Re: Allowing authorized remote users
From: S. Pidgorny
Date: 10/02/04
Date: Sat, 2 Oct 2004 09:43:53 +1000
Mark,
This is an interesting question. I'd say that you can implement controls
that will check the client system SOE (standard operating environment)
compliance, but you can't really make sure that the client PC is a corporate
laptop.
Take this scenario: a client PC is cloned using Norton Ghost, for example.
Likely, any authorisation token that is stored on the system is also cloned.
If you have physical access to the client system, you have it all.
Having said that, I'd suggest you look into the Windows 2003 Network Access
Quarantine feature:
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
Together with IAS, 802.1x and other standards and technologies, the
quarantine will be a part of the Network Access Protection policy platform:
When NAP becomes a product, it will be able to incorporate functionality of
existing 3rd-party solutions, as extensions. An example of such solution is
Trend Micro Network VirusWall, a virus-centric app with some policy
enforcement features.
Also don't forget about good old network IDS, that will allow you to monitor
suspicious activities by the RAS users. The best product
(http://www.snort.org) costs nothing, runs well on Windows and is a good
addition to the corporate RAS gateway.
You're welcome with further questions.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Mark" <Mark@discussions.microsoft.com> wrote in message
news:2D3DABED-9AD3-4952-AA02-A3EA40886BEA@microsoft.com...
> We want to prevent our remote users from using their home pc to dial-up into
> our network. Instead, we prefer them to use one of the company's laptop
> which we have patched and locked it down. Is there a way with
> Windows2000/2003 to register our company provided laptops on the network and
> only accept those when a user dials in? When a user tries to dial-up using
> their home pc, we like for Windows2000/2003 to reject the request because it
> knows it's not a registered company laptop.
>
> Thanks in advance.