Re: Secure Server & Services
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 08/29/04
- Next message: BOFH: "Re: Secure Server & Services"
- Previous message: Oli Restorick [MVP]: "Re: Secure Server & Services"
- In reply to: BOFH: "Re: Secure Server & Services"
Date: Sun, 29 Aug 2004 22:36:48 +0100
Perhaps the term you were thinking of was "domain isolation".
Microsoft have just published some documentation on this.
http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx
Cheers
Oli
"BOFH" <john.hamilton70@ntlworld.com> wrote in message
news:2pes2dFjsmqqU1@uni-berlin.de...
> Thanks Mike...
>
> Could you tell me what 'Domain Verification' is?
>
> I am so desperate to stop non-domain equipment from accessing my network.
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:umoPh3ajEHA.3972@tk2msftngp13.phx.gbl...
>> Hi,
>>
>> For now, there is no easy solution to prevent DHCP server issuing IPs to
>> non-domain clients. This is usually a problem when clients come in the
>> office and want to plug their computer into your LAN. If you are worried
>> about attacks, well, you should be. Even without DHCP it is pretty easy to
>> figure out what IPs you use on your LAN. E.g. if you use Exchange mail
>> server I can look in header of any e-mail from your organization and find
>> out on what IP your Exchange server is running... Now I can pretty much
>> guess what IP I have to set manually to get access to your LAN and Internet
>> even without DHCP.
>>
>> There are a few things you can do.
>> If you only want to prevent access to internet and you don't have problem
>> with customers browsing your LAN, set up a proxy (e.g. ISA server). You can
>> set up ISA in a way that would require every user to authenticate
>> themselves before they are granted access to the internet (users need a
>> valid account in domain or some other database).
>>
>> If you also want to prevent access to LAN, first thing you can do: don't
>> patch all network outlets to network backbone. Even if someone comes to
>> your office and plugs his computer with his own cable to the network outlet
>> he/she still won't have any access to the network.
>>
>> Next thing you can do is port authentication (IEEE 802.1x). This is
>> probably not the cheapest solution since you need switches that support
>> IEEE 802.1x. Next thing you need are clients that are Windows 2000 SP4 or
>> newer. Once the client connects to the network they have to present
>> authentication parameters (username and password) and these are checked
>> against e.g. Active Directory (using IAS - RADIUS)...
>>
>> You could also set up IPSec policy for your domain. This would prevent any
>> computer that is not part of domain to communicate with other members of
>> domain since Kerberos is used for IPSec authentication.
>> Even if virus-infected computer comes to your office and it is not part of
>> your domain, other computers will discard any connection from this computer
>> since it doesn't use IPSec...
>>
>> I hope this helps,
>>
>> Mike
>>
>> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
>> news:2pdlclFjhe24U1@uni-berlin.de...
>> > I have DHCP on the server, it issues addresses to non-domain computers
>> > too, which allows them use of the internet. I wish to block this.
>> >
>> > I have heard the term 'Domain Verification'...what is it and what can
>> > it do for me?
>> >
>> >
>> > BOFH
>> >
>> >
>>
>>
>
>
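
The domain isolation idea discussed in this thread (IPsec authenticated with computer Kerberos, so that non-domain machines cannot talk to domain members), as an added example that is not part of the original messages or of the Microsoft document linked above. It assumes a current Windows version with the NetSecurity PowerShell module rather than the Windows 2000-era tooling of the thread; the rule names and the 192.0.2.x addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined test
# machine first; in production the same rules would be delivered by GPO.
param([switch]$Enforce)   # hypothetical switch: omit for the request-mode pilot

# Constructed placeholder addresses for domain controllers / DNS / DHCP.
$InfraServers = @('192.0.2.10', '192.0.2.11')

# Main-mode authentication: computer Kerberos only. A machine without a
# domain computer account cannot complete this negotiation.
$kerb    = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'DomIso - Computer Kerberos' `
               -Proposal $kerb

# Authentication exemption: a client has to reach a domain controller before
# it holds any Kerberos ticket, so infrastructure servers stay reachable in
# the clear. Keep this list as short as possible.
New-NetIPsecRule -DisplayName 'DomIso - Exempt infrastructure' `
    -RemoteAddress $InfraServers `
    -InboundSecurity None -OutboundSecurity None | Out-Null

# Stage 1, request mode: ask for IPsec in both directions but still accept
# unauthenticated traffic, so nothing breaks while the policy rolls out.
New-NetIPsecRule -DisplayName 'DomIso - Isolation' -Profile Domain `
    -Phase1AuthSet $authSet.Name `
    -InboundSecurity Request -OutboundSecurity Request | Out-Null

# Verify that domain peers really negotiate: main-mode security associations
# should appear here after talking to another machine that has the policy.
Get-NetIPsecMainModeSA | Format-List

# Stage 2, require mode: inbound connections that fail Kerberos
# authentication are now dropped. Outbound stays on Request so that domain
# members can still reach hosts that do not speak IPsec.
if ($Enforce) {
    Set-NetIPsecRule -DisplayName 'DomIso - Isolation' -InboundSecurity Require
}
```

Running the script without `-Enforce` gives the pilot configuration; switch to `-Enforce` only once the main-mode SA list shows the expected domain peers.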