Networking Forums

Restrict access to LAN by random laptops?

 
 
Mygposts
Guest
Posts: n/a

 
      12-31-2008, 05:09 PM
Is there any native way on a Windows Server 2003 domain to prevent unknown
personal laptops from accessing the local LAN without needing to use third
party hardware and software?
We do not want to turn off DHCP, and even if we did, that wouldn't stop
someone from manually configuring a static address that works on our LAN.
 
Meinolf Weber [MVP-DS]
Guest
Posts: n/a

 
      12-31-2008, 05:18 PM
Hello MyGposts,

Use manageable switches and allow only the MAC addresses from the company
computers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Mygposts
Guest
Posts: n/a

 
      12-31-2008, 05:46 PM
We are unable to do that and it would be too tedious even if the switches
supported that and we had staff available to manage MAC addresses.

What about something built into Windows?
The problem is more that we don't want the rogue, virus-infected personal
computers to be able to be used to access our domain resources by the user
simply mapping a drive and typing in their domain credentials at an
authentication prompt.
Is IPSEC or 802.1x suitable and which is the easiest to implement?
 
Meinolf Weber [MVP-DS]
Guest
Posts: n/a

 
      01-01-2009, 09:51 AM
Hello MyGposts,

Some equivalent is not built into Windows. If you use Server 2008 you can
have a look at Network Access Protection:
http://www.microsoft.com/technet/net...poverview.mspx

http://technet.microsoft.com/en-us/n.../bb545879.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Bill Grant
Guest
Posts: n/a

 
      01-01-2009, 11:14 PM
This isn't really something that you can control by system software. The
only thing that works is a management policy that clearly states that this
sort of behavior will not be tolerated and sets out clearly what will happen
to people who disregard the policy.
 
Phillip Windell
Guest
Posts: n/a

 
      01-02-2009, 03:40 PM
"Mygposts" <(E-Mail Removed)> wrote in message
news:BE30BD85-1F5C-46B2-97C8-(E-Mail Removed)...
> We are unable to do that and it would be too tedious even if the switches
> supported that and we had staff available to manage mac addresses.


I think the best original answer for this is, "Define what "access to LAN"
means".

Just because something is "on the wire" does not mean it has access to the
LAN. That is what NTFS Permissions are for,...they control access. Then
you also have proprietary Access Controls built into any *real* proprietary
Business Application where the user has to log into the Application before
they can use it.

Short of deploying a complicated 802.1x solution (yea, guys, I may get the
802 number wrong) your other choices are to stop using DHCP or to not leave
empty Wall-Jacks "hot" when they aren't being used. The MDF or IDF needs to
be locked so that "any old Joe" cannot go into it and connect a Wall Jack at
the Patch Panel.

Wireless systems do not have this problem because if you set the WPA
Security as you should be, no one can connect to it unless you give them the
Key. At our place no one has the key but me,...none of the users have the
Key. Their machine does not show them the Key because it is "masked out"
and it is not something they need to know to reconnect each time after I
made the initial connection myself. Since none of the users know the key
they can not give it out to any "Guests".

Even if you stop using DHCP that doesn't prevent the user from "getting
lucky" and guessing a random IP# that is not in use and assigning it to
their machine. All they have to do is look at one of your other machines and
get the correct Net ID.

In the end this is a "human" problem and not a technical problem. The
solution to that is a "human" solution as Bill Grant was saying.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
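
Added example (not part of any post in this thread): where neither switch-level MAC filtering nor 802.1x is available, the thread's two observations (company machines have known MAC addresses, and a static address sidesteps DHCP) can at least be turned into a monitoring check. The sketch below parses Windows `arp -a` output and flags neighbours that are not in an inventory; the sample output, the inventory and the lease list are all constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (illustrative, not from the thread).
SAMPLE_ARP = """\
Interface: 192.168.10.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-01     dynamic
  192.168.10.21         00-1A-2B-3C-4D-10     dynamic
  192.168.10.77         00-50-56-aa-bb-cc     dynamic
  192.168.10.240        02-11-22-33-44-55     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Hypothetical inventory of company NICs and of IPs the DHCP server has leased.
COMPANY_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:10"}
DHCP_LEASED_IPS = {"192.168.10.21", "192.168.10.77"}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+\w+\s*$"
)

def normalize_mac(mac):
    """Lower-case, colon-separated form so inventory lookups are consistent."""
    return mac.lower().replace("-", ":")

def audit(arp_text, allowed=COMPANY_MACS, leased_ips=DHCP_LEASED_IPS):
    """Return (ip, mac, notes) for each unicast neighbour not in the inventory."""
    findings = []
    for line in arp_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), normalize_mac(m.group(2))
        first_octet = int(mac[:2], 16)
        if first_octet & 1:      # broadcast/multicast entry, not a host
            continue
        if mac in allowed:
            continue
        notes = []
        if ip not in leased_ips:
            notes.append("no DHCP lease (statically configured)")
        if first_octet & 2:      # locally administered bit: not a vendor-burned address
            notes.append("locally administered MAC")
        findings.append((ip, mac, notes))
    return findings

if __name__ == "__main__":
    for ip, mac, notes in audit(SAMPLE_ARP):
        print(ip, mac, "; ".join(notes) or "unknown device with DHCP lease")
```

The ARP cache only lists hosts this machine has recently exchanged traffic with on its own subnet, and a MAC address can be changed by the device's owner, so this is a detection aid rather than access control.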


 