RE: About MS-Networking security.

From: Cowperthwaite, Eric (eric.cowperthwaite_at_eds.com)
Date: 01/19/04

    To: Kristi Roose <kroose@vermeermfg.com>, focus-ms@securityfocus.com
    Date: Mon, 19 Jan 2004 13:33:15 -0500
    
    

    You can restrict DHCP addresses by MAC address, although configuring this is
    time-consuming.

    The better choice is to use Cisco's products (assuming you are using Cisco
    network hardware) to implement the Extensible Authentication Protocol. This
    allows you to force authentication against your user directories (RADIUS,
    TACACS+, LDAP, ADS, etc.) prior to establishing a network connection and
    getting a DHCP address.

    Eric Cowperthwaite
    Medi-Cal Information Security Officer
    EDS - Operations Solutions
    3215 Prospect Park Drive
    Rancho Cordova, CA 95630

    phone: +01-916-636-1929
    email: Eric.Cowperthwaite@eds.com
    web: http://security.caxix.hcg.eds.com/

    > -----Original Message-----
    > From: Kristi Roose [mailto:kroose@vermeermfg.com]
    > Sent: Monday, January 19, 2004 8:04 AM
    > To: focus-ms@securityfocus.com
    > Subject: RE: About MS-Networking security.
    >
    >
    > Does anyone have any solutions to keep a user from plugging
    > into the LAN from inside the company? Is there a way to
    > restrict DHCP addresses by MAC address?
    >
    > Kristi
    >
    >
    > -----Original Message-----
    > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    > Sent: Friday, January 16, 2004 7:20 PM
    > To: Wronski, Michael C (MED); Cyber Chiu`; focus-ms@securityfocus.com
    > Subject: RE: About MS-Networking security.
    >
    >
    > Microsoft has a solution where remote users are scanned and
    > verified clean before they are allowed to create a remote
    > session, either using VPN or dialup. Their solution is based
    > on Windows Server 2003. I think Cisco may have a similar
    > solution, at least they should. There may be others as well.
    >
    > Denny
    >
    > -----Original Message-----
    > From: Wronski, Michael C (MED) [mailto:Michael.Wronski@med.ge.com]
    > Sent: Thursday, January 15, 2004 5:22 PM
    > To: 'Cyber Chiu`'; focus-ms@securityfocus.com
    > Subject: RE: About MS-Networking security.
    >
    > This is a common problem with no single solution. No matter
    > what you do, the mobile user is going to be a high risk
    > entity. Education of the user of their ability to cause harm
    > to their own data and the company network is a great start.
    > They need to be aware that their actions can cause
    > catastrophic results. After education, the following are the most
    > important:
    >
    > -Install Personal Firewall and AV on all laptops and make
    > sure you educate the users on the function of the software.
    > -Lock down the configuration so it can't be disabled by the user
    > -Enable aggressive live updates (daily) and scans (daily)
    >
    > -Patching Automation - Before your user leaves the network,
    > their laptops should be patched with the more recent OS updates.
    >
    > -It's best if your laptop users can connect to a "sandbox"
    > network on return to the office or if you can separate all
    > physical connections that belong to mobile users on a sandbox
    > VLAN. This can be difficult to manage depending on your
    > current network design.
    >
    > -M
    >
    >
    > -----Original Message-----
    > From: Cyber Chiu` [mailto:cchiu@hotspur.com.hk]
    > Sent: Sunday, January 11, 2004 3:26 PM
    > To: focus-ms@securityfocus.com
    > Subject: About MS-Networking security.
    >
    >
    >
    >
    > Hi all, I have a question about a portable computer security
    > concern. My company has firewall protection; all desktops are
    > behind the firewall. However, my salesmen need to do their
    > business with a laptop. When they're in the office, they will
    > connect their laptops to our internet.
    >
    > I think it's dangerous because we don't know whether it's infected by
    > a virus or not. Can anyone suggest what to do?
    >

    ---------------------------------------------------------------------------
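
Added example, not part of the original thread: because a MAC-based DHCP restriction is time-consuming to maintain by hand, one way to check it is to compare the leases actually handed out against the approved-adapter inventory. The inventory entries, lease records and function names below are constructed for illustration and do not come from any product's log format.

```python
import re

# Constructed inventory of approved adapters, in the mixed notations
# that asset lists tend to collect (hyphen, colon and dotted styles).
APPROVED = ["00-0C-29-3A-4B-5C", "00:0d:60:aa:bb:01", "0010.a4c1.22ef"]

# Constructed lease records: (ip, mac, hostname). Not real log output.
LEASES = [
    ("10.1.20.31", "000c293a4b5c", "ACCT-PC07"),
    ("10.1.20.44", "00-0D-60-AA-BB-01", "SALES-LT02"),
    ("10.1.20.57", "00:50:56:12:34:56", "UNKNOWN-LT"),
    ("10.1.20.58", "00:50:56:12:34", "truncated-entry"),
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a valid MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_allowlist(entries):
    """Normalize inventory entries; fail loudly on a malformed one."""
    allow = set()
    for entry in entries:
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError(f"bad inventory MAC: {entry!r}")
        allow.add(mac)
    return allow

def audit_leases(leases, allow):
    """Split leases into (approved, flagged); unparseable MACs are flagged."""
    approved, flagged = [], []
    for ip, raw_mac, host in leases:
        mac = normalize_mac(raw_mac)
        (approved if mac in allow else flagged).append((ip, raw_mac, host))
    return approved, flagged

if __name__ == "__main__":
    ok, bad = audit_leases(LEASES, build_allowlist(APPROVED))
    for ip, mac, host in bad:
        print(f"unapproved lease: {ip} {mac} {host}")
```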

