Re: Blocking Access to Non-domain computers

From: Rob Hughes (rob_at_robhughes.com)
Date: 08/24/04

    To: security-basics@securityfocus.com
    Date: Tue, 24 Aug 2004 05:30:17 -0500
    
    

    On Thursday 19 August 2004 09:58, Brian Gehrke wrote:
    > I am running a W2K domain, using DHCP. Is it possible to block
    > non-domain computers from getting an IP address from the DHCP server, so
    > they will not be able to access the Internet through the network.
    >
    > Brian
    >

    I can see two ways to do this. One, assign all the systems a static lease,
    then create an exclusion so that there are no free addresses available. Two,
    implement port security at the switches so that only authorized MAC addresses
    can connect to the network. But so far as I'm aware, there's no way to limit
    DHCP assignments to domain members, as the server has no way to know if
    you're a domain member or not until the system has gotten an IP and can send
    its credentials.

    If someone else has a better idea, I'd love to hear it.

    -- 
    Recursion: n. See Recursion
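
The first approach in the reply above (a reservation for every authorized machine, plus exclusions so that no free addresses remain), sketched as an added example that is not part of the original message. The scope bounds, MAC addresses and function names are constructed for illustration, and the plan excludes only the unreserved addresses so it does not depend on how a particular DHCP server treats reservations inside an exclusion range.

```python
import ipaddress
import re

# Constructed sample data: scope bounds and MAC/IP pairs are illustrative only.
SCOPE = ("192.168.1.10", "192.168.1.20")
INVENTORY = [
    ("00-0C-29-AA-BB-01", "192.168.1.10"),
    ("00:0c:29:aa:bb:02", "192.168.1.12"),
    ("000c.29aa.bb03", "192.168.1.20"),
]

def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, whatever separators were used."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits.lower()

def plan_scope(start, end, inventory):
    """Return (reservations, exclusions) leaving no free address in start..end."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("scope start is after scope end")
    reservations, used = {}, set()
    for mac, ip in inventory:
        mac, addr = normalize_mac(mac), ipaddress.IPv4Address(ip)
        if not lo <= addr <= hi:
            raise ValueError(f"{ip} is outside the scope")
        if mac in reservations or addr in used:
            raise ValueError(f"duplicate inventory entry: {mac} / {ip}")
        reservations[mac] = str(addr)
        used.add(addr)
    # Walk the scope and collect each contiguous run of unreserved addresses.
    exclusions, run_start = [], None
    for n in range(int(lo), int(hi) + 1):
        addr = ipaddress.IPv4Address(n)
        if addr not in used and run_start is None:
            run_start = addr
        elif addr in used and run_start is not None:
            exclusions.append((str(run_start), str(addr - 1)))
            run_start = None
    if run_start is not None:
        exclusions.append((str(run_start), str(hi)))
    return reservations, exclusions

if __name__ == "__main__":
    reserved, excluded = plan_scope(*SCOPE, INVENTORY)
    for mac, ip in reserved.items():
        print(f"reserve {ip} for {mac}")
    for first, last in excluded:
        print(f"exclude {first} - {last}")
```
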
    
