Networking Forums

Restricting unauthorized clients

 
 
MJG

 
      06-26-2006, 07:04 PM
We have a large network running 2003 server and XP clients. Is there a way
to stop users from bringing in personal computers/notebooks and plugging them
in to the network? I know we can't PHYSICALLY stop them, but is there
something we can do to restrict their access to network resources? This
could apply to users that may or may not have a valid account. Is there
something in group policy that we could use or something related to computers
having to be joined to the domain? Thanks.....
 
 
 
 
 
Robert Moir

 
      06-26-2006, 07:54 PM
MJG wrote:
> We have a large network running 2003 server and XP clients. Is there
> a way to stop users from bringing in personal computers/notebooks and
> plugging them in to the network? I know we can't PHYSICALLY stop
> them, but is there something we can do to restrict their access to
> network resources? This could apply to users that may or may not
> have a valid account. Is there something in group policy that we
> could use or something related to computers having to be joined to
> the domain? Thanks.....


You can remove the right for users to join computers to the domain, that's
documented if you look. If that's ample for your needs then you're done.

You can also use RADIUS authentication on your switches to disallow
unrecognised client connections. IF your switches support this. And IF
you're prepared to invest the effort in setting this up.

Whatever option you choose, you *also* need to make it a personnel /
disciplinary issue for people who just turn up and do this. If you don't
bother then you'll turn it into a game; some people just won't take the hint
and keep trying to beat you until someday things go badly wrong and you
either have a serious network issue or the need to fire someone, both of
which you can probably do without.

I realise you'll probably gloss over this last part because it can be
difficult to persuade management on this issue and either you or they will
convince yourselves that a technical solution is enough. But if you don't
also address the human side of the problem as well as the technical one then
one day you'll come back to rue the day.

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".


 
 
Phillip Windell

 
      06-26-2006, 08:02 PM
The short answer is "No you can't do anything about it".
The longer answer is that there is some quarantining technology out there
but it is still in an "infancy" stage and hasn't been fully matured,
developed, and standardized yet. You may be able to search for products or
methods concerning that on the Net but I don't have anything specific on
this. Like anything new, it will either be $$$$ or it will be clunky,
complex, and undependable (and still may be $$$$).

This is why DHCP is not (or should not be) deployed in an environment where
something like this matters. DHCP is a convenience tool, not a security
tool,...it is the exact opposite of a security tool. It is more of an
"insecurity tool".

As far as physically stopping them,...yes you can if management has the
stomach to enforce it. For starters, if they are caught doing it, the
laptop can be confiscated and given back at the end of the day when they
leave to go home. Make up your own favorite punishments for repeat
offenders. If management won't enforce the policy, then you are screwed and
might as well let them do whatever they want and if something gets fouled up
you can just tell management "See, I told you so" and maybe they will listen
next time. They typically have to get bit in the rear by something first
before they take it seriously.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"MJG" <(E-Mail Removed)> wrote in message
news:EA3A1FB8-24DF-4B7B-9F70-(E-Mail Removed)...
> We have a large network running 2003 server and XP clients. Is there a way
> to stop users from bringing in personal computers/notebooks and plugging them
> in to the network? I know we can't PHYSICALLY stop them, but is there
> something we can do to restrict their access to network resources? This
> could apply to users that may or may not have a valid account. Is there
> something in group policy that we could use or something related to computers
> having to be joined to the domain? Thanks.....



 
 
Mike Lowery

 
      06-27-2006, 05:34 PM

"MJG" <(E-Mail Removed)> wrote in message
news:EA3A1FB8-24DF-4B7B-9F70-(E-Mail Removed)...
> We have a large network running 2003 server and XP clients. Is there a way
> to stop users from bringing in personal computers/notebooks and plugging them
> in to the network? I know we can't PHYSICALLY stop them, but is there
> something we can do to restrict their access to network resources? This
> could apply to users that may or may not have a valid account. Is there
> something in group policy that we could use or something related to computers
> having to be joined to the domain? Thanks.....


If you knew their MAC addresses, you could block them. The opposite is to allow
all known MAC addresses and block unknown. Disabling DHCP can help, but is not
a sure-fire solution since people can still manually assign static IPs.


 
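An inventory check along the lines of the known/unknown MAC approach in the last reply, as an added example that is not part of any poster's message: it compares the MACs seen in `arp -a` output with an allowlist and uses the DHCP audit log to separate leased devices from ones with no lease, which covers the static-IP case. The inventory, the sample output and the log layout are constructed assumptions; a MAC address is not authenticated, so the result is a detection aid rather than access control.

```python
import re

# Constructed inventory of managed NICs (assumption: exported from an asset list).
KNOWN_MACS = {"00-11-22-33-44-55", "00-11-22-33-44-66"}
# Constructed `arp -a` output in the Windows layout.
ARP_OUTPUT = """\
  Internet Address      Physical Address      Type
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.31          00-11-22-33-44-66     dynamic
  192.168.1.77          00-0c-29-aa-bb-cc     dynamic
  192.168.1.90          00-16-6f-12-34-56     dynamic
"""
# Constructed DHCP audit log; assumed layout is
# ID,Date,Time,Description,IP,Host,MAC with ID 10 = new lease, 11 = renewal.
DHCP_LOG = """\
10,06/26/06,08:58:02,Assign,192.168.1.20,ACCT-PC01,001122334455
11,06/26/06,09:10:40,Renew,192.168.1.31,ACCT-PC02,001122334466
10,06/26/06,09:15:12,Assign,192.168.1.77,LAPTOP-X,000C29AABBCC
"""

def norm(mac):
    """Canonicalise a MAC to 12 uppercase hex digits, or None if malformed."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def arp_entries(text):
    """Yield (ip, mac) for each dynamic entry in `arp -a` output."""
    for m in re.finditer(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+dynamic\s*$", text, re.M):
        if norm(m.group(2)):
            yield m.group(1), norm(m.group(2))

def dhcp_leases(text):
    """Return {mac: hostname} for lease grants and renewals in the audit log."""
    leases = {}
    for line in text.splitlines():
        f = line.split(",")
        if len(f) >= 7 and f[0] in ("10", "11") and norm(f[6]):
            leases[norm(f[6])] = f[5]
    return leases

def unknown_devices(arp_text, dhcp_text, known):
    """List devices seen on the wire whose MAC is not in the inventory."""
    allowed = {norm(m) for m in known}
    leases = dhcp_leases(dhcp_text)
    return [{"ip": ip, "mac": mac, "host": leases.get(mac),
             "addressing": "dhcp" if mac in leases else "no-lease"}
            for ip, mac in arp_entries(arp_text) if mac not in allowed]

print(unknown_devices(ARP_OUTPUT, DHCP_LOG, KNOWN_MACS))
```

A device reported as `no-lease` is on the segment without having asked DHCP for an address, which is the case that disabling DHCP alone does not address.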
 
 
 