Re: Secure Server & Services
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/29/04
Date: Sun, 29 Aug 2004 11:52:15 +0200
Hi,

For now, there is no easy solution to prevent a DHCP server from issuing IPs
to non-domain clients. This is usually a problem when clients come into the
office and want to plug their computer into your LAN. If you are worried
about attacks, well, you should be. Even without DHCP it is pretty easy to
figure out what IPs you use on your LAN. (E.g. if you use an Exchange mail
server, I can look in the header of any e-mail from your organization and
find out on what IP your Exchange server is running)... Now I can pretty much
guess what IP I have to set manually to get access to your LAN and Internet
even without DHCP.

There are a few things you can do.

If you only want to prevent access to the internet and you don't have a
problem with customers browsing your LAN, set up a proxy (e.g. ISA server).
You can set up ISA in a way that would require every user to authenticate
themselves before they are granted access to the internet (users need a valid
account in the domain or some other database).

If you also want to prevent access to the LAN, the first thing you can do:
don't patch all network outlets to the network backbone. Even if someone
comes to your office and plugs his computer with his own cable into the
network outlet, he/she still won't have any access to the network.

The next thing you can do is port authentication (IEEE 802.1x). This is
probably not the cheapest solution since you need switches that support IEEE
802.1x. The next thing you need are clients that are Windows 2000 SP4 or
newer. Once the client connects to the network they have to present
authentication parameters (username and password) and these are checked
against e.g. Active Directory (using IAS - RADIUS)...

You could also set up an IPSec policy for your domain. This would prevent any
computer that is not part of the domain from communicating with other members
of the domain, since Kerberos is used for IPSec authentication.

Even if a virus-infected computer comes to your office and it is not part of
your domain, other computers will discard any connection from this computer
since it doesn't use IPSec...

I hope this helps,
Mike

"BOFH" <john.hamilton70@ntlworld.com> wrote in message
news:2pdlclFjhe24U1@uni-berlin.de...
> I have DHCP on the server, it issues addresses to non-domain computers too,
> which allows them use of the internet. I wish to block this.
>
> I have heard the term 'Domain Verification'...what is it and what can it do
> for me?
>
>
> BOFH
>
>
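
An added example, not part of the original post: a check an administrator could run on a copy of their own outbound mail to see which internal addresses the Received headers disclose, the leak described in the reply above. The sample message, host names and addresses are constructed, and the function name `internal_hops` is an assumption of this example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (hosts and addresses are made up for illustration).
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.partner.example (Postfix) with ESMTP id 4F2A1
\tfor <bob@partner.example>; Sun, 29 Aug 2004 11:52:20 +0200
Received: from EXCH01.corp.example.local ([192.168.10.5])
\tby mail.example.com with Microsoft SMTPSVC;
\tSun, 29 Aug 2004 11:52:16 +0200
Received: from ws-042 ([10.1.4.42]) by EXCH01.corp.example.local;
\tSun, 29 Aug 2004 11:52:15 +0200
From: alice@example.com
To: bob@partner.example
Subject: quarterly numbers

Hello Bob
"""

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which are not LAN addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def internal_hops(raw_message):
    """Return (hop_index, ip, header_text) for each RFC 1918 address
    found in the message's Received headers (hop 0 is the newest)."""
    msg = message_from_string(raw_message)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        for candidate in BRACKETED_IPV4.findall(flat):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. an octet above 255
                continue
            if any(addr in net for net in RFC1918):
                findings.append((hop, str(addr), flat))
    return findings

if __name__ == "__main__":
    for hop, ip, header in internal_hops(SAMPLE):
        print(f"hop {hop}: internal address {ip} disclosed in: {header}")
```

Any hop it reports is a header the edge mail gateway could rewrite or strip before the message leaves the organization.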