Prevent network access

  • Thread starter: Larry

Larry

Is there a way, using Group Policy or not, to prevent non-
domain member computers (usually laptops) from physically
hooking up to the network and then being able to browse
the net and run anything they want? The problem is people
bring in their personal computers, hook up to one of the
many network ports, and then they can go out to the net,
browse the network (they would still have to authenticate
to browse the network), and run programs, scripts,
whatever they wanted. If I could prevent all non-domain
member computers from doing anything that would be great.
I know this function is built into wireless stuff (MAC
address and encryption) but this is a wired network with
many available ports all over the place. Thanks a lot.
 
There isn't a group policy setting to prevent this. Even if there was, it
would not work because group policies only apply to the domain members. The
computers that are giving you this problem are not domain members. You may
be able to handle this from a network level. Some network admins are able
to disable and enable ports when a computer may be a hazard to the network.
That would prevent users from just plugging into any port. Try posting
your question in the networking newsgroup. Someone there may be able to
provide a solution.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
You can use Group Policy to prevent users on non-domain machines from accessing
domain resources by implementing IPsec policies which use Kerberos as machine
authentication in a domain/forest. Only W2K/XP Pro/W2003 computers are IPsec aware.
IPsec, however, is something that should not be implemented without thorough testing
before rolling out. That would not prevent users from accessing the internet, however.
For blocking total access you would need to invest in switches that manage traffic
based on MAC addresses or use something like ISA proxy server to control internet
access. Either way is not cheap, running probably into the thousands of dollars and a
learning curve.

The appearance of worms like Blaster brought many networks to a complete halt because
of users plugging their laptops into the network. Also keep in mind that a user does
not have to log onto the domain [assuming no IPsec policies] to access domain
resources. If they have created local accounts on their computers matching user
logon/password of the domain account, then they can get access. I would highly
recommend implementing a strict user policy [signed copy in their files] that states
that personal computers are not allowed on the network without written approval and
what the consequences will be. You must follow up on the consequences or everyone
will ignore it. Good luck. --- Steve

http://www.microsoft.com/security/protect/
http://support.microsoft.com/?kbid=254949 -- Must read before implementing IPsec.
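
Added example, not part of the posts above: one way to build the kind of IPsec policy Steve describes (Kerberos machine authentication, so non-domain machines cannot negotiate) with the netsh ipsec context on a Windows Server 2003 lab member server. All names are constructed, and the scope is narrowed to inbound file sharing on TCP 445 as an assumption; domain clients need a policy that responds to the negotiation, such as the built-in "Client (Respond Only)".

```bat
@echo off
rem Added example. Names are constructed; run on a lab member server, not a DC.
set POLICY=Lab-DomainIsolation
set FLIST=Lab-InboundSMB
set FACTION=Lab-RequireIPsec

rem 1. Create the policy unassigned so nothing changes until it has been tested.
netsh ipsec static add policy name="%POLICY%" description="Require Kerberos-authenticated IPsec for SMB" assign=no

rem 2. Match traffic from any host to this server's TCP 445, and the replies.
rem    Assumption: file shares are the domain resource being protected.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

rem 3. Negotiate security with no fallback.
rem    soft=no   : do not fall back to clear text for peers that cannot do IPsec
rem    inpass=no : do not accept unsecured inbound traffic while negotiating
rem    With soft=yes, a non-domain laptop would still be let through unsecured.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate soft=no inpass=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Bind filter list and action in a rule that authenticates peers with
rem    Kerberos, which only machines with a domain/forest account can complete.
netsh ipsec static add rule name="Lab-RequireKerberos" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem 5. Review the result before assigning anything.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem To activate after testing:
rem   netsh ipsec static set policy name="%POLICY%" assign=y
```

The policy only guards access to this server's shares; as the post says, it does nothing about Internet access from a machine plugged into an open port.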
 