Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Preventing Unnauthorized Win 95/98 PCs on our network.

Status
Not open for further replies.

AMCSE

Technical User
Oct 16, 2001
24
US
We have unnauthorized users coming onto our network with WIN95/98 PCs and getting an IP address via DHCP. Is there a way to keep these users from receiving an IP address? We are an NT 4.0 domain running NT 4.0 workstation with some 2000 Professional PCs.
 
How are they getting on your network. Are they logging in with valid user names and password?

If so, find out which users are doing it, and then restrict those logins to the appropriate machines.

Hope this helps... mot98..[peace]

"Where's the beer?"
 
The users are not logging into the domain. They are simply gaining an IP connection to the network. I want to ensure that WIN95/98 machines do not receive an IP address.
 
I am confused as to how they are getting a IP address from the server without logging on to it. Is the DHCP running from a NT Domain Controller or another device on the network?

How are these users getting to your network in the first place. Are they visitors 'plugging in' or coming in through another route?

How is the network set up? Do you have a fixed number of pc's on the network? The final solution (although not perfect) is to stop DHCP on the server and assign IP address manually.
 
AMSCE is right, you don't need to login to domain to get an IP, basically is you weren't issued an IP before you login than frankly you would never log in. An easy way to see this is by plugging a machine to ur network and using IE...voila.

I'm not sure about your problem though, im thinking the only solution is to say goodbye to DHCP and use only static IP, but might be more problems than its worth. WAIT another way you can do is by assigning a reservation for all stations on ur network, but again will probbably be a headache

Good luck
Nick
 
Only way I can think of is to manually configure the 95/98 workstations to have no IP....??? Don't know if this is an option for you....???
 
When a dhcp client first boots up it sends out a broadcast message looking for a dhcp server. There is no authentication process involved. The dhcp server simply responds with an available ip address.
 
To NickS:

Thanks for your comments. I was having a difficult time getting people to understand what my problem is.

AMSCE
 
That's an interesting one.

I have never tried this but it might work, its the only thing I can think of.
Create a New Scope
Get the MAC address of the 9x clients who are unauthorised and create a reservation on the new scope for that MAC address with an IP address that does not exist on your network. So the client will get an IP but it won't be one on your network.

Might work Might not. But you will need the MAC address and if they change their NIC they will get a valid address. Not the best solution...
 
At my school (im a senior in high school) we have the worst computer technology in the area. Many teachers decided to buy their own computers for their rooms, however, they are not allowed to connected to the district network (NT4). The BOFH says he will not do it because it will cost several hundered dollars for each computer added to the network AND they will require the services of an outside computer consulting company. During class I connected a teacher's personal computer (win98) to the network with no problem. About a month later the sysadmin found out and disconnected all the horozontal cable from the hub to the rooms that did not have "authorized" computers.

You could simply disconnect all the network ports that do not have a computer all ready connected to them. Then there will be no point of access to the network from unauthorized computers. When a port needs to be used just go to the wiring closet and plug in the correct cable into the port.
 
Also, I just remembered....

At Penn State University, they only allow computers with authorized NICs/MAC Addresses. All students must register their MAC address prior to logging in to the network. Instead of not allowing only certain MAC addresses you can only allow those addresses of the authorized computers. Not a good idea if your network is large though.


 
Theoretically, NT permissions should prevent the average user from being able to access your network resources without authenticating to the network. Of course, anyone determined enough can get in. . . ;)

Also, I know you mention the unauthorized users are using Win9x, but event WinNT and Win2k clients who aren't members of the domain can plug in and obtain an IP address from your DHCP server.

If the 9x clients that are connecting to your network aren't setup with your domain name as their workgroup, it will create another step for them to be able to browse your network from Network Neighborhood.

IMHO, I agree with weberdude, disconnect all network drops not in use. I do it here. Whenever a field rep or someone comes in w/ a laptop and needs Inet access, they have to tell me so I can plug in the connection for them in the switch room. Then I know who's using the network and can keep an eye on them.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top