How to block arp -a command domain wide.

Venoy

Hi all,
I am running Windows 2000 Server and Exchange Server
2000 and we have around 200 clients in a single network.
I found that some users are using the command arp -a and
finding the MAC ID of servers. Then by editing the MAC ID
of their machine they are trying to bring down our servers.
How to disable this arp command, or how to get rid of this
security risk?

Can anybody help?

Thanks in advance
 
First you enable auditing of object access for all your computers and then
audit the arp file on each computer and you fire or expel those users who
are trying to compromise your server. That should stop that activity real
quick. For more info on auditing see the link below. Note that they may not
be using arp from the default location in \winnt\system32. There are also
programs like Ethereal that can be used to monitor packet traffic and can
use filters to narrow down the search or software firewalls like Sygate
that can be used just for their logging capabilities.

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

To answer your question, you can use Group Policy to manage file
permissions. For instance to change permissions for arp at the default
location you would make an entry for %systemroot%\system32\arp and
configure permissions and select replace. Do that under computer
configuration/Windows settings/security settings/file system. For users you
could also try to go to user configuration/administrative templates/system
and add arp.exe to the list of disallowed Windows applications where you may
also want to disable the command prompt and registry editing while there
after reading the full explanation of what these settings do. Note that it is
extremely hard to restrict users that have power user or administrator
access to their local computer. --- Steve
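
A monitoring check that complements the auditing advice above, added here as an example and not taken from any post in this thread: it parses `arp -a` output collected on a trusted host and compares it with a known-good list of server MAC addresses, flagging a server IP that answers with a different MAC and any other IP that presents a server's MAC. The function names, addresses and baseline are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches entry lines of Windows `arp -a` output: IP, dash-separated MAC, type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$"
)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_mac_anomalies(table, server_baseline):
    """Compare one ARP table against a known-good {server_ip: mac} baseline."""
    baseline = {ip: mac.lower() for ip, mac in server_baseline.items()}
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    findings = []
    for ip, mac in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != mac:
            # The server's IP now resolves to an unexpected adapter.
            findings.append(("server_mac_changed", ip, seen))
        for other in sorted(by_mac.get(mac, [])):
            if other != ip:
                # Another host is presenting the server's MAC address.
                findings.append(("server_mac_cloned", other, mac))
    return findings

# Constructed sample output and baseline (hypothetical addresses).
SAMPLE = """
Interface: 192.168.1.50 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.10          00-0c-29-aa-bb-01     dynamic
  192.168.1.11          00-0c-29-aa-bb-99     dynamic
  192.168.1.77          00-0C-29-AA-BB-01     dynamic
  192.168.1.80          00-50-56-11-22-33     dynamic
"""
BASELINE = {"192.168.1.10": "00-0c-29-aa-bb-01", "192.168.1.11": "00-0c-29-aa-bb-02"}

if __name__ == "__main__":
    for finding in find_mac_anomalies(parse_arp_table(SAMPLE), BASELINE):
        print(finding)
```
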
 
Venoy,

I totally agree with Steven's comments. This is a
personnel / HR Office / Dean's Office issue, not a
technology issue. If this is a corporate environment,
those users should be fired. If this is an educational
environment, failing / expelling the students will put a
stop to it.

I work in a large educational environment, and we have
all of our students *Read* and *Sign* an "Acceptable Use
Policy" which clearly states that anyone caught acting in
a malicious or malevolent manner will be Failed (read=
automatic F for the class), as well as dropped from the
class and barred from the CIS Lab. Problem resolved.

Lisa
 
Have you considered the scenario that those users may've changed their network adapter? I think your question is somehow ... strange ... Network security has nothing to do with forbidding the users to perform arp commands or change their macs, etc. after all
 