There is a CIFS server running (out of my direct control). It only accepts incoming connections from the other server in question, running on Windows Server 2012 R2, but besides that the CIFS server does not (seem to) care about other access control.

Now on that second server (the Windows server), there are multiple users. Some of those users should be able to connect to the CIFS server. Some other users should not be allowed to access it at all.

How can I restrict access to the CIFS server from the Windows server securely? I have tried blocking access to the ports required to connect to (any) CIFS server through Windows Firewall, but that firewall does not support outbound rules for just a subset of users, so I can only either block access for all users or none at all.

I would rather not install a third-party firewall, nor block access using the IP address of the CIFS server, as it is not guaranteed that the CIFS server's IP address never changes.

Tgys
  • There is a reasonable, standard way to set permissions on a share and a firewall isn't it. – Jim B Dec 01 '16 at 01:02

1 Answer

It sounds like you're trying to work around a political problem with a technical solution.

The "right" (IMHO) way to do this is to stop trying to hack up user-specific outbound firewall rules and just implement proper user/group-based security directly on the file server so it doesn't matter where the users are coming from. Only the designated users can access the resources.

The political hurdles preventing you from implementing proper file server security are where you should expend your effort. Short of that, it will likely be just as effective to create an "official policy" that only X users can use the file server. And anyone caught breaking policy will have appropriate actions taken.

Ryan Bolger
  • Valid reasoning, will be trying to introduce authentication to the file server. Seems like that is also a less fragile way of achieving what I want. – Tgys Dec 01 '16 at 17:52