lmpbas (Guest)
Posted: Thu Dec 09, 2004 10:24 pm
Post subject: how to restrict dhcp to authenticate domain users?
We are having a problem with people bringing their laptops into the LAN. They
are unable to access the resources but they are able to surf.
How to restrict dhcp to authenticate domain users?
Any ideas?
Thanks
lm
Steven L Umbach (Guest)
Posted: Thu Dec 09, 2004 11:15 pm
Post subject: Re: how to restrict dhcp to authenticate domain users?
This is a common question to say the least. One often mentioned strategy is
to create a dhcp scope with only reserved IP addresses for domain computers.
However that will not stop those that manually configure their computers, is
usually not practical if you have more than a few dozen computers, and it has
been reported that IP addresses still may be dished out if all reservations
are not currently being used.
The better and best solutions involve the use of switches that can manage
port access by mac address filtering or 802.1x authentication. Mac address
filtering is fairly easy to set up as most switches have a learning mode to
learn the mac addresses of currently connected computers. Mac addresses can
be spoofed but my guess is that none but the most determined and savvy users
will attempt such. 802.1x is the most secure method but requires compatible
operating systems, switches that can use it, Certificate Authority on the
network, and an IAS server on the network. Windows 2003 can do both. The
link below shows how this is done via a short paper from HP.
http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm
Otherwise I would highly recommend that you consider a network/computer use
policy for all your users outlining what can and cannot be done on the
network with a short explanation of the dangers of an employee laptop
infecting the network and the potential cost to fix. Be sure to spell out
consequences and have employees sign one for their file, one to keep, and
posted in prominent places. From my experience as a manager, you must enforce
this policy or it will not be worthwhile. --- Steve
"lmpbas" <lmpbas@yahoo.com> wrote in message
news:OBd3%23sg3EHA.3336@TK2MSFTNGP11.phx.gbl...
> We are having a problem with people bringing their laptops into the LAN. They
> are unable to access the resources but they are able to surf.
> How to restrict dhcp to authenticate domain users?
> Any ideas?
> Thanks
> lm
Miha Pihler (Guest)
Posted: Thu Dec 09, 2004 11:23 pm
Post subject: Re: how to restrict dhcp to authenticate domain users?
Hi,
There is no easy way to do this. Clients use broadcasts to discover a DHCP
server and there is no authentication process in this.
This would be possible using IEEE 802.1x. The "problem" with this solution is
usually the price and technical implementation. Among other things you need
network switches that support IEEE 802.1x, clients that support it (e.g.
Windows 2000 SP4 or a newer operating system) and a database to check against
(e.g. Active Directory). Before a client is allowed on the network it has to
authenticate with the network switch. If the client sends valid user information
(checked against Active Directory) the client gets e.g. a DHCP-assigned IP.
There is a known "work-around" in IEEE 802.1x for wired connections.
There are a few more things you can do for the safety of your network. Don't patch
all network outlets to your network. Patch only the ones in use.
Implement IPSec with Kerberos authentication. Only computers that are in the
domain will be able to participate in the IPSec protected network (if you
configure it so). So any outside computers that are not members of your
domain would not be able to attack your servers or infect them with e.g.
worms/viruses.
Note: any domain user can join up to 10 computers to the domain.
Write a company policy that prohibits the use of private computers on the company
network, with consequences if users fail to follow the policy.
Mike
"lmpbas" <lmpbas@yahoo.com> wrote in message
news:OBd3%23sg3EHA.3336@TK2MSFTNGP11.phx.gbl...
> We are having a problem with people bringing their laptops into the LAN. They
> are unable to access the resources but they are able to surf.
> How to restrict dhcp to authenticate domain users?
> Any ideas?
> Thanks
> lm
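The point made in the two replies above (a DHCP client identifies itself only by the hardware address and client identifier it chooses to send, so a reservation-only scope or MAC filter is not authentication of a domain user) as an added Python example that is not part of the thread. It builds a minimal DHCPDISCOVER per RFC 2131/2132, parses the fields a server looks at before offering a lease, and runs it against a constructed reservation table; the MAC addresses, host names and 10.0.0.x addresses are made up for the example.

```python
"""Added example: why DHCP reservations and MAC filters cannot authenticate.
Builds and parses a DHCPDISCOVER and applies a reservation-only scope to it."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker that starts the options field


def build_discover(mac: bytes, xid: int, hostname: str = "") -> bytes:
    """Build a DHCPDISCOVER (BOOTP request + DHCP options) for a client
    claiming hardware address `mac`. Every byte here is chosen by the client."""
    if len(mac) != 6:
        raise ValueError("Ethernet MAC must be 6 bytes")
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (ask for a broadcast reply)
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    pkt += b"\x00" * 16              # ciaddr, yiaddr, siaddr, giaddr: all zero
    pkt += mac + b"\x00" * 10        # chaddr: 16-byte field, MAC plus padding
    pkt += b"\x00" * (64 + 128)      # sname and file: unused
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 1])        # option 53: message type 1 = DISCOVER
    opts += bytes([61, 7, 1]) + mac  # option 61: client identifier (htype + MAC)
    if hostname:
        name = hostname.encode("ascii")
        opts += bytes([12, len(name)]) + name   # option 12: host name
    opts += b"\xff"                  # option 255: end of options
    return pkt + opts


def parse_discover(pkt: bytes) -> dict:
    """Parse the fields a DHCP server would consult before offering a lease."""
    op, htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not an Ethernet BOOTREQUEST")
    chaddr = pkt[28:28 + hlen]
    opt_start = 28 + 16 + 64 + 128   # = 236, where the options field begins
    if pkt[opt_start:opt_start + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, opt_start + 4
    while i < len(pkt):
        code = pkt[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": opts[53][0] if 53 in opts else None,
        "client_id": opts.get(61),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }


# Constructed sample reservation table (hypothetical MACs and addresses):
# the "scope with only reserved IP addresses for domain computers" strategy.
RESERVATIONS = {
    "00:11:22:33:44:55": "10.0.0.10",   # domain PC "WS01"
    "00:11:22:33:44:56": "10.0.0.11",   # domain PC "WS02"
}


def offer_for(pkt: bytes, reservations: dict = RESERVATIONS):
    """Server-side decision for a reservation-only scope: the address to offer
    or None. Note what is NOT consulted: no domain user, no computer account,
    no credential of any kind, only the MAC the client itself put in chaddr.
    A client with a manually configured address never sends this packet at all."""
    info = parse_discover(pkt)
    if info["msg_type"] != 1:
        return None
    return reservations.get(info["mac"])


if __name__ == "__main__":
    domain_pc = bytes.fromhex("001122334455")
    visitor = bytes.fromhex("aabbccddeeff")
    print(offer_for(build_discover(domain_pc, 0x1001, "WS01")))    # 10.0.0.10
    print(offer_for(build_discover(visitor, 0x1002, "laptop")))    # None
    # The visitor sets the NIC's MAC to a reserved one: same packet, same offer.
    print(offer_for(build_discover(domain_pc, 0x1003, "laptop")))  # 10.0.0.10
```

The third call is the whole argument in one line: the "domain PC" and the visitor laptop that copied its MAC are indistinguishable on the wire, which is why the replies point at 802.1x (a credential checked before the port carries any DHCP traffic) rather than at the DHCP server.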
Roger Abell (Guest)
Posted: Fri Dec 10, 2004 6:41 am
Post subject: Re: how to restrict dhcp to authenticate domain users?
The real problem here is that you have a catch-22: before the
machine has an IP you really cannot tell much about what it is
or what account is in use on it.
One solution that has not been mentioned is use of a quarantine
vlan, to which the dhcp clients have initial access. If subsequent
tests are passed, they are then allowed out, and one of these tests
would be that the machine is domain joined or also that machine
local accounts are not available for local login, only domain accts.
Now, if someone can walk into the building lobby and plug in,
and the network is not switched and the only controls in the
network are MAC based, then they will walk around you sooner
or later, given some time or determination. So, to make a solution
really sound, you need something like 802.1x, and then gate access
with the quarantine vlan.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"lmpbas" <lmpbas@yahoo.com> wrote in message
news:OBd3%23sg3EHA.3336@TK2MSFTNGP11.phx.gbl...
> We are having a problem with people bringing their laptops into the LAN. They
> are unable to access the resources but they are able to surf.
> How to restrict dhcp to authenticate domain users?
> Any ideas?
> Thanks
> lm