Re: Anyone can browse my network
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/30/05
- Next message: Roger Abell: "Re: Access DCOM remotly W2003"
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Black Market personal information thriving on the Internet"
- In reply to: Kurt: "Anyone can browse my network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Jun 2005 02:17:33 -0700
OK, so I am going to take a different approach.
If they are "just anyone" and they happen to find a jack to
plug into . . .
First, you could prevent them from getting a valid IP by how
you have defined DHCP, or better, use 802.1x.
Next, if they can see the names of files, then you do not have
share level permissions set correctly so that they need to
authenticate and be authorized. If they are able to see the
files' content then you also have not set NTFS permissions
adequately.
If you do not like them browsing and seeing all sorts of
machine names listed, then . . .
Why are the machines in the browse list in the first place?
Only machines that do share are of use in the list, so set
the others as hidden. For the reduced browse list, if your
machines required IPsec based on your AD to talk with
each other, then that rogue non-AD machine that gets plugged
in will not be able to get the browse list (or any other access
to machines in the AD for that matter).
So, for starting points . . .
- review your share and NTFS permissions of what is shared
- rethink how you control DHCP leases, and/or look at 802.1x
- reconsider how MS Networking browser is used and take
control over this rather than letting it default to all advertising
- consider using the new IPsec guides for domain isolation
also, although not directly implicated by what you have stated
- check the settings for (disallowing) anonymous enumerations
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Kurt" <Kurt@discussions.microsoft.com> wrote in message news:ABF008DF-1F81-4C57-9E5A-D6E7A2E69A91@microsoft.com...
> Hi,
>
> I have a mixed mode 2000 domain. We have a firewall in place.
> If someone plugs a laptop into one of our switches, they can browse my
> entire network. They can see computers, shares and files.
> Is there a way to stop this?
>
> Thanks
>
> Kurt
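Three of the starting points above (anonymous enumeration, browse-list advertising, share-level permissions) as a per-host audit; this is an added example for this page, not code from the thread. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later for the SmbShare cmdlets, and the list of "broad" principals is an assumption to tune to your own policy.

```powershell
# Added audit example (not from the thread). Run elevated on each file server.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. Anonymous enumeration: Lsa\RestrictAnonymous (and RestrictAnonymousSAM on
#    XP/2003+). Unset or 0 lets a null session list shares and accounts.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
    $value = Get-RegValue -Path $lsa -Name $name
    if (-not $value) {
        $findings += "Lsa\$name is unset or 0: anonymous enumeration is allowed"
    }
}
if ((Get-RegValue -Path $lsa -Name 'EveryoneIncludesAnonymous') -eq 1) {
    $findings += "Lsa\EveryoneIncludesAnonymous is 1: 'Everyone' ACEs also cover anonymous"
}

# 2. Browse-list advertising: LanmanServer\Parameters\Hidden = 1 is what
#    'net config server /hidden:yes' sets. Hosts with nothing to share should be hidden.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hidden = Get-RegValue -Path $srv -Name 'Hidden'
$shares = @(Get-SmbShare | Where-Object { -not $_.Special })   # skip C$, ADMIN$, IPC$
if ($hidden -ne 1 -and $shares.Count -eq 0) {
    $findings += 'Host has no user shares but still advertises itself in the browse list'
}

# 3. Share-level permissions: an Allow ACE for Everyone, Guests or ANONYMOUS LOGON
#    means a plugged-in laptop can list the share's files without authenticating.
$broad = 'Everyone', 'Guests', 'ANONYMOUS LOGON'   # assumption: adjust to your policy
foreach ($share in $shares) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains ($_.AccountName -replace '^.*\\', '') } |
        ForEach-Object {
            $findings += "Share '$($share.Name)' grants $($_.AccessRight) to $($_.AccountName)"
        }
}

if ($findings.Count -eq 0) { 'No findings on the checked settings.' } else { $findings }
```

The NTFS side of Roger's first point is not covered here; once share permissions require authentication, review the folder ACLs with Get-Acl separately.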