How are the 'non domain' computers getting access to the SBS network, i.e.
wired, wireless, VPN, or ?
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:4209C64A-3866-41BE...@microsoft.com...
However, if your security and authentication practices are tight, it
shouldn't matter.
What issue are you trying to address?
--
Henry Craven {SBS-MVP}
CI Information Technology
----------------------------------------------------
Melbourne SBS Users Group
http://groups.yahoo.com/group/melb-SBSusers/
"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:4209C64A-3866-41BE...@microsoft.com...
But as Henry mentioned, you could limit the DHCP scope to the exact number
of PCs you want to allow. There are probably other ways as well.
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:A5CDAB16-3873-44FD...@microsoft.com...
If you're going to rely on technology to prevent this kind of behaviour, it
will never end. There will be other abuses, and you'll be continually trying
to find ways to prevent users from doing things that should simply not be
allowed by way of company policy.
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:FF034385-2FAA-4176...@microsoft.com...
On the IT side, I'd limit the IP scope to the exact number of PCs on the
LAN, and assign IP reservations to those workstations via their MAC
address. If anyone then goes to the bother of spoofing a MAC address to
connect to the LAN they should be summarily dismissed.
I hope your security groups, shares and permissions are properly configured
and the users aren't walking away with the company data and software...
(your potential scenario sounds more than a little frightening)
--
Henry Craven {SBS-MVP}
CI Information Technology
----------------------------------------------------
Melbourne SBS Users Group
http://groups.yahoo.com/group/melb-SBSusers/
"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:FF034385-2FAA-4176...@microsoft.com...
There are a number of other solutions to consider:
1. One of the most effective solutions is to use IPSec AH (authentication
only, so no encryption overhead). Enabling IPSec on your server and
workstations will only allow domain computers to communicate with each
other. With this solution IPSec has to be configured to provide
unrestricted access for DHCP, DNS and any network equipment that doesn't
support IPSec. This means that any computer will be able to communicate
with DHCP and DNS, and rogue computers will still be 'connected' to the
network, but they will be unable to communicate with any of your domain
computers or gain access to the internet. Microsoft calls this Domain
Isolation.
Documentation on configuring IPSec can be found at www.microsoft.com/ipsec/
2. You could use switches which support 802.1x authentication. In this
case the authentication has to take place before any access is provided to
the network. Unfortunately this isn't without problems. 802.1x
authentication has a known flaw related to the authentication only
taking place once, prior to connection; once connected, packets aren't signed,
etc. A rogue system could take over the IP and MAC address of an
authenticated system, giving it access to the network.
3. Similar to reserving IPs for specific MAC addresses and using a DHCP
scope with the exact number of network computers, you could make use of DHCP
Classes. DHCP Classes allow you to set up a class field on your DHCP scope.
Workstations are then configured with this class, and when requesting network
details from your DHCP server they provide this class, which then tells the
DHCP server which scope to use. If a rogue workstation connects to the
network without the correct class it will not be assigned any network
details. Again, this is not a secure solution and is easily overcome.
Q240247 (http://support.microsoft.com/kb/240247/EN-US/) and Q235272
(http://support.microsoft.com/default.aspx?scid=kb;en-us;235272) have
instructions on configuring this on a Win2k DHCP server.
From a security point of view the main solution, which requires only the time
to configure it, is IPSec. One stage further would be to use IPSec with
802.1x switches in an attempt to keep the rogue systems off altogether,
with the peace of mind of the IPSec AH between authorised systems.
--
Hth,
Stuart Mackie
www.stu.uk.com
MCSA: & MCSE: Security
"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:4209C64A-3866-41BE...@microsoft.com...
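The two DHCP-side controls raised in this thread (Henry's MAC reservations with a scope sized to the known PCs, and Stuart's DHCP User Class matching) both key on fields the client itself supplies. The following is an added example, not code from any of the posters or from the Windows DHCP server: a small Python model of a DHCP server's decision logic that parses the option field of a constructed DHCPDISCOVER, reads the User Class option (77), consults a reservation table, and chooses which configuration to hand back. The MAC addresses, class name "CorpWorkstation", addresses and option sets are invented for the example. What it makes visible is that the reservation table and the class string decide who receives usable configuration, not who can transmit on the wire, which is the limitation both Henry and Stuart point out.

```python
"""
Added example (not from the thread): a toy model of DHCP MAC reservations
and DHCP User Class (option 77) handling on the server side.
All names, addresses and the class identifier below are constructed.
"""
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 option-field prefix
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_USER_CLASS = 77
OPT_END = 255

# Constructed reservation table: known workstation MACs -> fixed addresses.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.16.21",
    "00:11:22:33:44:66": "192.168.16.22",
}
# Constructed class identifier that the managed workstations are configured to send.
TRUSTED_CLASS = b"CorpWorkstation"
# Full configuration for recognised clients; address-only, short lease otherwise.
FULL_OPTIONS = {"router": "192.168.16.2", "dns": "192.168.16.2", "lease": 8 * 3600}
RESTRICTED_OPTIONS = {"lease": 60}


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP option TLVs that follow the magic cookie (RFC 2132)."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def user_classes(opts: dict) -> list:
    """Return the class identifiers carried in option 77.

    RFC 3004 frames option 77 as a list of length-prefixed identifiers, but
    the Windows DHCP client historically sends the bare class string; if the
    RFC framing does not decode cleanly, the whole value is taken as one class.
    """
    raw = opts.get(OPT_USER_CLASS)
    if raw is None:
        return []
    classes, i = [], 0
    while i < len(raw):
        n = raw[i]
        chunk = raw[i + 1 : i + 1 + n]
        if len(chunk) != n:
            return [raw]             # not RFC 3004 framed: treat as bare string
        classes.append(chunk)
        i += 1 + n
    return classes


def decide(mac: str, opts: dict) -> dict:
    """Choose the offer for a client: reservation first, then class, else restricted.

    Both keys (chaddr and option 77) are set by the client and unauthenticated,
    so this governs configuration hand-out only, not link access.
    """
    if mac in RESERVATIONS:
        return {"address": RESERVATIONS[mac], "options": FULL_OPTIONS, "reason": "mac reservation"}
    if TRUSTED_CLASS in user_classes(opts):
        return {"address": "pool", "options": FULL_OPTIONS, "reason": "user class"}
    return {"address": "pool", "options": RESTRICTED_OPTIONS, "reason": "no match"}


def build_discover(user_class: Optional[bytes]) -> bytes:
    """Build just the option field of a DHCPDISCOVER (constructed; fixed header omitted).

    The client MAC lives in the fixed header's chaddr field, so it is passed to
    decide() separately rather than encoded here.
    """
    body = bytes([OPT_MSG_TYPE, 1, 1])               # message type 1 = DHCPDISCOVER
    if user_class is not None:
        body += bytes([OPT_USER_CLASS, len(user_class)]) + user_class
    return MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    for mac, cls in [("00:11:22:33:44:55", None),
                     ("aa:bb:cc:dd:ee:ff", b"CorpWorkstation"),
                     ("aa:bb:cc:dd:ee:ff", None)]:
        print(mac, cls, decide(mac, parse_options(build_discover(cls))))
```

Run as a script it prints the three cases: a reserved MAC gets its fixed address, an unknown MAC sending the expected class gets a pool address with full options, and an unknown MAC with no class gets an address but only a one-minute lease and no router or DNS, which is the "no network details" outcome the KB-style configuration aims for.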