (with the IP range defined as 0.0.0.0/0), only computers that have IP addresses within one of the first two ranges are granted access.
Example 2
You want to grant access for all Active Directory Service (ADS) users while at the same time limiting or denying access for users with local accounts. To do this, you can define ADS users as the configured group, and have the access control rules applied to the groups that are not configured:
Now, when a user with a local account runs NetMan – for example, "Administrator" on station XYZ – that user is either assigned the HHANON user ID (rather than "Administrator" or "XYZ\Administrator") or, depending on the IP address, denied access altogether.