locking out unauthorized computers

 
 
Dave Cattapan
      02-21-2008, 09:39 PM
I'm trying to prevent corporate data theft. I fear someone could bring a
laptop from home, plug it into our network, use their domain username and
password to connect to the server, copy sensitive data to their laptop, then
go home with the data. Can I prevent them from logging into the domain from
PC's that are not in the domain? I'm running Windows Server 2003 on the
server and mostly XP on the clients.
 
Lanwench [MVP - Exchange]
      02-21-2008, 10:11 PM
Dave Cattapan <(E-Mail Removed)> wrote:
> I'm trying to prevent corporate data theft. I fear someone could
> bring a laptop from home, plug it into our network, use their domain
> username and password to connect to the server, copy sensitive data
> to their laptop, then go home with the data. Can I prevent them from
> logging into the domain from PC's that are not in the domain? I'm
> running Windows Server 2003 on the server and mostly XP on the
> clients.


Depends on your budget, skill set, and requirements.

You can prevent unauthorized computers from connecting to the network at
all, if you've got a fancy-enough Ethernet switch that can handle that.
These ain't extremely cheap, nor simple to manage, though.

You can also prevent users from connecting USB thumb drives/hard drives or
burning CDs via group policy. It seems more likely that someone would bring
in a thumb drive than a laptop, to me.

You should have a written company policy in place which all users must sign,
and which spells out what is allowed and what is forbidden. Set up a logon
banner so that the users have to click OK ("...acknowledging your agreement
to abide by Company X's computer use policy, yaddayaddayadda").

Make sure your server/network equipment is not physically accessible to
anyone but IT staff & your users aren't admins on their own PCs, too.

Regularly tested backups & realtime full email archives are also a good
thing to have if you're worried about this sort of thing.


 
Robert L. (MS-MVP)
      02-21-2008, 10:11 PM
Cisco ACS will do that for you. This overview may have more information.

Cisco Access Control Server
http://www.howtocisco.com/cisco/howto/acs0.htm

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Dave Cattapan" <(E-Mail Removed)> wrote in message
news0AC90A3-6BA6-4E76-9D80-(E-Mail Removed)...
> I'm trying to prevent corporate data theft. I fear someone could bring a
> laptop from home, plug it into our network, use their domain username and
> password to connect to the server, copy sensitive data to their laptop,
> then
> go home with the data. Can I prevent them from logging into the domain
> from
> PC's that are not in the domain? I'm running Windows Server 2003 on the
> server and mostly XP on the clients.


 
moncho
      02-22-2008, 06:04 PM
Dave Cattapan wrote:
> I'm trying to prevent corporate data theft. I fear someone could bring a
> laptop from home, plug it into our network, use their domain username and
> password to connect to the server, copy sensitive data to their laptop, then
> go home with the data. Can I prevent them from logging into the domain from
> PC's that are not in the domain? I'm running Windows Server 2003 on the
> server and mostly XP on the clients.


I am guessing here and maybe someone can chime in on the details,
but is it possible to setup A/D to put a computer into a specific
default OU the first time it connects to the corporate network?

If so, would it not be possible to make the GPO for that
OU super restrictive until the user notifies a domain
admin to move the new authenticated system to another OU?

Just an idea..

moncho
 
Lanwench [MVP - Exchange]
      02-22-2008, 07:51 PM
moncho <(E-Mail Removed)> wrote:
> Dave Cattapan wrote:
>> I'm trying to prevent corporate data theft. I fear someone could
>> bring a laptop from home, plug it into our network, use their domain
>> username and password to connect to the server, copy sensitive data
>> to their laptop, then go home with the data. Can I prevent them from
>> logging into the domain from PC's that are not in the domain? I'm
>> running Windows Server 2003 on the server and mostly XP on the
>> clients.

>
> I am guessing here and maybe someone can chime in on the details,
> but is it possible to setup A/D to put a computer into a specific
> default OU the first time it connects to the corporate network?
>
> If so, would it not be possible to make the GPO for that
> OU super restrictive until the user notifies a domain
> admin to move the new authenticated system to another OU?
>
> Just an idea..
>
> moncho


Well ...no. Connecting a computer to the network has nothing to do with
joining it to the domain. And the existing user account to which the OP
refers, wouldn't be limited by anything you had in a computer OU anyway.



 
Shahin
      02-26-2008, 12:54 PM
Hi,

Why not turn on the Auditing on the resources of a specific server, I
think not all the resources are worth stealing!

"Lanwench [MVP - Exchange]" wrote:

> moncho <(E-Mail Removed)> wrote:
> > Dave Cattapan wrote:
> >> I'm trying to prevent corporate data theft. I fear someone could
> >> bring a laptop from home, plug it into our network, use their domain
> >> username and password to connect to the server, copy sensitive data
> >> to their laptop, then go home with the data. Can I prevent them from
> >> logging into the domain from PC's that are not in the domain? I'm
> >> running Windows Server 2003 on the server and mostly XP on the
> >> clients.

> >
> > I am guessing here and maybe someone can chime in on the details,
> > but is it possible to setup A/D to put a computer into a specific
> > default OU the first time it connects to the corporate network?
> >
> > If so, would it not be possible to make the GPO for that
> > OU super restrictive until the user notifies a domain
> > admin to move the new authenticated system to another OU?
> >
> > Just an idea..
> >
> > moncho

>
> Well ...no. Connecting a computer to the network has nothing to do with
> joining it to the domain. And the existing user account to which the OP
> refers, wouldn't be limited by anything you had in a computer OU anyway.
>
>
>
>

 
Lanwench [MVP - Exchange]
      02-26-2008, 02:21 PM
Shahin <(E-Mail Removed)> wrote:
> Hi,
>
> Why not turn on the Auditing on the resources of a specific server,
> I think not all the resources are worth stealing!


You want to audit all file reads/copies and actually *read* those logs to
find the needle in the haystack? Not me!

>
> "Lanwench [MVP - Exchange]" wrote:
>
>> moncho <(E-Mail Removed)> wrote:
>>> Dave Cattapan wrote:
>>>> I'm trying to prevent corporate data theft. I fear someone could
>>>> bring a laptop from home, plug it into our network, use their
>>>> domain username and password to connect to the server, copy
>>>> sensitive data to their laptop, then go home with the data. Can I
>>>> prevent them from logging into the domain from PC's that are not
>>>> in the domain? I'm running Windows Server 2003 on the server and
>>>> mostly XP on the clients.
>>>
>>> I am guessing here and maybe someone can chime in on the details,
>>> but is it possible to setup A/D to put a computer into a specific
>>> default OU the first time it connects to the corporate network?
>>>
>>> If so, would it not be possible to make the GPO for that
>>> OU super restrictive until the user notifies a domain
>>> admin to move the new authenticated system to another OU?
>>>
>>> Just an idea..
>>>
>>> moncho

>>
>> Well ...no. Connecting a computer to the network has nothing to do
>> with joining it to the domain. And the existing user account to
>> which the OP refers, wouldn't be limited by anything you had in a
>> computer OU anyway.




 
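The auditing suggestion above does not have to mean reading every file-access record: logging successful logons on the file server and comparing the recorded workstation name against a list of domain-joined computers narrows the search to the scenario the original poster describes. This is an added example, not part of any post in the thread; the CSV layout, host names, account names and addresses are constructed for illustration.

```python
import csv
import io

# Constructed inventory of domain-joined computer names.
DOMAIN_COMPUTERS = {"ACCT-PC01", "ACCT-PC02", "HR-PC07"}

# Constructed sample of successful logon events exported from the file
# server's Security log. The column layout is an assumption of this example.
SAMPLE_EVENTS = """\
time,logon_type,user,workstation,source_ip
2008-02-26 09:01:12,3,jsmith,ACCT-PC01,10.0.0.21
2008-02-26 09:03:40,3,jsmith,acct-pc01.corp.example,10.0.0.21
2008-02-26 12:47:05,3,jsmith,HOME-LAPTOP,10.0.0.187
2008-02-26 12:48:30,3,ACCT-PC02$,ACCT-PC02,10.0.0.22
2008-02-26 13:10:02,3,mlee,-,10.0.0.190
2008-02-26 13:15:44,2,mlee,HR-PC07,127.0.0.1
"""

NETWORK_LOGON = "3"  # logon type 3 = access over the network (e.g. a share)


def normalize(name):
    """Reduce 'acct-pc01.corp.example' or 'ACCT-PC01$' to 'ACCT-PC01'."""
    return name.strip().rstrip("$").split(".")[0].upper()


def triage(events_csv, inventory):
    """Return (foreign, unknown) lists of network logons worth reviewing."""
    known = {normalize(n) for n in inventory}
    foreign, unknown = [], []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["logon_type"] != NETWORK_LOGON:
            continue  # interactive and other logon types are out of scope
        if row["user"].endswith("$"):
            continue  # computer accounts, not people
        host = normalize(row["workstation"])
        if host in ("", "-"):
            unknown.append(row)  # no name recorded: follow up by source IP
        elif host not in known:
            foreign.append(row)  # user credentials from a non-inventory host
    return foreign, unknown


if __name__ == "__main__":
    foreign, unknown = triage(SAMPLE_EVENTS, DOMAIN_COMPUTERS)
    for r in foreign:
        print("FOREIGN", r["time"], r["user"], r["workstation"], r["source_ip"])
    for r in unknown:
        print("UNKNOWN", r["time"], r["user"], r["source_ip"])
```

The workstation name in a logon event is reported by the client, so a match against the inventory narrows the haystack rather than proving the machine is managed.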
 
idflyfish
      02-28-2008, 11:46 AM
This may be what you are looking for.

http://www.microsoft.com/technet/net...poverview.mspx

I am hoping to add this functionality once we upgrade to Windows 2008
AD.

 
Alex Ignatenko
      03-04-2008, 05:24 PM
Use IPSEC with certs to access your file servers. A foreign computer will
not be able to connect to your file server.
Please note MS does not recommend IPSEC between domain client computers
(other than Vista) and DC.
Check Cable Guy for server isolation.

Regards,

-Alex


"Dave Cattapan" <(E-Mail Removed)> wrote in message
news0AC90A3-6BA6-4E76-9D80-(E-Mail Removed)...
> I'm trying to prevent corporate data theft. I fear someone could bring a
> laptop from home, plug it into our network, use their domain username and
> password to connect to the server, copy sensitive data to their laptop,
> then
> go home with the data. Can I prevent them from logging into the domain
> from
> PC's that are not in the domain? I'm running Windows Server 2003 on the
> server and mostly XP on the clients.


 