How can I restrict network to computers only in our domain?

David Reed

Hi All!

My question: "I have users who bring in their personal laptops from home,
and plug them into network jacks here. They aren't supposed to. They know
that. How do I PREVENT it? Is there some way I can kick a computer I find
OFF? Permanently restrict it? Or just limit access computers to computers
that are ONLY part of the mydomain.com domain?...even if I have to generate
a "white-list""

I am running a Windows 2003/2000 server environment with AD installed, using
both Windows 2000 SP4 and Windows XP Pro clients.


Thanks!!!



-David
(e-mail address removed)
 
Shenan Stanley

David said:
My question: "I have users who bring in their personal laptops from home,
and plug them into network jacks here. They aren't supposed to. They know
that. How do I PREVENT it? Is there some way I can kick a computer I find
OFF? Permanently restrict it? Or just limit access computers to computers
that are ONLY part of the mydomain.com domain?...even if I have to generate
a "white-list""

I am running a Windows 2003/2000 server environment with AD
installed, using both Windows 2000 SP4 and Windows XP Pro clients.

I guess you are running a DHCP server. You could limit the DHCP in several
ways - depending on what DHCP server you are running and how you want to
limit things - to only give out addresses to certain machines or with
certain authentication methods, etc.

Of course - it all depends on you running your network as well as the
machines on it. Many groups out there have one department that runs the
network and another that manages the systems that use said network.
 
David Reed

Hi Shenan,

Thank-you for your reply. We are in a "one-stop shop" mode here...I'm the
entire IT department, including network/server/desktop support.

Yes, we are using DHCP, on Windows servers.

Could you provide some further information on how to go about what you
suggest?

Thank-you!

-David
 
David Reed

Hello,

Thank-you for this...looking it over preliminarily, I'm not sure if this is
what I want or not...but I'm not sure.

My first thought, reading it through, is, "How does the server/AD know that
this computer that it's never seen before is not to be allowed access (an IP
address)?"

-David
 
Doug Masters

How many DHCP clients do you have? A lot of trouble/work, but you
could create DHCP reservations for each device. No valid MAC, no IP
address for you.

Are you in a position to complain to management about the problem and
explain the potential problems caused by the actions of some employees
and let them deal with it?
 
David Reed

Hi there,

Well, we probably have about 6 servers, 4 "misc." little server/boxes, and
about 100 desktop and laptop clients....it fluctuates, but, I wouldn't have
any problem getting the MAC addresses for all these systems, (especially if
I could just garner them using a script or something???) and entering them
in (just have to remember to do same to new systems when they come in!!!).

I don't think I'd have any trouble talking to management about this, and I
think they'd support it, if it:

A> Doesn't cost anything;
B> Doesn't interfere with anyone (else's) work schedule...if I didn't
have to take them away from their machine to do it...

Do you have an idea how to go about this?

-David
 
David Reed

Oh, and this may sound silly, but, as a follow-up...

If I have an employee who brings in a computer from home, and I WANT to
allow them access to do that, but ONLY during company working hours (so they
couldn't just plug in and copy off whatever they wanted outside of company
hours)...do you know of any way to restrict that? Other than restricting
their login to business hours only (because our employees are allowed to
work during non-business hours (very flex-time-y)...but we wouldn't want
them copying company proprietary data at the time when we'd be most
vulnerable...the non-business hours...

-David
 
Doug Masters

David said:
Hi there,

Well, we probably have about 6 servers, 4 "misc." little server/boxes, and
about 100 desktop and laptop clients....it fluctuates, but, I wouldn't have
any problem getting the MAC addresses for all these systems, (especially if
I could just garner them using a script or something???) and entering them
in (just have to remember to do same to new systems when they come in!!!).

Or change NICs for some reason. CCGetMAC should be able to do the MAC
gathering for you.

I don't think I'd have any trouble talking to management about this, and I
think they'd support it, if it:
A> Doesn't cost anything;
B> Doesn't interfere with anyone (else's) work schedule...if I didn't
have to take them away from their machine to do it...
Do you have an idea how to go about this?

Getting in an employee's ass who's breaking policy should be free :)
The DHCP Reservations process is non-intrusive, you won't have to
bother the users.



Let this thread stew for a couple of days, others may have a better
idea ;-)
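The reservation approach Doug describes, and David's earlier question of how the server can tell a machine it has never seen from one it should serve, as an added worked example that is not part of the thread and is not Microsoft's code. It assumes the netsh DHCP syntax of the Windows 2000/2003 DHCP server (add excluderange / add reservedip), a single constructed /24 scope, a constructed inventory CSV, and a constructed lease listing that only approximates the shape of "netsh dhcp server scope X show clients 1" output. Two caveats the thread does not spell out: a reservation by itself never denies anyone an address, so the scope's free pool has to be excluded as well (reservations are still honoured inside an exclusion range), and a MAC allow-list is trivially spoofable by someone with physical access, so treat it as a deterrent plus a detection feed rather than proof of who is on the wire.

```python
"""DHCP MAC allow-list helper for the Windows 2000/2003 DHCP server (added example).

Assumptions: netsh syntax as used by the Windows 2000/2003 DHCP server; the scope,
inventory and lease listing below are constructed sample data.
"""
import ipaddress
import re

SCOPE = "192.168.1.0"                                      # assumed scope network id
SCOPE_START, SCOPE_END = "192.168.1.1", "192.168.1.254"    # assumed scope range

# Constructed inventory: hostname, MAC as getmac/ipconfig print it, desired IP.
INVENTORY = """\
hostname,mac,ip
FILESRV01,00-0C-29-11-22-33,192.168.1.10
DC01,00-0C-29-44-55-66,192.168.1.11
WS-ACCT-01,00-13-20-AA-BB-CC,192.168.1.50
WS-SALES-02,00:13:20:dd:ee:ff,192.168.1.51
"""

# Constructed listing in the general shape of "show clients 1" output (approximate).
LEASE_LISTING = """\
Changed the current scope context to 192.168.1.0 scope.

Type : N - NONE, D - DHCP B - BOOTP, U - UNSPECIFIED, R - RESERVATION IP
===================================================================================
IP Address      - Subnet Mask    - Unique ID           - Lease Expires        -Type -Name
===================================================================================

192.168.1.10    - 255.255.255.0  - 00-0c-29-11-22-33   -4/21/2005 9:12:00 AM  -R-  FILESRV01.mydomain.com
192.168.1.50    - 255.255.255.0  - 00-13-20-aa-bb-cc   -4/21/2005 9:12:00 AM  -R-  WS-ACCT-01.mydomain.com
192.168.1.123   - 255.255.255.0  - 00-0d-93-12-34-56   -4/21/2005 9:40:00 AM  -D-  joes-powerbook

No of Clients(version 4): 3 in the Scope : 192.168.1.0.
"""

# Six hex pairs, all joined by the same separator ("-", ":" or none).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")
# One client line: ip - mask - mac - expiry -Type- name
LEASE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*\d{1,3}(?:\.\d{1,3}){3}\s*-\s*"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*-.*?-(?P<type>[NDBUR])-\s*(?P<name>\S*)"
)


def normalize_mac(mac):
    """Return the 12 bare hex digits netsh expects; reject anything else loudly."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[-:]", "", mac).upper()


def parse_inventory(text, start=SCOPE_START, end=SCOPE_END):
    """CSV -> [(host, MAC, ip)], refusing duplicates and out-of-scope addresses."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    rows, seen_mac, seen_ip = [], set(), set()
    for line in text.strip().splitlines()[1:]:          # skip the header row
        host, mac, ip = (f.strip() for f in line.split(","))
        mac = normalize_mac(mac)
        if not lo <= int(ipaddress.ip_address(ip)) <= hi:
            raise ValueError(f"{host}: {ip} is outside {start}-{end}")
        if mac in seen_mac or ip in seen_ip:
            raise ValueError(f"{host}: duplicate MAC or IP in inventory")
        seen_mac.add(mac)
        seen_ip.add(ip)
        rows.append((host, mac, ip))
    return rows


def reservation_commands(rows, scope=SCOPE, start=SCOPE_START, end=SCOPE_END):
    """netsh lines that turn the scope into an allow-list.

    1. Exclude the whole range so no free pool remains for unknown MACs
       (reservations are still honoured inside an exclusion range).
    2. Add one reservation per inventoried MAC.
    """
    cmds = [f"netsh dhcp server scope {scope} add excluderange {start} {end}"]
    for host, mac, ip in rows:
        cmds.append(
            f"netsh dhcp server scope {scope} add reservedip {ip} {mac} "
            f'"{host}" "inventory" "DHCP"'
        )
    return cmds


def audit_leases(listing, rows):
    """Leases whose MAC is not in the inventory: the machines you want to find."""
    allowed = {mac for _, mac, _ in rows}
    unknown = []
    for line in listing.splitlines():
        m = LEASE_RE.match(line)
        if m and normalize_mac(m["mac"]) not in allowed:
            unknown.append({"ip": m["ip"], "mac": normalize_mac(m["mac"]),
                            "name": m["name"]})
    return unknown


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY)
    print("\n".join(reservation_commands(rows)))
    for lease in audit_leases(LEASE_LISTING, rows):
        print("UNKNOWN:", lease)
```

Run it once to print the netsh lines to paste on the DHCP server, then run the audit against a fresh "show clients" dump whenever you want the list of strangers; the unknown entry's IP and name are what you take to the switch port or the user. When a NIC is swapped, update the inventory row and re-run rather than editing reservations by hand.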
 
Doug Masters

David said:
Oh, and this may sound silly, but, as a follow-up...

If I have an employee who brings in a computer from home, and I WANT to
allow them access to do that, but ONLY during company working hours (so they
couldn't just plug in and copy off whatever they wanted outside of company
hours)...do you know of any way to restrict that? Other than restricting
their login to business hours only (because our employees are allowed to
work during non-business hours (very flex-time-y)...but we wouldn't want
them copying company proprietary data at the time when we'd be most
vulnerable...the non-business hours...

If no one is watching over their shoulder they could thug data any time
they brought their personal device to the office, or copy it to CD/DVD,
jump-drive, etc.....
 
Guest

On a small/medium internal LAN you'd be better using fixed IP addresses
anyway, they tend to be more reliable and allow you to monitor goings-on by
reference to IP address. (In a recent pornsurfing investigation we were glad
we did so. The evidence from the proxy logs pointed to three IPs in the same
department, one belonging to a director's computer (!) and he was logged-on
at the time with his normal user-account too, so there was no getting out of
it. )

The fact that misuse CAN be traced is often a better deterrent than any
amount of lockdown. The latter can be got round, but the risk of being logged
(and being given subtle hints that it IS possible to do so) is what makes
them behave.

If there's no DHCP (Or it points to an out-of-subnet scope) then the casual
visitors won't get in unless they know a thing or two about configuring
networks. Which they most likely don't.

If the issue is Internet misuse (as above) then install a logging proxy, and
bar port 80 at the router so that all (non-SSL) traffic has to go via the
proxy.

In any case, users shouldn't have fileserver access unless they've logged-on
with a valid user/pass combination. If the password is being misused (e.g.
being given to an outside person) then that is a security issue that you need
to address anyway.

Finally, if you MUST restrict access on a PC-by-PC basis, I'd suggest a
managed hub. Many of these will allow you to restrict the MAC addresses which
are allowed to connect. A major pain to manage, though as you'll be forever
updating settings.
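The managed-switch option above, as an added configuration example that is not from the thread and is not tied to any product it names. Cisco IOS port-security syntax is assumed here as one common dialect; other vendors spell the same feature differently. The interface numbers, VLAN and MAC address are constructed. The first stanza is the usual default, where any device that gets link also gets DHCP; the second limits the jack to one known MAC and err-disables it on a second one, which is the "kick it OFF" the original question asked for.

```cisco
! Before (typical default): whatever is plugged into this jack is on the LAN
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10

! After: only the inventoried MAC may talk on this port; a second MAC shuts it down
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0013.20aa.bbcc
 switchport port-security violation shutdown
!
! Unpatched or unused jacks: shut them down instead of trusting port-security alone
interface range FastEthernet0/20 - 24
 shutdown
!
! Finding the offending port after a violation, and verifying the setting:
!   show interfaces status err-disabled
!   show port-security interface FastEthernet0/5
! Re-enabling the port once the user has been dealt with:
!   interface FastEthernet0/5
!    shutdown
!    no shutdown
```

The maintenance cost the poster warns about is real: every NIC swap or desk move means touching the switch. Keeping the per-port MAC list in the same inventory you use for DHCP reservations, and generating both from it, is what keeps the two from drifting apart.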
 
Robert Moir

David said:
Hi All!

My question: "I have users who bring in their personal laptops from
home, and plug them into network jacks here. They aren't supposed
to. They know that. How do I PREVENT it? Is there some way I can
kick a computer I find OFF? Permanently restrict it? Or just limit
access computers to computers that are ONLY part of the mydomain.com
domain?...even if I have to generate a "white-list""

I am running a Windows 2003/2000 server environment with AD
installed, using both Windows 2000 SP4 and Windows XP Pro clients.

Read up on RADIUS authentication for switches. This makes a lot of
assumptions about the ability of your network infrastructure and requires
you to install and learn some new stuff but can work.

Whatever you do, it absolutely needs to be supported by 'management'. If
you don't have that, you'll turn this whole issue into a game of cat and
mouse between you and the users, and they won't take your network security
seriously at all.

One other question, which might not sound like it matters much but which
is important in my eyes for understanding and coping with the problem is :

~~~why?~~~

Why are users bringing their computers in from home and using them on your
business network? If they know they are not supposed to, why are they
ignoring that? What is the problem they are trying to solve, is it an
'appropriate' problem for them to be solving at work, and if so can any
steps be taken to solve it another way?

Answering those questions for yourself might tell you a great deal about
what you need to do next.

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".
 
David Reed

*grin* Tell me something I don't know!!!

So far, I haven't found a real good way to restrict as I SHOULD, without
interfering at a level that would be unacceptable, even to the head boss
(President)...
 
shimonyk

A starting point might be to give all the legitimate computers static
addresses and turn off DHCP.
This will help stop casual users from hooking up their virus infected
personal laptops to the network. Anyone with some computer savvy and
malicious intent would still be able to set a static IP to connect, but
it is very difficult to stop a malicious person with physical access.
 
Doug Masters

Not as good an idea as reservations since he has 100+ workstations
to deal with.

a) he would have to physically go to each workstation and disrupt their
work.
b) any future IP change would require touching each workstation again.

With reservations he can make any change he wants at a single point,
like what DNS server(s) to use. Clients are still DHCP (and get the
benefits of that), they just always get the same IP address.
 