
Prevent users from using laptops

Status
Not open for further replies.

bustamove

IS-IT--Management
May 27, 2003
171
CA
Hi,

We have a Windows based network running a W2K3 DHCP server. We have a lot of users who bring their own laptops and plug them into the network. Is there an easy way to stop them doing this? i.e. don't assign any address or block internet access. The laptops range from Windows 98 to XP, and MacOS.

Many thanks
 
The usual way to do this is:

1. Implement MAC address filtering on switches or routers; however, this can cause a lot of hassle for admins.

2. Use 802.1X with something like a RADIUS server to authenticate clients.
 
Thanks, I am aware of MAC address filtering, but we have something like 800 computers with 5 staff members; as you said, we gave up because of the hassle. We thought about static IPs, but again, gave up. Could you point out some directions for the second setup, any web links? But again, we want authenticated users to use their laptops (like senior people) but not everybody. Is there a lot of admin overhead for the second option?
 
Implementing 802.1X authentication is best done in conjunction with a RADIUS server. You may implement a RADIUS server separately or as a part of an NT Domain or Active Directory. The payoff for centralized authentication is significant, as it is one of the best ways to effectively manage usage and prevent rogues.
Windows XP ships with its own RADIUS client, or you can use 802.1X switches and routers.
Try the following link for more information.

 
Should have been: "and you can use 802.1X routers and switches".
You require:

- client
- authenticator (the switch)
- authentication server (RADIUS)
 
Thanks again. I am reading it now.

One more stupid question. Do we have to reconfigure all the 800 computers, which include about 50 pre-XP Windows, 30 Mac, 15 Linux/UNIX and 15 OS/2?

 
Not sure if this is of any help, but we have offsite people who stop by our office and want to get their laptops online. Our system is configured to allow computers that have been manually given permission onto the network. Each computer, when set up, is registered on the server. If the computer has not previously been given permission, it cannot authenticate and the only thing it will be able to access is the internet. Keeps them clear of my network.

It also sounds as if a policy needs to be in place about personal computers and laptops being brought into a private network. It's one thing for the executives to have them, but when a CowOrker (from the secretarial pool or an accounting clerk for example) starts bringing in personal laptops, I'd not only wonder why but I'd be concerned about ulterior motives.
 
You could probably do it via GPO and deliver it to clients that way...

Another thought is using something like Microsoft ISA Server and forcing authentication that way.

This would prevent users from using the internet but not from connecting to the network.
 
Erm, am I missing something? People bring in laptops and connect them to the network? So you allow illegal software (yeah, everyone buys Office 2003 Full Edition?), trojans, spyware, viruses, hacking tools, key loggers and porn on your network? Not to mention people bring in laptops and download customer files, financial data, employee data, personal information, product pricing etc. and the bosses are OK with that, not to mention the Data Protection Acts.

Give up and write the CV.

First, get an IT policy written, get the top dog to sign it off and implement it (forget about Christmas cards 'cos you won't get them anymore after this).

Second, enforce the above.

I would look at implementing an ISA Server with IPsec; that way you can start getting your network back.

Good Luck!

Iain
 
Iain is so right here that I'm going to, basically, say the same thing to ram the point home.

I am a network admin and I wrote our company's IT policy. No one is allowed to plug a laptop into our network.

However hard it is to manage a secure network (and it is hard: starting with impressing upon the MD what can and does happen if security is ignored) it's a fraction of the work recovering from damage caused by a hacker/virus.

I speak here from very bitter experience that includes, amongst other 'orrible jobs, repairing 30 hosts from damage that was done by a user thinking that a BRAND SPANKING NEW laptop would be ok:

1. Laptop taken out of box
2. Laptop connected via home to internet (10 mins max)
3. Laptop connected to our network (2 mins max)

That's all it took. Then the network just stopped working and the whole business fell right apart for 2 days.

You have 20x more hosts to fix if everything goes batpoo.

If you do not have complete control over every machine plugged into your network then you are, effectively, circumventing ALL your own security measures. You might as well switch off your firewall and plug straight into the internet.

Paranoia is a wonderful thing: get paranoid now or learn to be paranoid the hard way like I did (and, to tell you the truth, I was paranoid about security before the above happened).

Hope you find a solution you're happy with.
Sam
 
Well, what can you do? If you hear that we have 5 people managing a network of 800 computers + 50 printers, you know that management / policies do not stand in our corner.

Our policy is to let IT check personal laptops (patch if necessary) before they can be plugged in, but they can't wait for it / we don't have time to finish it in half an hour, because the network manager himself is on his knees busy replacing a noisy power supply... :)

Actually, I am now looking at something like ZoneLab's Integrity agent software to replace the manual work. But the bottom line is, you need to let them use it eventually as a part of their business need.
 
Hi Bustamove, so just to get this straight: you have a 2003 domain and the security it provides.
A couple of questions spring to mind. First and foremost, when you say peeps bring in their laptops and plug them into the network, what info exactly are they able to get access to? Is it just so they can have internet access through the proxy, or are they actually logging the laptops onto the domain?
Internet access can be blocked through a GPO, in which you specify a 'dumbvalue' in the proxy address for all except authorised users / machines, who would come under a separate GPO. Remember a GPO is effectively a software firewall, permit / deny. Much more could be achieved through using ISA 2004, where only authenticated users can get through.
If however you are saying they are actually logging their machines onto the domain, that is a whole new problem, starting with ... so they have access to the admin password necessary to join a node to the domain, etc.
Of course education is a great tool. I am network manager at 2 large schools that share in excess of 500+ nodes; I have one tech at each school and 1000 kids who love to find loopholes... Do what I do: persistent offenders are locked out, period. Funny how the message starts to sink in.
 
Hi,

1. You should have the use of laptops prohibited in your organisational policies; this should have management buy-in, and have actions taken against users who break it.

2. This can be enforced by technology. Port security using only authorised MAC addresses is the most obvious way; however, yes, this does create a lot of overhead. If you have higher end switches you can use VMPS (VLAN Management Policy Server) to help you manage this. Again, 802.1X - Port Based Network Access Control can also be implemented, but this all increases the admin overhead. And to be honest, open tools like macof, which facilitate spoofing, can overcome port security. It does not take a very knowledgeable person to use this. Therefore, org policy is needed. Yes, you can use tools to mitigate this like arpwatch and more commercial sector tools.

At the end of the day, there is only so much you can do to reduce risk from internal users; that's what you have screening processes and policies/procedures for. In the short term, until you create a culture of users knowing they can't use laptops, I would spend the time and use port security.

Christopher McGill
CCSA, CCNA, MCP
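The "registered computers" approach a few posts up and the arpwatch-style monitoring mentioned just above can both be approximated from the W2K3 DHCP server's own audit log, which records every lease with the client's MAC address. The script below is an added example, not code from this thread: it parses constructed lines modelled on the comma-separated DHCP audit log format (ID,Date,Time,Description,IP Address,Host Name,MAC Address) against an assumed allowlist of IT-registered MACs, reports leases handed to unregistered devices, and flags a registered MAC that turns up under more than one host name, which is what a cloned address from a tool like macof tends to look like.

```python
"""Flag unregistered devices in Windows DHCP server audit-log lines.

Added example (not from the thread). Log lines are constructed, modelled on
the DHCP audit log format: ID,Date,Time,Description,IP Address,Host Name,MAC.
Event ID 10 = new lease issued, 11 = lease renewed; other IDs are service events.
"""
from collections import defaultdict

# Constructed allowlist: MACs that IT registered when setting the machines up.
REGISTERED_MACS = {"00AABBCCDD01", "00AABBCCDD02"}

# Constructed sample log (an unregistered laptop, and a registered MAC reused).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/27/03,08:00:00,Started,,,,
10,05/27/03,09:01:12,Assign,10.0.0.21,DESK-001.corp.example,00AABBCCDD01,
11,05/27/03,09:02:40,Renew,10.0.0.22,DESK-002.corp.example,00AABBCCDD02,
10,05/27/03,09:15:02,Assign,10.0.0.90,MYLAPTOP,00DEADBEEF01,
10,05/27/03,09:20:30,Assign,10.0.0.23,DESK-003.corp.example,00AABBCCDD01,
"""

LEASE_EVENTS = {"10", "11"}


def parse_lease_events(log_text):
    """Yield (mac, ip, host) for new/renewed leases; skip header and service lines."""
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 7 or fields[0] not in LEASE_EVENTS:
            continue
        # Normalise MAC so 00-aa-bb..., 00:aa:bb... and 00AABB... compare equal.
        mac = fields[6].strip().upper().replace("-", "").replace(":", "")
        yield mac, fields[4].strip(), fields[5].strip()


def audit_leases(log_text, registered):
    """Return (unregistered leases, registered MACs seen with several host names)."""
    unregistered = []
    names_by_mac = defaultdict(set)
    for mac, ip, host in parse_lease_events(log_text):
        names_by_mac[mac].add(host)
        if mac not in registered:
            unregistered.append((mac, ip, host))
    # One MAC answering to several host names suggests a cloned/spoofed address.
    suspicious = {m: sorted(n) for m, n in names_by_mac.items() if len(n) > 1}
    return unregistered, suspicious


if __name__ == "__main__":
    unreg, susp = audit_leases(SAMPLE_LOG, REGISTERED_MACS)
    for mac, ip, host in unreg:
        print(f"UNREGISTERED lease: {mac} {ip} {host}")
    for mac, names in susp.items():
        print(f"MAC {mac} seen under several host names: {names}")
```

On a real server the audit log lives in the DHCP service's log directory and rotates daily, so the same functions can be run over each day's file instead of the embedded sample.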
 