prevent unauthorized laptops from using a network

  • Thread starter: Arnold

Arnold

I am sorry, but I am new to Windows 2000; I've been using Linux for the last
couple of years. Brought in to help a client with their Unix environment, they
asked me if I could do this too.

How do I prevent unauthorized laptops from using a network that uses
DHCP for dynamic addressing? I do not want users coming in with laptops from
home (because they don't like their Gateway desktops), plugging into any port,
getting an IP address and being able to log on to my network.

I run Win2000 Server.
I have WinXP & Win2000 Pro for desktops.

Thank you
Arnold
 
Hello Arnold,
At present there is no option to do this within Windows.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Arnold,

I haven't a clue how to approach this from a server standpoint, but some
switches have security settings you can enable. My Cisco switches, for
example, have a port-level security setting that allows them to lock down a
particular port based on MAC addresses. This certainly isn't foolproof,
though, since many network cards allow you to change their MAC addresses.

matt

(remove all uppercase letters from my email address to reply)
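
The port-level MAC lock-down matt describes, sketched as a Cisco IOS access-port configuration. This is an added example, not part of the original posts: the interface name, description and MAC address are constructed placeholders, and exact syntax and feature availability vary by switch model and IOS version.

```cisco
! Constructed example: one user-facing access port on a Catalyst-style switch.
! FastEthernet0/5 and the MAC address below are placeholders, not values
! from the thread.
interface FastEthernet0/5
 description Desk port for one known workstation
 ! Port security only applies to ports in static access (or trunk) mode.
 switchport mode access
 ! Turn the feature on for this port.
 switchport port-security
 ! Allow exactly one source MAC address on the port.
 switchport port-security maximum 1
 ! Option A: pin the workstation's address by hand.
 switchport port-security mac-address 0000.1111.2222
 ! Option B (instead of A, where supported): learn the first address seen
 ! and store it in the running configuration.
 ! switchport port-security mac-address sticky
 ! On a violation, drop frames from the unknown address and count/log the
 ! event. "shutdown" would err-disable the port instead; "protect" drops
 ! silently with no log entry.
 switchport port-security violation restrict
!
! Unused wall ports: keep them administratively down until assigned.
interface FastEthernet0/6
 description Unassigned wall port
 shutdown
!
end
!
! Checks to run after applying the configuration:
!   show port-security
!   show port-security interface FastEthernet0/5
!   show port-security address
```

The violation counter in `show port-security` is what tells you a foreign machine was plugged in. As matt's post says, the control keys on the MAC address alone, so it deters casual use rather than authenticating the device.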
 
Other than control at the switch level, if you are using a W2K domain you could
implement IPsec with a "require" policy. The result is that non-domain computers
would not be able to access those computers with a require IPsec policy due to the
fact that Kerberos machine authentication would fail. You would have to make sure
that you disable the ability for authenticated users to add workstations to the
domain however of which they can do ten times by default. Also there is a limitation
with domain controllers in that from what I know currently will not work with a
require policy and other domain members that will require a separate rule to exempt
IPsec traffic between them and domain members. You could configure IPsec to use AH
only to reduce the overhead of ESP encryption. This will not prevent them from
getting a DHCP IP address, which in itself has limited security value as a user could
simply configure their computer with static IP info to access the network. Also
consider a strict user policy with defined consequences and check with the powers
that be that it will be enforced. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;254949
 