Unknown workgroup in Microsoft Windows Network

[Bill Board]

Recently a new workgroup/domain appeared in our "Network Neighborhood >
Microsoft Windows Network" We are running Windows 2003 Server with
Windows XP Pro workstations in our network.

Two questions:

1. I only found this by chance when I was looking in Network Neighborhood.
Is there a way that I could be alerted if a new workgroup or domain appear?

2. How can we track this back to who or what IP address device attached to
the network?

Thanks,
Bill

 

[Lanwench [MVP - Exchange]]

Recently a new workgroup/domain appeared in our "Network Neighborhood
with Windows XP Pro workstations in our network.

Two questions:

1. I only found this by chance when I was looking in Network
Neighborhood. Is there a way that I could be alerted if a new
workgroup or domain appear?
2. How can we track this back to who or what IP address device
attached to the network?

Thanks,
Bill

Most likely, someone simply connected a hon-domain-member laptop or PC to
the network once, and it's gone now. The workgroup name will eventually go
away & not be visible. If you want to prevent stuff like this from
happpening in the future, you can either invest in a fancy-shmancy Ethernet
switch that won't give unauthorized computers an IP address, or do the cheap
& cheerful (and less effective) thing - disconnect any unused Ethernet jack
from your switch in the server room/closet/whatnot.

 

[Bill Board]

I guessed some did what you mentioned, but I was thinking perhaps there was
a utility that you give a list of "good" workgroups/domains and if it see
others than what's in its good list it send a notice. This way I could be a
little quicker in finding the person/device.

"Lanwench [MVP - Exchange]"

 

[Lanwench [MVP - Exchange]]

I guessed some did what you mentioned, but I was thinking perhaps
there was a utility that you give a list of "good" workgroups/domains
and if it see others than what's in its good list it send a notice. This
way I could be a little quicker in finding the person/device.

No, not that I know of. You could disable NetBIOS over TCP/IP entirely if
you don't want to see stuff like this. But I'd issue a memo reminding people
not to connect unauthorized computers" and make sure it's part of your
computer use agreement - make employees sign it, even.

"Lanwench [MVP - Exchange]"

Most likely, someone simply connected a hon-domain-member laptop or
PC to the network once, and it's gone now. The workgroup name will
eventually go away & not be visible. If you want to prevent stuff
like this from happpening in the future, you can either invest in a
fancy-shmancy Ethernet switch that won't give unauthorized computers
an IP address, or do the cheap & cheerful (and less effective) thing
- disconnect any unused Ethernet jack from your switch in the server
room/closet/whatnot.

 

[David H. Lipman]

From: "Bill Board" <[email protected]>

| I guessed some did what you mentioned, but I was thinking perhaps there was
| a utility that you give a list of "good" workgroups/domains and if it see
| others than what's in its good list it send a notice. This way I could be a
| little quicker in finding the person/device.
|

There is no such list.

 

[Steve Halvorson]

Use a program like "Look at Lan" it scans an IP range and alerts you (Star
Trek Alert Sound) whenever it discovers a new IP address. You can save your
network profile and it will only alert when something new is connected.

 

[Dobromir Todorov]

Bill,

There used to be a Browser Monitor tool in the Windows NT 4 Resource Kit,
which I believe you should still be able to download.

The tool will show you all the master and backup browsers on your network,
as well as the computers and domains/workgroups they know of. It does not
necessarily say which are "good" - I guess you will still need to review the
list manually.

--
---
HTH,
Dobromir

Visit http://www.iamechanics.com

I guessed some did what you mentioned, but I was thinking perhaps there was
a utility that you give a list of "good" workgroups/domains and if it see
others than what's in its good list it send a notice. This way I could be
a little quicker in finding the person/device.

"Lanwench [MVP - Exchange]"

Most likely, someone simply connected a hon-domain-member laptop or PC to
the network once, and it's gone now. The workgroup name will eventually
go away & not be visible. If you want to prevent stuff like this from
happpening in the future, you can either invest in a fancy-shmancy
Ethernet switch that won't give unauthorized computers an IP address, or
do the cheap & cheerful (and less effective) thing - disconnect any
unused Ethernet jack from your switch in the server room/closet/whatnot.

 

[Anteaus]

A slightly lateral approach, if you turn off the Computer Browser and Server
services on desktops, that will stop users from creating or finding
unauthorised shared resources. It will also improve your security somewhat.

As such it won't stop someone connecting an unauthorised computer, but it
will to some extent mitigate the security risks which that poses.

You can (obviously) only do this if all of your resources are centrally
hosted, it would not be suitable if you (for example) rely on peer-shared
printers.

 

[Lanwench [MVP - Exchange]]

A slightly lateral approach, if you turn off the Computer Browser and
Server services on desktops, that will stop users from creating or
finding unauthorised shared resources. It will also improve your
security somewhat.

Hmmm - no....if you want security, you use NTFS permissions to lock things
down. You can also use hidden shares. Browsing is not a security issue - if
you want to see shares on a server, \\server will show them to you. And if
you turn off the Server service you cannot as an admin remotely manage a PC.

I do generally turn off the Computer Browser on workstations - this works if
you use WINS. But that isn't for reasons of security -it's performance &
browser election issues.

As such it won't stop someone connecting an unauthorised computer,
but it will to some extent mitigate the security risks which that
poses.

How so?

You can (obviously) only do this if all of your resources are
centrally hosted, it would not be suitable if you (for example) rely
on peer-shared printers.

The server service, yes. Computer Browser, no....you can connect to
\\workstation\printer regardless.