
Can I block internet access for users not logged to the domain?


kopja

Technical User
Jul 20, 2005
63
US
Hi all. We have an internal domain, using Active Directory and Windows Server 2003 Standard. We use a WatchGuard firewall to protect the network. The issue is we share the same building with a few other offices, and I noticed in the firewall web reports that computers from the other offices (the computer names have the domain of the other company) have been using our internet. Now, if a computer is physically connected to the internal network, is there a way to block internet access until they actually log in to our internal domain? As it is, I can bring my laptop from home, hook it up, and browse the internet (I can't see internal network drives of course, but I can ping them).

Thanks in advance.
I checked the firewall, but it only has an option to block by internal IP, not by computer name which does not help as the computer at this point does have an internal IP.
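One way to build the "domain logon before internet" control the thread arrives at, as an added example and not something posted in the thread: a Squid configuration (Squid is assumed as the proxy; it is not named here) that accepts only Kerberos logons from the Active Directory domain and denies everything else. Realm, proxy hostname, helper path and address range are placeholders; note that this enforces a domain account, not a domain-joined machine, and it only restricts anything if the firewall permits outbound web traffic from the proxy's internal IP alone.

```squid
# Added example (not from the thread). Placeholders: CORP.EXAMPLE = AD realm,
# proxy.corp.example = proxy host, 192.168.10.0/24 = wired LAN range.
# A keytab for HTTP/proxy.corp.example@CORP.EXAMPLE is assumed to exist on the
# proxy; the helper path differs by distribution.

# Negotiate (Kerberos) authentication against Active Directory.
# No basic-auth fallback is configured, so there is no shared password to hand out.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.corp.example@CORP.EXAMPLE
auth_param negotiate children 20 startup=5 idle=1
auth_param negotiate keep_alive on

# Only the wired LAN may talk to the proxy at all.
acl wired_lan src 192.168.10.0/24

# A request is accepted only once the client has presented valid domain credentials.
acl domain_user proxy_auth REQUIRED

http_access deny !wired_lan
http_access allow domain_user
# Everything else (no ticket, wrong realm, foreign machine) is refused.
http_access deny all

http_port 3128

# Pairing on the firewall (which, as noted above, filters by internal IP):
# allow outbound 80/443 from the proxy's address only, deny it from the rest
# of the wired range, so bypassing the proxy gives no internet access.
```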
 
Are they connecting via wireless? If not, then you could use RRAS or statically assign all your domain PCs an IP and stop DHCP.
 
Thanks for the reply dberg.

They are physically connecting somewhere.
I have about 50 computers on my network, plus a variety of anti-spam server, CCTV box, HVAC systems etc. Is there any other way to do this (other than statically assigning DHCP)?
One of the servers is also the DNS server; perhaps there is a way to block non-domain users there?

 
Well, you need to isolate your network somehow. If they are connecting via hardwire then you need to figure out how. Look at other firewalls or look at doing RRAS internally, although it is commonly used for remote access. I would look at the first: isolate your network and find how they are connecting. Solarwinds.com has a lot of free software that can help you with this.
 
Any particular one that you think is useful?
I am not sure how to isolate my network where the other company has physical access. It is easy enough on the network shares to set permissions where only domain users can get in, but for the internet?
 
A question you never answered: is there wireless on your network?
 
If there is no wireless involved then I'd make sure that none of your unused wall ports are connected to your switches.

In my case, I needed the ability for clients and auditors to connect to the Internet so I set up a DMZ for our boardroom wall ports. All other ports not in use are dead. If a user wants to use a dead port then they make a request and I move them and deactivate their old port.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
 
dberg, yes, there is wireless on the network, but it is separate from the physical network (the firewall is configured to handle them separately and block access from wireless to internal, and they have different IP ranges: 192.168.xxx.xxx for wired and 192.168.YYY.YYY for wireless). The computer in question is connecting via the wired network, as the IP matches the range of the wired network.

cmeagan, that is a good idea, I will do that. However, my boss now wants any computer that is internal to log in to the domain before it can have internet access. In other words, people should not be able to just plug their home laptop into the wired network and get internet access (they should use the wireless instead). Any suggestions?

 
Well, if you disable all ports that don't have company equipment attached to them, and set a written policy stating that ONLY company-owned equipment can be attached to the wired network, then you can discipline employees who violate the policy.

If you disable all ports not used by company equipment then a user would have to unplug the company equipment from the network in order to plug in their home laptop.

Hope this helps.

 
But is there a way to enforce that (other than with written company policies)?
 
I know of no way to enforce it. In our case, the first violation resulted in a 1/2 day suspension without pay. There was only one violation. Everyone got the message that we were serious after that.

Hope this helps.

 
First - it's critical to find that access breach. It's opening up major holes in your company, and though I trust my neighbors, I don't hand them my checkbook.

Second - you can install a proxy server to filter all Internet traffic through the proxy, and give only your team access to the password. That can be brutal at the beginning (I've seen some pretty bad proxy implementations), but at least you can filter the traffic.

There are more discussions on Google about setting up a proxy - the functionality is built into many Linux distros.

Hope that helps...

RSA Corp - Houston, TX
Technical Assistance Center
 
- you can install a proxy server to filter all Internet traffic through the proxy, and give only your team access to the password.
The only problem with that is kopja also wants to keep his own users from plugging their home laptop into a wall port and getting Internet access. If he gives his staff access to the password, there is nothing stopping his staff from using it to access the Internet from their home laptop.

Hope this helps.

 
Configure the proxy to only allow users logged on to the domain access to the internet.

-------------------------------

If it doesn't leak oil it must be empty!!
 