Posted by Steven L Umbach on November 24, 2005, 8:55 pm
Cool. Thanks for the info! --- Steve
> Hi Steve,
>
> Sorry, I meant to mention it but I forgot. Yes, in most cases I use ISA
> Server and IPSec. It is also a very good way to force people to be part of
> the domain.
>
> I had one case some time ago where employees didn't want to be part of the
> domain. They said it was too restrictive and they didn't like the idea of
> an administrator going through their PCs.
> What we did with their IT was set up ISA Server and make a policy that only
> computers that are members of the domain can surf the web. Now it was up to
> the users whether they wanted to be part of the domain. Now that they are
> part of the domain they get patched, they get antivirus and they can surf
> the internet...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>> "When I do this for a customer, I usually also disable
>> access to the Internet from clients that are not members of the domain... If
>> a user still brings a computer to the network, the computer will get an IP
>> address assigned, but it can't talk to anyone."
>>
>> Hey Mike, how are you doing that - blocking internet access for a
>> non-domain computer? Via ISA Server and IPsec, or ?? Thanks ---
>> Steve
>>
>>> Hi,
>>>
>>> Currently there is no easy way of doing this. You get a DHCP IP by
>>> broadcasting the need for one. DHCP was not designed with the goal of
>>> assigning IP addresses only to specific computers (or devices) but to any
>>> device that requests one.
>>>
>>> There are a few solutions out there -- but more or less all of them (can)
>>> cost quite a bit.
>>> - The first one to mention is 802.1x, where you authenticate the computer
>>> on the switch port. For this to work you need a switch that supports
>>> authentication and enough ports to connect every PC to one of these
>>> ports. Next, you need to set up a RADIUS server and certificates etc... In
>>> the end you need clients that know how to work with 802.1x (e.g. Windows
>>> 2000 SP4 or later).
>>> - Another option would be to build an IPSec policy. In this case you use
>>> your existing infrastructure (if you have Active Directory set up). What
>>> the policy defines is that only computers joined to the domain can talk
>>> among themselves. Any computer that is not a member of the domain (or that
>>> does not have the appropriate certificate) will not be able to talk to
>>> other computers that are members of the domain. When I do this for a
>>> customer, I usually also disable access to the Internet from clients that
>>> are not members of the domain... If a user still brings a computer to the
>>> network, the computer will get an IP address assigned, but it can't talk
>>> to anyone.
>>>
>>> The last option, which I also highly recommend, is to write a corporate
>>> policy that prohibits connecting any device that is not the property of
>>> your company to the company network. Of course you must define what the
>>> consequences are, and your management must sign such a policy.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> <Stryder Honeymonkey> wrote in message
>>>> Hi All,
>>>>
>>>> I'm trying to prevent users in my office from bringing PCs and laptops
>>>> from home, plugging them into the office network, and ending up on the
>>>> same IP subnet as our other office PCs.
>>>>
>>>> I'm thinking maybe I can use machine certificates to somehow
>>>> authenticate valid PCs to the DHCP server before an IP address is
>>>> handed out?
>>>>
>>>> Is my thinking right on this, or is there a better way to accomplish
>>>> what I want?
>>>>
>>>> Your help is appreciated!
>>>> 'monkey
>>>
>>>
>>
>>
>
>
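The IPsec "domain isolation" approach Mike describes above (domain members authenticate to each other, a non-member host gets a DHCP lease but cannot talk to anyone) can be expressed as a small policy. The block below is an added example written for this page, not code from the thread or from Microsoft; the thread predates PowerShell, so it uses the NetSecurity cmdlets available on Windows 8 / Windows Server 2012 and later, which are assumed to be present. The domain controller addresses, the CA subject and the policy store name are constructed placeholders.

```powershell
# Added example (not from the thread): domain-isolation IPsec policy.
# Assumed environment: Windows Server 2012+ / Windows 8+ with the NetSecurity
# module; run elevated. In production, point -PolicyStore at a GPO instead of
# the local persistent store so every member picks the rules up automatically.

# Constructed placeholder values for this example.
$DomainControllers = @('10.0.0.10', '10.0.0.11')          # placeholder DC addresses
$CaAuthority       = 'CN=Corp Root CA, O=Example'         # placeholder enterprise CA
$PolicyStore       = 'PersistentStore'                    # e.g. 'corp.example\Domain Isolation'

# 1. Main-mode authentication: a peer proves domain membership with its
#    computer account (Kerberos). A machine certificate issued by the
#    enterprise CA is accepted as an alternative, which is the
#    "appropriate certificate" case mentioned in the thread.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaAuthority -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Machine Auth' `
               -Proposal $kerbProposal, $certProposal -PolicyStore $PolicyStore

# 2. Exemptions that must stay in the clear:
#    - DHCP client traffic, so a host can obtain an address before it can
#      authenticate (the thread's point: a rogue host gets an IP and nothing more).
#    - Domain controllers, which a member must reach to obtain its Kerberos
#      ticket before any IPsec negotiation can succeed.
New-NetIPsecRule -DisplayName 'Exempt DHCP Client' -Protocol UDP `
    -LocalPort 68 -RemotePort 67 `
    -InboundSecurity None -OutboundSecurity None -PolicyStore $PolicyStore
New-NetIPsecRule -DisplayName 'Exempt Domain Controllers' `
    -RemoteAddress $DomainControllers `
    -InboundSecurity None -OutboundSecurity None -PolicyStore $PolicyStore

# 3. The isolation rule: inbound connections must be authenticated, so an
#    unauthenticated host is simply dropped; outbound requests authentication
#    but falls back to clear text so members can still reach printers or other
#    devices that cannot do IPsec. Tighten outbound to Require once those
#    devices have explicit exemption rules.
New-NetIPsecRule -DisplayName 'Domain Isolation - Require Inbound Auth' `
    -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -PolicyStore $PolicyStore

# 4. Verification on a member: traffic to another member should produce an
#    established main-mode security association; a non-member sees no reply.
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint
```

Order matters when rolling this out: publish the exemption rules and the authentication set first, test with `-InboundSecurity Request` on a pilot OU, and only then switch to `Require`. Once `Require` is in place, any host whose Kerberos or certificate authentication fails is invisible to members, which is exactly the effect the thread describes but also means a mis-joined or clock-skewed member will be locked out until the fault is corrected.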