Multiple foreign domains within 'My network places'

[Guest]

We have a bit of a weird problem. We have a Windows 2000 based domain
with W2k and XP clients. Over the last few days, I have noticed in 'my
network places' that there are 6 other domains listed that are nothing
to do with us. These domains are not accessible and error message
stating this comes up when you double click on them. However, this is
confusing to users and is potentially a security breach. I have no idea
of how to start troubleshooting this. Any suggestions anyone? Has
anyone seen this before?


Thanks.


Reply

 

[Steven L Umbach]

It sounds like you may have users plugging unauthorized computers into your
network or authorized computers that are not a member of the domain. If
those computers have workgroup names different than your domain name they
will show in My Network Places. They should disappear a short time after
disconnecting from the network and may be why you could not see any
computers in the workgroup. Assuming you are following security best
practices such as enforcing strong passwords and configuring network
resources with the principle of least privilege those computers should not
pose a threat to accessing your network resources but they could introduce
malware into your network. You may want to reiterate your policy of no
unauthorized computers on your network to your users assuming that is your
policy. Also check the security logs of your computers such as servers and
domain controllers to see if you see users authenticating with strange
computer names which would indicate those users may be bringing their
laptops to work to access domain resources with their domain user
account.. --- Steve

 

[Guest]

Thanks so much for the advice. Although I am MCSE, I dont really do much
outside servers and find much of this network stuff quite baffling. I think
you are definitely along the right lines here. I am watching the fort while
the infrastructure manager is away. However, I believe before he went he did
some fiddling on the network which involved a DSL line and a wireless router
being connected to a switch that itself is connected to the network. I do not
want to interfere with his work while he is away, but I am concerned by this.
I do not understand though how a DSL connection to the main network would
cause just 6 specific domains to appear - if the network is connected to the
internet, you might think that thousands might appear. Any thoughts?

 

[Steven L Umbach]

Interesting. Who is using the wireless access point?? If it is available for
non domain computers [knowingly or unknowingly] that could certainly be a
reason why you are seeing other names in My Network Places. The wireless
device should have some logging that will show such information which may
only be the IP address of the computer accessing it. Also I hope that the
wireless network is properly secured ideally not using non dynamic WEP for
encryption [using 802.1X or WPA PSK with a strong key instead] as that is
pretty weak and can be readily cracked by those looking to do such possibly
for free internet access. Another possibility is VPN connections from either
individual users or to other networks using a persistent VPN connection
using either a VPN server on your network or an ipsec endpoint device that
uses the internet connection. While it could be possible for other users on
the network to access your network [but not necessarily your network
resources if properly secured] if you are not using a firewall or improperly
configured firewall you would not see their network names as the mechanism
that maintains the browse list you see in My Network Places is mostly
maintained by broadcasts that are not allowed past routers unless the router
is specifically configured to do such. It would be a good idea to try and
scan your networks public IP address from outside your network to make sure
their are no unauthorized holes in your firewall or at the very least try a
self scan site such as http://scan.sygatetech.com/ .