Re: Secure Server & Services
From: BOFH (john.hamilton70_at_ntlworld.com)
Date: 08/30/04
- Next message: Oli Restorick [MVP]: "Re: Secure Server & Services"
- Previous message: BOFH: "Re: Secure Server & Services"
- In reply to: BOFH: "Re: Secure Server & Services"
- Next in thread: Oli Restorick [MVP]: "Re: Secure Server & Services"
- Reply: Oli Restorick [MVP]: "Re: Secure Server & Services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 30 Aug 2004 00:15:32 +0100
I have the company laptops under a unique OU, can I implement IPSEC just for
that OU?
Ooooh headaches heacaches...users users
"BOFH" <john.hamilton70@ntlworld.com> wrote in message
news:2pf4lsFjugagU1@uni-berlin.de...
> Can you point me to any documentation on this subject?
>
> All I need is a basic setup to deny any machine that isnt on the domain...
>
>
>
> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> news:uMy75#gjEHA.3896@TK2MSFTNGP10.phx.gbl...
> > IPSec is the ideeal solution here, but it does take some setting up and
> > careful consideration of what traffic you want to use IPSec for.
> >
> > If you just want to make it difficult for people to use non-domain
> members,
> > consider using IPSec to make the most commonly-accessed resource
> accessible
> > only by domain members. You can use IPSec AH with Kerberos to do this.
> If
> > you're not careful, though, it's very easy to set an IPSec policy with
> Group
> > Policy that it prevents communication with your domain controllers.
From
> > here, you have no way to undo this, so be careful and do plenty of
> testing.
> >
> > Sometimes a technical solution is not always the best for those who
breach
> > company policy. The most likely reason that your staff don't want to be
> > domain members is that they plug their laptops into their home networks
> and
> > mistakenly believe that if they're joined to the domain, they won't be
> able
> > to do this. Since these machines are outside your control, you have no
> way
> > to patch them against vulnerability-of-the-day and no way to ensure they
> get
> > patched. It won't be long before your network gets the next Blaster,
> > Sasser, Nimda, Code Red or Slammer unless you get support from your
> managers
> > to stop this happening. It's not really about being BOFH, it's about
> > protecting your company and protecting yourself, because no doubt the
> > fingers will be pointing at you rather than the idiots with the laptops
> when
> > the next worm hits your network.
> >
> > Hope this helps
> >
> > Oli
> >
> >
> > "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> > news:2peuf8FjhcllU1@uni-berlin.de...
> > > It was an answer from another newgroup when I asked the same
> > > question...and
> > > I searched for it too with no useful results. Must have been a flight
> of
> > > fancy!
> > >
> > > How do I filter MAC addresses? (Another reply)
> > >
> > > I have 6 Windows 2003 servers, serving 250 or so PCs and 60 laptops.
> Its
> > > the damn laptops I have a problem with as some staff refuse to be a
> member
> > > of the domain. Being a BOFH I want to enforce company policy and
> restrict
> > > access to network resources and internet if they plug it in.
> > >
> > > Thanks for all your help :)
> > >
> > > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> > > news:eaw7legjEHA.1048@tk2msftngp13.phx.gbl...
> > >> Domain verification is not a term I am familiar with in a context to
> what
> > >> you are looking for. Also if you run a search on Microsoft or Google
it
> > >> doesn't give any useful result to what you are looking for.
> > >>
> > >> Where did you hear this term and in what context?
> > >>
> > >> Mike
> > >>
> > >> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> > >> news:2pes2dFjsmqqU1@uni-berlin.de...
> > >> > Thanks Mike...
> > >> >
> > >> > Could you tell me what 'Domain Verification' is?
> > >> >
> > >> > I am so desperate to stop non-domain equipment from accessing my
> > > network.
> > >> >
> > >> > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> > >> > news:umoPh3ajEHA.3972@tk2msftngp13.phx.gbl...
> > >> > > Hi,
> > >> > >
> > >> > > For now, there is no easy solution to prevent DHCP server issuing
> IPs
> > > to
> > >> > non
> > >> > > domain clients. This is usually a problem when clients come in
the
> > >> office
> > >> > > and want to plug their computer into your LAN. If you are worried
> > > about
> > >> > > attacks well you should be. Even without DHCP it is pretty easy
to
> > >> figure
> > >> > > out what IPs you use on your LAN. E.g. if you use Exchange mail
> > >> > > server
> > > I
> > >> > can
> > >> > > look in header of any e-mail from your organization and find out
on
> > > what
> > >> > IP
> > >> > > your Exchange server is running)... Now I can pretty much guess
> what
> > > IP
> > >> I
> > >> > > have to set manually to get access to your LAN and Internet even
> > > without
> > >> > > DHCP.
> > >> > >
> > >> > > There are few things you can do.
> > >> > > If you only want to prevent access to internet and you don't have
> > >> problem
> > >> > > with customers browsing your LAN setup a proxy (e.g. ISA server).
> You
> > >> can
> > >> > > setup ISA in a way that would require every user to authenticate
> > >> > themselves
> > >> > > before they are granted access to the internet (user need a valid
> > >> account
> > >> > in
> > >> > > domain or some other database).
> > >> > >
> > >> > > If you also want to prevent access to LAN first thing you can do,
> > > don't
> > >> > > patch all network outlets to network backbone. Even if someone
> comes
> > > to
> > >> > your
> > >> > > office and plugs his computer with his own cable to the network
> > >> > > outlet
> > >> > > he/she still won't have any access to the network.
> > >> > >
> > >> > > Next thing you can do is port authentication (IEEE 802.1x). This
is
> > >> > probably
> > >> > > not the cheapest solution since you need switches that support
IEEE
> > >> > 802.1x.
> > >> > > Next thing you need are clients that are Windows 2000 SP4 or
newer.
> > > Once
> > >> > the
> > >> > > client connects to the network they have to present
authentication
> > >> > > parameters (username and password) and these are checked against
> e.g.
> > >> > Active
> > >> > > Directory (using IAS - RADIUS)...
> > >> > >
> > >> > > You could also setup IPSec policy for your domain. This would
> prevent
> > >> any
> > >> > > computer that is not part of domain to communicate with other
> members
> > > of
> > >> > > domain since Kerberos is used for IPSec authentication.
> > >> > > Even if virus infected computer comes to your office and it is
not
> > > part
> > >> of
> > >> > > your domain other computers will discard any connection from this
> > >> computer
> > >> > > since it doesn't use IPSec...
> > >> > >
> > >> > > I hope this helps,
> > >> > >
> > >> > > Mike
> > >> > >
> > >> > > "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> > >> > > news:2pdlclFjhe24U1@uni-berlin.de...
> > >> > > > I have DHCP on the server, it issues addresses to non-domain
> > > computers
> > >> > > too,
> > >> > > > which allows them use of the internet. I wish to block this.
> > >> > > >
> > >> > > > I have heard the term 'Domain Verification'...what is it and
what
> > > can
> > >> it
> > >> > > do
> > >> > > > for me?
> > >> > > >
> > >> > > >
> > >> > > > BOFH
> > >> > > >
> > >> > > >
> > >> > >
> > >> > >
> > >> >
> > >> >
> > >>
> > >>
> > >
> > >
> >
> >
>
>
- Next message: Oli Restorick [MVP]: "Re: Secure Server & Services"
- Previous message: BOFH: "Re: Secure Server & Services"
- In reply to: BOFH: "Re: Secure Server & Services"
- Next in thread: Oli Restorick [MVP]: "Re: Secure Server & Services"
- Reply: Oli Restorick [MVP]: "Re: Secure Server & Services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
