How to control access to folders to a Windows VPN client session

Tags: access-control-list, containers, flags, restriction, vpn

I have set up a Windows service role VPN all right. The next step is to limit the access of the VPN session user account. Some folders should be denied from client viewing (e.g. system folders, Program Files, user profiles), some should be allowed. I don't intend to use Active Directory this time; it isn't enabled.

Could I select all folders' share and NTFS (Security tab) permissions with Full Control or Modify for Authenticated Users, except the ones I choose to grant access to the VPN connection's Windows standard user account? Or the other way around?

And remove the Users group from those folders, leaving share and NTFS permissions to the Authenticated Users group?

Best Answer

Well, maybe.

Please remember that without AD global security, anything you try to control with file ACLs will only work on the one server that is implementing the VPN, i.e. without AD you only have LOCAL accounts for both VPN authentication and the FILE ACLs you wish to set.

AD might be worth considering for this...

So as long as the VPN and file server are the same machine, you can approach it in this manner, but the biggest trick will be locking OUT access to everything, and only then turning on access to the little you want VPN users to have access to (i.e. non-ACL security settings like "Traverse Directories" need to be considered too).

A high-level checklist for planning such a VPN can be found here: https://technet.microsoft.com/en-us/library/cc725734(v=ws.10).aspx
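The "lock everything out, then open the little you need" approach from the answer, as an added PowerShell example that is not part of the original question or answer. It assumes the VPN server and file server are the same machine with local accounts only, and uses hypothetical names: account `vpnuser`, local group `VPN Users`, share root `D:\VpnShare` and a sensitive folder `D:\Internal`. Run it from an elevated prompt.

```powershell
# Added example: restrict a local VPN account to one share with NTFS + share ACLs.
# Names below are assumptions for illustration, not values from the original post.
$VpnUser   = 'vpnuser'
$VpnGroup  = 'VPN Users'
$ShareRoot = 'D:\VpnShare'
$ShareName = 'VpnShare'
$Sensitive = 'D:\Internal'   # a folder the VPN account must never see

# 1. A dedicated local group, so ACLs reference the group rather than a person.
if (-not (Get-LocalGroup -Name $VpnGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $VpnGroup -Description 'Accounts that connect over VPN'
}
if (-not (Get-LocalUser -Name $VpnUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $VpnUser -Password (Read-Host -AsSecureString 'VPN account password')
}
Add-LocalGroupMember -Group $VpnGroup -Member $VpnUser -ErrorAction SilentlyContinue

# 2. Share permissions: only the VPN group, read-only. No Everyone, no Authenticated Users.
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot -ReadAccess $VpnGroup
}

# 3. NTFS permissions on the share root: break inheritance, discard inherited ACEs,
#    then rebuild the ACL with only the entries we want (the "lock out everything" step).
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)      # $true = stop inheriting, $false = do not copy inherited ACEs
Set-Acl -Path $ShareRoot -AclObject $acl

$acl = Get-Acl -Path $ShareRoot
@($acl.Access) | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }   # clear leftover explicit ACEs

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $VpnGroup;                Rights = 'ReadAndExecute' }   # the "little you want" step
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ShareRoot -AclObject $acl

# 4. Sensitive folders: an explicit Deny for the VPN group. A local standard user is also a
#    member of BUILTIN\Users, which inherits Read & Execute on much of the system drive, and
#    a Deny ACE takes precedence over that inherited Allow.
if (Test-Path $Sensitive) {
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $VpnGroup, 'FullControl', $inherit, $prop, 'Deny')
    $acl = Get-Acl -Path $Sensitive
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Sensitive -AclObject $acl
}

# 5. Verify: what the share grants, and what NTFS grants underneath it.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight, AccessControlType
(Get-Acl -Path $ShareRoot).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Two points the answer's "Traverse Directories" remark is about: the "Bypass traverse checking" user right is granted to Everyone by default, so a user with an Allow ACE on a deep folder can reach it even through a parent folder they cannot list, and an explicit Deny on the parent (step 4) is what actually stops that. Also, the effective access is the intersection of the share ACL and the NTFS ACL, so keeping the share itself read-only for the group is a second line of defence even if an NTFS entry is later loosened by mistake.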
