IPsec policies can be used to prevent non-domain computers from accessing domain
resources if the resource computer has an "IPsec require" policy. Note that domain
controllers must be exempt from IPsec negotiation policies for domain members by
adding their IP addresses to a separate rule in the policy with a permit filter
action. IPsec negotiation policies for use of ESP [encryption] or AH [integrity] will
cause some overhead, which can be reduced by using network adapters that do IPsec
encryption or by using just AH instead of ESP. Keep in mind that only W2K/XP Pro/W2003
are IPsec capable, and other computers would be denied access to a computer with a
require policy. Never unleash an IPsec policy on the network without testing it out
ahead of time, including computer reboots and logging back on after the policy has been
implemented.
As others have mentioned, isolating the network may be a good idea. They could be put
on their own switch that has a link to the internet, or use a switch that can do VLANs
or port isolation. I bought an HP 2512 for home use off of eBay and it is the greatest
thing since sliced bread. While VLANs are nice, from what I can tell, if any ports
have to be "tagged" due to more than one VLAN being on the port, the computers on the
tagged port have to be using 802.1Q-compliant network adapters that are properly
configured. Port isolation on my HP 2512 allows various port configuration options to
allow computers to be segregated by ports while sharing ports, if necessary, that
have resources needed for all computers. VLANs are certainly more flexible and offer
better security, however. --- Steve
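As an added example (not from Steve's post), the "require" policy with a permit exemption for the domain controllers that he describes, written with the netsh ipsec static commands of Windows Server 2003; the policy, filter list and rule names and the DC address 10.0.0.10 are assumed placeholders.

```batch
@echo off
rem Added example: "IPsec require" policy with a permit exemption for the domain controllers.
rem Names and the DC address 10.0.0.10 are placeholders (assumed); Windows Server 2003 syntax.

rem 1. Create the policy. It does nothing until it is assigned (last step).
netsh ipsec static add policy name="Require IPsec" description="Require IPsec from all peers except DCs"

rem 2. Filter list matching all traffic to and from this computer (mirrored = both directions).
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

rem 3. Filter list for the domain controllers. The more specific address filter wins over
rem    "Any", so DC traffic is matched here and not by the catch-all rule.
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=Me dstaddr=10.0.0.10 protocol=ANY mirrored=yes

rem 4. Filter actions. "negotiate" with soft=no (no fall back to clear text) and inpass=no
rem    (no unsecured inbound) is the "require" behaviour; "permit" passes traffic untouched.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Permit" action=permit

rem 5. Rules: the DC exemption, and the catch-all that requires IPsec with Kerberos
rem    authentication, which only domain members can complete.
netsh ipsec static add rule name="Exempt DCs" policy="Require IPsec" filterlist="Domain Controllers" filteraction="Permit"
netsh ipsec static add rule name="Require for All" policy="Require IPsec" filterlist="All Traffic" filteraction="Require Security" kerberos=yes

rem 6. Review the policy, then assign it only after testing (reboot and logon included).
netsh ipsec static show policy name="Require IPsec" level=verbose
rem netsh ipsec static set policy name="Require IPsec" assign=y
```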
Marcelo said:
Is there a way of preventing client PCs from accessing the domain? Here in the
office, users "lease" their cubicles and use the resources provided by the company. I
would like to have more control over what they plug into the network and force some
policies on them. Can this be done with IPsec policies?