Network Infrastructure

Discussion in 'Windows Networking' started by news.microsoft.com, Mar 25, 2008.

  1. Hi Guys,

    Hope I'm in the right group.

    I'm in the process of fixing my network. This is my current setup.

    1. I have an Active Directory server, which is mydomain.com, where my DNS
    and DHCP are also located.
    2. My subnet is 255.255.255.0

    This is my idea.

    1. Have these servers: (Need suggestions on these)

    a. AD Server with DNS Server - is this a good practice?
    b. DHCP Server with ISA Server - is this a good practice?

    Other concern:

    I want my network to have access limitations. Here is a scenario.

    1. In our network, only managers can use their laptop to access our
    network and the internet. It can be wired or wireless. Unauthorized laptops
    should or must not access our network. But from the way the network was
    set up, they can access it through a wire. I can filter the wireless using MAC
    address filtering on the routers. But if they connect through a wire and know
    how to configure TCP/IP, they can easily access our network. Can this be
    avoided through ISA? Is there a way to filter MAC addresses through Active
    Directory?

    Hope you can help me on this.


    Thanks in advance.

    Allan
     
    news.microsoft.com, Mar 25, 2008
    #1

  2. No.
    a. AD Server with DNS, DHCP, WINS
    b. Server with ISA and *nothing*

    No. Not at all. ISA is a firewall product that sits between the LAN and the
    Internet. It has nothing to do with what users do on their own LAN.

    No.

    You have a flawed theory. You are trying to keep machines off the LAN instead
    of people. AD controls access by *who* the user is,...not what machine they
    are on. Share permissions and NTFS permissions control what resources are
    accessible on the LAN, and it is based on *who* the user is, not what machine
    they are using.

    Just because a machine gets a TCP/IP config from DHCP does not mean it has
    "access" to the resources on the LAN. Viewing it that way, and trying to
    control things at OSI Layers 3 & 2, is the wrong approach.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.mspx

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
    Phillip Windell, Mar 25, 2008
    #2

  3. They have access in the LAN since they are part of the AD. Maybe a policy on
    bringing laptops will solve my problem. But in any case, someone is
    suggesting to use IPsec Policy along with Group Policy. Can you give
    feedback on this? Very much appreciated.


    Thanks

    Allan
     
    Allan M. Grafil, Mar 26, 2008
    #3
  4. Yes. Personally I like "Public User Beatings",..but hey,..that's just me.
    But seriously, yes, you have to control what people bring into the
    building,...but if management won't back you,...then you are screwed, the
    war is over, you lost,...let them do whatever management wants to let them
    do.
    A full mesh IPsec network is insane.

    Think simpler. Combine the ability of Management to control their employees
    (point made above) with simply not having unused wall jacks lying
    around "hot". Unplug them at the patch panel. If they start plugging the
    laptops into where their workstation was plugged in, then Management has to
    deal with that. Word gets around that someone got fired or suspended
    without pay for a few days; it will be amazing how the behavior of the rest
    of them changes.

    If wireless is the case then the users are not supposed to know the "Key" in
    the first place. You are supposed to configure it for them the first time
    and it will "remember" the Key after that. They won't be able to see the Key
    themselves after that.

    You can also combine this with the feature found in Active Directory accounts
    that sets the machine names of the computers a user is allowed to log on with.
    That won't help in every case by itself, but the combination of all these
    things working together will make a difference.

    Computers are not "babysitters",...Managers are.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Mar 26, 2008
    #4
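The per-account logon restriction Phillip refers to in #4 is the "Log On To..." setting on the user's Account tab, stored in the `userWorkstations` attribute and exposed by the ActiveDirectory PowerShell module as `LogonWorkstations`. The script below is an added example, not something posted in the thread or shipped by Microsoft; it assumes a domain-joined admin session with the ActiveDirectory module (RSAT) installed, and the user, computer and group names in it are made up. It validates each computer name against AD before writing it, applies the restriction, and then lists members of an assumed "Managers" group who still have no restriction at all.

```powershell
# Added example: restrict which domain-joined computers a user may log on from,
# using the "Log On To..." setting (LDAP attribute userWorkstations).
# Assumptions: ActiveDirectory module available; names below are made up.
Import-Module ActiveDirectory

# Assumed mapping: user sAMAccountName -> computers the user may log on to.
# The attribute takes a comma-separated list of NetBIOS computer names
# (no domain suffix); a user with an empty value may log on anywhere.
$allowed = @{
    'jdoe'   = 'MGR-LAPTOP01,MGR-DESK01'
    'asmith' = 'MGR-LAPTOP02'
}

foreach ($sam in $allowed.Keys) {
    $names = $allowed[$sam] -split ',' | ForEach-Object { $_.Trim() }

    # Only keep names that exist as computer objects; a typo here would lock
    # the user out of a machine they are supposed to use.
    $valid = foreach ($n in $names) {
        if (Get-ADComputer -Filter "Name -eq '$n'") { $n }
        else { Write-Warning "$sam : computer '$n' not found in AD, skipping" }
    }
    if (-not $valid) {
        Write-Warning "$sam : no valid computers, leaving account unchanged"
        continue
    }

    $user   = Get-ADUser -Identity $sam -Properties LogonWorkstations
    $before = $user.LogonWorkstations
    $after  = $valid -join ','
    Set-ADUser -Identity $sam -LogonWorkstations $after
    Write-Host ("{0}: '{1}' -> '{2}'" -f $sam, $before, $after)
}

# Audit: members of the (assumed) Managers group with no restriction set.
$group = 'Managers'
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName, Name |
    Format-Table -AutoSize
```

The restriction is enforced by the domain controller at logon time, so it only governs domain accounts logging on to domain-joined computers; it says nothing about a machine that merely obtained a DHCP lease, which is the distinction Phillip draws in #2. Verify a change with `Get-ADUser jdoe -Properties LogonWorkstations`, and clear it with `Set-ADUser jdoe -LogonWorkstations $null`.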