Restricting access to shared folder by IP address.

nektar

How do I grant access to local folder based on IP address?

I want to share my D volume only to another computer at my home via its local IP address (10.0.0.2 in this case). It will be shared as a read-only network folder (with some subfolders which cannot be accessed at all), and I will need to map it as a drive on the other PC. And if someone appears to be connected to my router via Wi-Fi, he won't be able to access my shared folders (given the fact that his IP address is something like 10.0.0.3 or 10.0.0.5).

I already set the drive to be shared as read only by Authenticated Users (I made a non-admin user to be logged in to my PC), but apparently anyone who knows my username and password may access the files.

Is there any kind of network policy which allows only a specific user at a specific IP address to view and read my shared folder?

Thanks a lot...
 

My Computer

Computer type: PC/Desktop
Computer Manufacturer/Model Number: Custom build.
OS: Windows 7 Ultimate x64
CPU: Intel Core i7 930
Browser: Firefox
Is the IP static? If it's via DHCP it would change. Is it just Wi-Fi you're blocking? On a lot of routers there is an option called user isolation or similar; this blocks all Wi-Fi from seeing the local PC.
 

It is the local IP address of the computer. Not the external one, given by the ISP.
(Appears in "ipconfig /all" command as IPv4 address.)

For example, I have 4 devices connected to my router at home (by LAN or WiFi).


  1. PC for storage and work - Local IP: 10.0.0.1.
  2. PC for music / films / gaming / multimedia - Local IP: 10.0.0.2.
  3. Printer - Local IP: 10.0.0.3
  4. My Phone (via WiFi) - Local IP: 10.0.0.4

I want to share a folder at the work PC (10.0.0.1), only to be seen and accessed by the multimedia PC (10.0.0.2).
 

As far as I know, there is no built-in option for restricting access based on client IP, but rather only on user/password, then setting permissions on those. Windows will accept all connections from anywhere, as long as they provide the proper credentials.

You could use a firewall to restrict incoming connections on port 445 (the one used for the shared folders through the SMB protocol) only from specific hosts. Windows firewall for example is certainly capable of doing so. This however will block access entirely for those IPs, not only specific users.

I think, however, that your approach is not ideal at all. Putting a block on a particular IP address is not too complicated to bypass (any computer can choose its local address as long as it's not used). Moreover, in your first post you mention some things that may indicate deeper security problems than just an IP control:


"And if someone appears to be connected to my router via Wi-Fi"

A better question would be, why would anyone be allowed into your wifi at all? If your router is only a private network, keep it private, put a strong password on it and don't share that with anyone you don't trust. Anyone else will be simply unable to even enter your local network, therefore unable to even see the computer hosting the protected shares.


"but apparently anyone who knows my username and password may access the files."

Yes, that's totally correct. Problem is, nobody but you should ever know your password. That's true for every password you set (for instance, if I knew your SevenForums password, I would be able to impersonate you here). It seems to me that you protect your passwords only lightly and don't mind sharing them freely, so the main thing I would do is to properly ensure that your credentials are secret, as every system would assume that they are secret.
If you think that anyone knows your password, just change it and ensure only you know it. Doing so will prevent anyone else but you from accessing your computer.
 

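The firewall restriction suggested in the reply above, as an added example that is not part of the original thread. It uses only `netsh`, so it also applies to the Windows 7 host in the question; the rule name is constructed, and the built-in group name assumes an English-language Windows install.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# prompt on the PC that hosts the share (10.0.0.1 in the thread).
$AllowedHost = '10.0.0.2'            # the multimedia PC from the thread
$RuleName    = 'SMB-In-AllowedHost'  # constructed rule name (assumption)

# 1. Check that the default inbound policy is "block": the allow rule below
#    only restricts anything if unmatched inbound traffic is dropped.
netsh advfirewall show allprofiles firewallpolicy

# 2. Disable the built-in sharing rules, which are not limited to one host.
#    Assumption: English Windows; the group name is localized elsewhere.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

# 3. Allow SMB (TCP 445) only from the single permitted address.
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=445 remoteip=$AllowedHost

# 4. Log dropped connections so attempts from other hosts become visible.
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Confirm the rule's scope, then review recent drops aimed at port 445.
#    Log fields: date time action protocol src-ip dst-ip src-port dst-port ...
netsh advfirewall firewall show rule name=$RuleName verbose
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Select-String -Path $log -Pattern ' DROP TCP \S+ \S+ \d+ 445 ' |
    Select-Object -Last 20
```

As the reply points out, this filters by address rather than by user, so the share and NTFS permissions on the account still decide who can read what. Give 10.0.0.2 a fixed address or a DHCP reservation, otherwise the rule stops matching when the lease changes.
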
If you have the correct type of router on your system you could add a whitelist of devices that are allowed to connect to your network. This list would not be based on the IP address of devices but on the MAC address which uniquely identifies every network capable device on the planet (IP addresses in certain circumstances can be the same in different locations).

The users would still need to know the SSID (name of the wireless you broadcast), plus the password, but would also have to be on the list of devices allowed to access.
You can change the name of the service and the password often, which will help, but MAC filtering will prevent access for anyone even if they have the credentials correct but are not an allowed laptop, phone, PC or game console.

If you choose to go this route you would need to discover the MAC address of each network device you wish to allow and add it to the list of allowed devices. For full cover you would need to do this for wireless ports and Ethernet ports even if they are on the same system (laptops are normally this way, desktops less so).

If you can provide the full information of your router I will check to see if this is possible and the steps needed if this is so. If this is a unit supplied by your internet provider you may have to do a little research; check the website of your provider. But if you use a router from one of the actual manufacturers it should be straightforward.
 

"This list would not be based on the IP address of devices but on the MAC address which uniquely identifies every network capable device on the planet (IP addresses in certain circumstances can be the same in different locations)."

"The users would still need to know the SSID (name of the wireless you broadcast), plus the password, but would also have to be on the list of devices allowed to access.
You can change the name of the service and the password often, which will help, but MAC filtering will prevent access for anyone even if they have the credentials correct but are not an allowed laptop, phone, PC or game console."

MAC address filtering is known to be a very weak protection. For one, MACs aren't unique at all, but in rare cases can be duplicated. Moreover, they only need to be unique in a given network segment, certainly not globally unique.
But the real problem is that MAC addresses are really trivial to change with readily available software for every platform. In wifi, the MAC is also sent in plaintext before encryption takes place, so anyone can learn what MACs are actually valid, making it easy to bypass any filter if you really want. The SSID is also public and anyone can learn it. That's why my suggestion was to put the only secrecy in the password, which is meant to be secret anyway.

MAC filtering can maybe deter a few people (certainly many home users) but if you seriously care about security, you need to look into more serious methods.
 
