Re: Secure Server & Services

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/29/04


Date: Sun, 29 Aug 2004 22:34:49 +0200

Domain verification is not a term I am familiar with in the context of what
you are looking for. Also, if you run a search on Microsoft or Google, it
doesn't give any useful results for what you are looking for.

Where did you hear this term and in what context?

Mike

"BOFH" <john.hamilton70@ntlworld.com> wrote in message
news:2pes2dFjsmqqU1@uni-berlin.de...
> Thanks Mike...
>
> Could you tell me what 'Domain Verification' is?
>
> I am so desperate to stop non-domain equipment from accessing my network.
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:umoPh3ajEHA.3972@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > For now, there is no easy solution to prevent a DHCP server from issuing IPs
> > to non-domain clients. This is usually a problem when clients come into the
> > office and want to plug their computer into your LAN. If you are worried about
> > attacks, well, you should be. Even without DHCP it is pretty easy to figure
> > out what IPs you use on your LAN. E.g. if you use an Exchange mail server I
> > can look in the header of any e-mail from your organization and find out on
> > what IP your Exchange server is running... Now I can pretty much guess what IP
> > I have to set manually to get access to your LAN and Internet even without
> > DHCP.
> >
> > There are a few things you can do.
> > If you only want to prevent access to the internet and you don't have a
> > problem with customers browsing your LAN, set up a proxy (e.g. ISA server).
> > You can set up ISA in a way that would require every user to authenticate
> > themselves before they are granted access to the internet (users need a valid
> > account in the domain or some other database).
> >
> > If you also want to prevent access to the LAN, the first thing you can do:
> > don't patch all network outlets to the network backbone. Even if someone comes
> > to your office and plugs his computer with his own cable into the network
> > outlet, he/she still won't have any access to the network.
> >
> > The next thing you can do is port authentication (IEEE 802.1x). This is
> > probably not the cheapest solution since you need switches that support IEEE
> > 802.1x. The next thing you need is clients that are Windows 2000 SP4 or newer.
> > Once the client connects to the network they have to present authentication
> > parameters (username and password) and these are checked against e.g. Active
> > Directory (using IAS - RADIUS)...
> >
> > You could also set up an IPSec policy for your domain. This would prevent any
> > computer that is not part of the domain from communicating with other members
> > of the domain since Kerberos is used for IPSec authentication.
> > Even if a virus-infected computer comes to your office and it is not part of
> > your domain, other computers will discard any connection from this computer
> > since it doesn't use IPSec...
> >
> > I hope this helps,
> >
> > Mike
> >
> > "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> > news:2pdlclFjhe24U1@uni-berlin.de...
> > > I have DHCP on the server, it issues addresses to non-domain computers
> > > too, which allows them use of the internet. I wish to block this.
> > >
> > > I have heard the term 'Domain Verification'...what is it and what can it
> > > do for me?
> > >
> > >
> > > BOFH
> > >
> > >
> >
> >
>
>
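
An added example, not part of the original thread: since the thread notes that DHCP itself cannot refuse non-domain clients, one detective control is to compare current leases against the domain's computer accounts and review the leftovers. The function name `Find-NonDomainLease` and all sample data are constructed for illustration; the live-data cmdlets named in the comments (`Get-DhcpServerv4Lease`, `Get-ADComputer`) come from the DhcpServer and ActiveDirectory modules of later Windows Server releases than the ones the thread discusses.

```powershell
# Added example (not from the thread): flag DHCP leases whose host name does
# not match any computer account in the domain.
# Note: the host name is supplied by the client, so a match is not proof of
# domain membership; this is an inventory check, not authentication. It also
# cannot see machines with manually configured addresses, as the thread notes.
function Find-NonDomainLease {
    param(
        [Parameter(Mandatory)] [object[]] $Lease,          # needs HostName, IPAddress, ClientId
        [Parameter(Mandatory)] [string[]] $DomainComputer  # DNS host names of domain members
    )
    # Case-insensitive set holding both the FQDN and the short name of each member.
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $DomainComputer) {
        if ($name) {
            [void]$known.Add($name.TrimEnd('.'))
            [void]$known.Add(($name -split '\.')[0])
        }
    }
    foreach ($l in $Lease) {
        $hostName = "$($l.HostName)".TrimEnd('.')
        $short    = ($hostName -split '\.')[0]
        if (-not $hostName) {
            $reason = 'no host name sent'
        } elseif ($known.Contains($hostName) -or $known.Contains($short)) {
            continue   # lease belongs to a known domain computer
        } else {
            $reason = 'host name not in domain'
        }
        [pscustomobject]@{
            IPAddress = $l.IPAddress
            ClientId  = $l.ClientId
            HostName  = $hostName
            Reason    = $reason
        }
    }
}

# Constructed sample data. On a live server the inputs would instead come from
#   Get-DhcpServerv4Lease -ScopeId <scope>   and   (Get-ADComputer -Filter *).DNSHostName
$leases = @(
    [pscustomobject]@{ IPAddress = '192.168.10.21'; ClientId = '00-11-22-33-44-55'; HostName = 'ws01.corp.example' }
    [pscustomobject]@{ IPAddress = '192.168.10.22'; ClientId = '00-11-22-33-44-66'; HostName = 'WS02' }
    [pscustomobject]@{ IPAddress = '192.168.10.57'; ClientId = '00-aa-bb-cc-dd-01'; HostName = 'visitor-laptop' }
    [pscustomobject]@{ IPAddress = '192.168.10.58'; ClientId = '00-aa-bb-cc-dd-02'; HostName = $null }
)
$domain = 'ws01.corp.example', 'ws02.corp.example', 'srv-dc1.corp.example'

Find-NonDomainLease -Lease $leases -DomainComputer $domain | Format-Table -AutoSize
```

With the sample data above, the two leases at 192.168.10.57 and 192.168.10.58 are reported and the two domain workstations are skipped.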


