Re: Secure Server & Services
From: BOFH (john.hamilton70_at_ntlworld.com)
Date: 08/29/04
- Next message: Miha Pihler: "Re: Secure Server & Services"
- Previous message: Tim Springston [MS]: "Re: failed login attempts"
- In reply to: Miha Pihler: "Re: Secure Server & Services"
- Next in thread: Miha Pihler: "Re: Secure Server & Services"
- Reply: Miha Pihler: "Re: Secure Server & Services"
- Reply: Oli Restorick [MVP]: "Re: Secure Server & Services"
Date: Sun, 29 Aug 2004 21:19:23 +0100
Thanks Mike...
Could you tell me what 'Domain Verification' is?
I am so desperate to stop non-domain equipment from accessing my network.
"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:umoPh3ajEHA.3972@tk2msftngp13.phx.gbl...
> Hi,
>
> For now, there is no easy solution to prevent a DHCP server from issuing IPs
> to non-domain clients. This is usually a problem when clients come in the
> office and want to plug their computer into your LAN. If you are worried
> about attacks, well, you should be. Even without DHCP it is pretty easy to
> figure out what IPs you use on your LAN (e.g. if you use an Exchange mail
> server, I can look in the header of any e-mail from your organization and
> find out on what IP your Exchange server is running)... Now I can pretty
> much guess what IP I have to set manually to get access to your LAN and
> Internet even without DHCP.
>
> There are a few things you can do.
> If you only want to prevent access to the internet and you don't have a
> problem with customers browsing your LAN, set up a proxy (e.g. ISA server).
> You can set up ISA in a way that would require every user to authenticate
> themselves before they are granted access to the internet (users need a
> valid account in the domain or some other database).
>
> If you also want to prevent access to the LAN, the first thing you can do:
> don't patch all network outlets to the network backbone. Even if someone
> comes to your office and plugs his computer with his own cable into the
> network outlet, he/she still won't have any access to the network.
>
> The next thing you can do is port authentication (IEEE 802.1x). This is
> probably not the cheapest solution since you need switches that support
> IEEE 802.1x. The next thing you need are clients that are Windows 2000 SP4
> or newer. Once the client connects to the network they have to present
> authentication parameters (username and password) and these are checked
> against e.g. Active Directory (using IAS - RADIUS)...
>
> You could also set up an IPSec policy for your domain. This would prevent
> any computer that is not part of the domain from communicating with other
> members of the domain, since Kerberos is used for IPSec authentication.
> Even if a virus-infected computer comes to your office and it is not part
> of your domain, other computers will discard any connection from this
> computer since it doesn't use IPSec...
>
> I hope this helps,
>
> Mike
>
> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> news:2pdlclFjhe24U1@uni-berlin.de...
> > I have DHCP on the server, it issues addresses to non-domain computers
> > too, which allows them use of the internet. I wish to block this.
> >
> > I have heard the term 'Domain Verification'...what is it and what can it
> > do for me?
> >
> >
> > BOFH
> >
> >
>
>
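
The quoted reply notes that the headers of any e-mail leaving an organization can show the internal address of its mail server. As an added example (not part of the thread), this check audits one of your own outbound messages for RFC 1918 addresses in its routing headers, so you know what to strip or rewrite at the mail gateway. The sample message, its hostnames and addresses, the audited header set and the /24 grouping are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: hostnames and addresses are invented for illustration.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.example.net with ESMTP; Sun, 29 Aug 2004 21:19:30 +0100
Received: from EXCH01.corp.example.com ([192.168.10.25])
\tby mail.example.com with ESMTP; Sun, 29 Aug 2004 21:19:25 +0100
Received: from WKS-042 ([192.168.10.113])
\tby EXCH01.corp.example.com; Sun, 29 Aug 2004 21:19:23 +0100
X-Originating-IP: [192.168.10.113]
Subject: test

body
"""

# RFC 1918 ranges listed explicitly: ipaddress.is_private also matches
# documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
ROUTING_HEADERS = ("received", "x-originating-ip")  # assumed set to audit

def leaked_internal_ips(raw_message):
    """Return sorted (header, address) pairs for RFC 1918 addresses in routing headers."""
    found = set()
    for name, value in message_from_string(raw_message).items():
        if name.lower() not in ROUTING_HEADERS:
            continue
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # octet out of range, not an address
            if any(addr in net for net in RFC1918):
                found.add((name, str(addr)))
    return sorted(found)

def exposed_subnets(leaks, prefix=24):
    """Collapse leaked addresses to the subnets they reveal (prefix is an assumption)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for _, ip in leaks}
    return [str(n) for n in sorted(nets)]

if __name__ == "__main__":
    leaks = leaked_internal_ips(SAMPLE)
    print(leaks, exposed_subnets(leaks))
```

Run it against a message you sent to an external mailbox and saved with full headers; an empty result means no internal addressing is visible in those headers.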