RE: Blocking Access to Non-domain computers

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 08/29/04

    To: "Steven A. Fletcher" <sfletcher@integrityts.com>
    Date: Sun, 29 Aug 2004 19:51:40 +0100
    
    
    

    On Wed, 2004-08-25 at 21:46, Steven A. Fletcher wrote:
    > Certainly! There are a number of products that will do such a thing.
    > Microsoft has had such things for a while now, even going back to the NT
    > 4 days. On NT, they had MS Proxy which has now become Microsoft
    > Internet Security and Acceleration (ISA) Server. There are other
    > products, too, but that is one example.

    This is a correct answer to Raoul's query, although this has nothing to
    do with the OP's question. He is not interested in blocking Internet
    access. He wants to "block non-domain computers from getting an IP
    address from the DHCP server".

    There isn't really any way to do this effectively that I can think of.
    Most of the protocols involved in TCP/IP weren't designed for this sort
    of access control, although you can enhance them with varying
    technologies.

    Your only option for restricting DHCP access is to use MAC address
    filtering (which is trivial to bypass) although if you combine this with
    IPSEC, then even if a client does get an IP it will not be seen as _on_
    the network by other clients and servers unless it can gain access to
    the IPSEC layer. Windows has decent built-in support for this, I suggest
    having a look at it.

    Raoul, if you are interested in options for blocking net access to
    non-trusted machines, start a new thread and I'll endeavour to answer it
    (would have done so here but it seemed you were just curious if your
    assumption was correct, rather than looking for a definitive answer).

    Regards

    -- 
    Barrie Dempster (zeedo) - Fortiter et Strenue
      http://www.bsrf.org.uk
    [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
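
Added example, not part of Barrie Dempster's message: a Python audit of DHCP lease records against an inventory of domain machines, showing what a MAC allowlist can and cannot tell you, given that the MAC address and host name are both values the client reports. The inventory, host names, addresses and log lines are constructed, and the comma-separated field layout and lease event IDs 10 and 11 are assumed to follow the Windows DHCP server audit log.

```python
import csv

# Constructed inventory of domain-joined machines: MAC -> expected host name.
INVENTORY = {
    "000D60AABB01": "ws01.corp.example",
    "000D60AABB02": "ws02.corp.example",
}

# Constructed sample lines in the assumed layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
10,08/29/04,09:01:12,Assign,192.168.1.50,ws01.corp.example,000D60AABB01
11,08/29/04,09:05:40,Renew,192.168.1.51,ws02.corp.example,000D60AABB02
10,08/29/04,10:17:03,Assign,192.168.1.77,laptop-guest,00A0C9123456
10,08/29/04,11:42:55,Assign,192.168.1.52,unknown-box,000D60AABB02
"""

LEASE_EVENTS = {"10", "11"}  # assumed IDs: new lease, lease renewal


def normalize_mac(mac):
    """Strip separators so 00-0d-60-aa-bb-01 and 000D60AABB01 compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()


def audit_leases(log_text, inventory):
    """Return (reason, mac, host, ip) for leases the inventory cannot explain."""
    findings = []
    for row in csv.reader(log_text.splitlines()):
        # Skip header/banner lines and events that are not lease grants.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        ip = row[4].strip()
        host = row[5].strip().lower()
        mac = normalize_mac(row[6])
        expected = inventory.get(mac)
        if expected is None:
            # MAC is not a known domain machine: the case a MAC filter blocks.
            findings.append(("unknown_mac", mac, host, ip))
        elif host != expected.lower():
            # Allowlisted MAC reported with a different host name: the MAC
            # filter would have granted this lease, so flag it for review.
            findings.append(("hostname_mismatch", mac, host, ip))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LOG, INVENTORY):
        print(*finding)
```

The check narrows the gap but does not authenticate the machine, which is the role the message gives to IPsec.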
    
    


