Network Infrastructure

 
 
news.microsoft.com
      03-25-2008, 02:21 AM
Hi Guys,

Hope I'm in the right group.

I'm in a stage of fixing my network. This is my current setup.

1. I have an Active Directory server, which is mydomain.com, where my
DNS and DHCP are also located.
2. My subnet is 255.255.255.0

This is my idea.

1. Have these servers: (Need suggestions on these)

a. AD Server with DNS Server - is this a good practice?
b. DHCP Server with ISA Server - is this a good practice?

Other concern:

I want my network to have access limitations. Here is a scenario.

1. In our network, only managers can use their laptop to access our
network and internet. It can be wired or wireless. Unauthorized laptop
should or must not access our network. But from the way the network was
setup, they can access it through wire. I can filter the wireless using MAC
Address filter from the routers. But if they connect through wire and know
how to config TCP/IP they can easily access our network. Can this be
avoided through ISA? Is there a way to filter MAC Address through Active
Directory?

Hope you can help me on this.


Thanks in advance.

Allan


Phillip Windell
      03-25-2008, 04:24 PM
"news.microsoft.com" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> 1. Have these servers: (Need suggestions on these)
>
> a. AD Server with DNS Server - is this a good practice?
> b. DHCP Server with ISA Server - is this a good practice?


No.
a. AD Server with DNS, DHCP, WINS
b. Server with ISA and *nothing*

> 1. In our network, only managers can use their laptop to access our
> network and internet. It can be wired or wireless. Unauthorized laptop
> should or must not access our network. But from the way the network was
> setup, they can access it through wire. I can filter the wireless using
> MAC Address filter from the routers. But if they connect through wire and
> know how to config TCP/IP they can easily access our network. Can this be
> avoided through ISA?


No. Not at all. ISA is a firewall product that sits between the LAN and the
Internet. It has nothing to do with what users do on their own LAN.

> Is there a way to filter MAC Address through Active Directory?


No.
You have a flawed theory. You are trying to keep machines off the LAN instead
of people. AD controls access by *who* the user is,...not what machine they
are on. Share Permissions and NTFS Permissions control what resources are
accessible on the LAN and it is based on *who* the user is, not what machine
they are using.

Just because a machine gets a TCP/IP config from DHCP does not mean it has
"access" to the resources on the LAN. Viewing it that way, and trying to
control things at OSI Layers 3 & 2 is the wrong approach.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

Allan M. Grafil
      03-26-2008, 01:05 AM

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "news.microsoft.com" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> 1. Have these servers: (Need suggestions on these)
>>
>> a. AD Server with DNS Server - is this a good practice?
>> b. DHCP Server with ISA Server - is this a good practice?

>
> No.
> a. AD Server with DNS, DHCP, WINS
> b. Server with ISA and *nothing*
>
>> 1. In our network, only managers can use their laptop to access our
>> network and internet. It can be wired or wireless. Unauthorized laptop
>> should or must not access our network. But from the way the network was
>> setup, they can access it through wire. I can filter the wireless using
>> MAC Address filter from the routers. But if they connect through wire
>> and know how to config TCP/IP they can easily access our network. Can
>> this be avoided through ISA?

>
> No. Not at all. ISA is a firewall product that sits between the LAN and
> the Internet. It has nothing to do with what users do on their own LAN.
>
>> Is there a way to filter MAC Address through Active Directory?

>
> No.
> You have a flawed theory. You are trying to keep machines off the LAN
> instead of people. AD controls access by *who* the user is,...not what
> machine they are on. Share Permissions and NTFS Permissions control what
> resources are accessible on the LAN and it is based on *who* the user is,
> not what machine they are using.
>
> Just because a machine gets a TCP/IP config from DHCP does not mean it has
> "access" to the resources on the LAN. Viewing it that way, and trying to
> control things at OSI Layers 3 & 2 is the wrong approach.


They have access to the LAN since they are part of the AD. Maybe a policy on
bringing laptops will solve my problem. But in any case someone is
suggesting to use IPsec Policy along with Group Policy. Can you give
feedback on this? Very much appreciated.


Thanks

Allan

Phillip Windell
      03-26-2008, 08:43 PM
"Allan M. Grafil" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> They have access in LAN since they are part of the AD. Maybe policy on
> bringing laptops will solve my problem.


Yes. Personally I like "Public User Beatings",..but hey,..that's just me.
But seriously, yes you have to control what people bring into the
building,...but if management won't back you,...then you are screwed, the
war is over, you lost,...let them do whatever management wants to let them
do.

> But in any case someone is suggesting to use IPsec Policy along with Group
> Policy.


A full mesh IPSec network is insane.

Think simpler. Combine the ability of Management to control their employees
(point made above) with just simply not having unused wall jacks lying
around "hot". Unplug them at the patch panel. If they start plugging the
laptops into where their workstation was plugged in then Management has to
deal with that. Once word gets around that someone got fired or suspended
without pay for a few days, it will be amazing how behavior will change with
the rest of them.

If wireless is the case then the users are not supposed to know the "Key" in
the first place. You are supposed to configure it for them the first time
and it will "remember" the Key after that. They won't be able to see the Key
themselves after that.

You can also use the feature in Active Directory user accounts that
sets the machine names of the machines the users are allowed to log in with.
That won't help in every case by itself, but the combination of all these
things working together will make a difference.

Computers are not "babysitters",...Managers are.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
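An added example (not code from the thread or its posters) of the per-account "Log On To" restriction Phillip describes, using the RSAT ActiveDirectory PowerShell module. The group name "Managers", the account names and the computer names are constructed placeholders.

```powershell
# Added example: restrict which computers each manager account may log on to
# (the AD "Log On To" setting, exposed as LogonWorkstations), then audit the
# group for accounts that still carry no restriction.
# Group, user and computer names are constructed placeholders.
Import-Module ActiveDirectory

$managerGroup = 'Managers'

# Constructed mapping: account -> allowed NetBIOS computer names
# (the assigned laptop, plus the desktop where one exists).
$allowedHosts = @{
    'jdoe'   = @('LT-JDOE', 'WS-JDOE')
    'asmith' = @('LT-ASMITH')
}

function Set-ManagerLogonWorkstations {
    param([hashtable]$Map)
    foreach ($sam in $Map.Keys) {
        # LogonWorkstations takes a comma-separated list of computer names.
        $list = $Map[$sam] -join ','
        Set-ADUser -Identity $sam -LogonWorkstations $list
        Write-Host "$sam -> $list"
    }
}

function Get-UnrestrictedManagers {
    param([string]$Group)
    # Members whose LogonWorkstations is empty can log on from any domain
    # computer, so the restriction is not yet doing anything for them.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, Name
}

Set-ManagerLogonWorkstations -Map $allowedHosts
Get-UnrestrictedManagers -Group $managerGroup | Format-Table -AutoSize
```

This limits where the domain accounts can log on interactively; an unknown laptop plugged into a live jack still obtains a DHCP lease, which is why the thread pairs it with dead patch-panel ports and management policy rather than relying on it alone.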