
Preventing Unauthorized Win 95/98 PCs on our network.

Status
Not open for further replies.

AMCSE

Technical User
Oct 16, 2001
US
We have unauthorized users coming onto our network with WIN95/98 PCs and getting an IP address via DHCP. Is there a way to keep these users from receiving an IP address? We are an NT 4.0 domain running NT 4.0 workstation with some 2000 Professional PCs.
 
How are they getting on your network? Are they logging in with valid user names and passwords?

If so, find out which users are doing it, and then restrict those logins to the appropriate machines.

Hope this helps... mot98..[peace]

"Where's the beer?"
 
The users are not logging into the domain. They are simply gaining an IP connection to the network. I want to ensure that WIN95/98 machines do not receive an IP address.
 
I am confused as to how they are getting an IP address from the server without logging on to it. Is the DHCP running from an NT Domain Controller or another device on the network?

How are these users getting to your network in the first place? Are they visitors 'plugging in' or coming in through another route?

How is the network set up? Do you have a fixed number of PCs on the network? The final solution (although not perfect) is to stop DHCP on the server and assign IP addresses manually.
 
AMSCE is right, you don't need to log in to the domain to get an IP. Basically, if you weren't issued an IP before you log in, then frankly you would never log in. An easy way to see this is by plugging a machine into your network and using IE...voila.

I'm not sure about your problem though. I'm thinking the only solution is to say goodbye to DHCP and use only static IPs, but that might be more problems than it's worth. WAIT, another way you can do it is by assigning a reservation for all stations on your network, but again that will probably be a headache.

Good luck
Nick
 
Only way I can think of is to manually configure the 95/98 workstations to have no IP....??? Don't know if this is an option for you....???
 
When a DHCP client first boots up it sends out a broadcast message looking for a DHCP server. There is no authentication process involved. The DHCP server simply responds with an available IP address.
 
To NickS:

Thanks for your comments. I was having a difficult time getting people to understand what my problem is.

AMSCE
 
That's an interesting one.

I have never tried this but it might work, it's the only thing I can think of.
Create a New Scope
Get the MAC address of the 9x clients who are unauthorised and create a reservation on the new scope for that MAC address with an IP address that does not exist on your network. So the client will get an IP but it won't be one on your network.

Might work, might not. But you will need the MAC address, and if they change their NIC they will get a valid address. Not the best solution...
 
The first thing that I think of is a firewall.
 
At my school (I'm a senior in high school) we have the worst computer technology in the area. Many teachers decided to buy their own computers for their rooms; however, they are not allowed to connect to the district network (NT4). The BOFH says he will not do it because it will cost several hundred dollars for each computer added to the network AND they will require the services of an outside computer consulting company. During class I connected a teacher's personal computer (win98) to the network with no problem. About a month later the sysadmin found out and disconnected all the horizontal cable from the hub to the rooms that did not have "authorized" computers.

You could simply disconnect all the network ports that do not have a computer already connected to them. Then there will be no point of access to the network from unauthorized computers. When a port needs to be used just go to the wiring closet and plug in the correct cable into the port.
 
Also, I just remembered....

At Penn State University, they only allow computers with authorized NICs/MAC Addresses. All students must register their MAC address prior to logging in to the network. Instead of not allowing only certain MAC addresses you can only allow those addresses of the authorized computers. Not a good idea if your network is large though.
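
The unauthenticated DHCP broadcast described earlier in this thread and the registered-MAC check mentioned in the post above, as an added example that is not part of the original thread. The packet builder, the sample MAC addresses, hostnames and vendor-class strings, the `AUTHORIZED` list and the decision labels are all constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
AUTHORIZED = ["00-00-5E-00-53-01", "0000.5e00.5302"]  # constructed registered MACs

def build_discover(mac, hostname, vendor_class):
    """Constructed sample DHCPDISCOVER (RFC 2131 layout) so the example runs offline."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                      b"", b"", b"", b"", bytes.fromhex(mac.replace(":", "")), b"", b"")
    opts = b"\x35\x01\x01"  # option 53 = 1 (DHCPDISCOVER)
    for code, val in ((12, hostname), (60, vendor_class)):
        opts += bytes([code, len(val)]) + val.encode("ascii")
    return hdr + MAGIC + opts + b"\xff"  # option 255 ends the list

def parse_request(pkt):
    """Extract what the server sees. Every field is asserted by the client."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC or pkt[2] > 16:
        raise ValueError("not a DHCP packet")
    info = {"mac": pkt[28:28 + pkt[2]].hex(":"), "msg_type": None,
            "hostname": None, "vendor_class": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, val = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 53 and len(val) == 1:
            info["msg_type"] = val[0]
        elif code == 12:
            info["hostname"] = val.decode("ascii", "replace")
        elif code == 60:
            info["vendor_class"] = val.decode("ascii", "replace")
        i += 2 + len(val)
    return info

def normalize_mac(mac):
    """Reduce 00-00-5E..., 00:00:5e... and 0000.5e00... to the same 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def lease_decision(pkt, authorized=AUTHORIZED):
    """Hypothetical policy: offer a lease only to registered MACs, log the rest."""
    info = parse_request(pkt)
    known = normalize_mac(info["mac"]) in {normalize_mac(m) for m in authorized}
    info["decision"] = "offer" if known else "ignore-and-log"
    return info

if __name__ == "__main__":
    print(lease_decision(build_discover("00:00:5e:00:53:99", "VISITOR", "MSFT 98")))
```

The request carries no credential at all: the MAC, hostname and vendor class are whatever the client chooses to send, so the registered-MAC check works as an inventory control rather than as authentication.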


 
Theoretically, NT permissions should prevent the average user from being able to access your network resources without authenticating to the network. Of course, anyone determined enough can get in. . . ;)

Also, I know you mention the unauthorized users are using Win9x, but even WinNT and Win2k clients who aren't members of the domain can plug in and obtain an IP address from your DHCP server.

If the 9x clients that are connecting to your network aren't set up with your domain name as their workgroup, it will create another step for them to be able to browse your network from Network Neighborhood.

IMHO, I agree with weberdude, disconnect all network drops not in use. I do it here. Whenever a field rep or someone comes in w/ a laptop and needs Inet access, they have to tell me so I can plug in the connection for them in the switch room. Then I know who's using the network and can keep an eye on them.
 