
Setup a false DNS server, script to correct one


chamberaudio (IS-IT--Management), Mar 16, 2009
I'm looking for some help on solving a security issue within our network. I currently am having an issue with outside laptops being plugged into our network and pulling DHCP services and therefore DNS services.

Can I set my DHCP to give out a false DNS IP (two NICs in server, one set for DNS forwarding, the other is not being used) and have the laptops on my domain still pull DHCP? If so, how can I get the correct DNS IP forced after successfully logging onto the domain? I tried the GPO setting to force DNS server but it does not work.

Is there a vbs I can use to do this? Experienced in vbs, but far from an expert.

I use Win2k3 server w/AD and WinXP clients.

Thank you
 
That doesn't stop them. Nothing is stopping them from hard coding valid info.

Two approaches include a third party security solution such as Cisco's Clean Access, as well as disabling any network port that doesn't have a known valid network resource connected to it.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
We're not working with tech-savvy users, some can't even type their own name correctly. I know it won't stop them completely, but it keeps them from being able to "plug & surf".

Our network is not allowed to have outside software installed on it unless it's been approved by my chain of command. The port disabling doesn't work as they can just unplug what is there and plug their laptop in.
 
Turn off the IP range and set Reservations by MAC address. Tedious, but it works.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
What is your ultimate goal here?? Is it to keep any outside resource off your network no matter what?? Port disabling will work brilliantly if implemented correctly. Most switch vendors offer some form of port-security whereby you can specify how many mac addresses can be dynamically (or statically) learned on a port and if there is a violation it can either automatically shutdown the port or leave the port up but discard traffic from the offending mac address(es).

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ultimate goal is to disable any outside piece of equipment being attached to my network. I issue out the laptops from my supply and they are allowed to use these laptops on any connection in our area of operation. I'm unable to turn ports off or limit the amount of connection made to them because of this.

I'm not dealing with ultra smart users here, only thing they know is that they can hook up their laptop to my connections and get on the internet, bypassing my domain and therefore my GPO.

What I would like is to force any laptop connected to route to my DNS server and give them a false DNS address unless they connect to the AD DC and then issue the correct DNS IP from a script.

Note: The AD DC has 2 NICs, if I understand correctly, I can still access the DC via both NICs and only enable one to do DNS forwarding, that one would be defined in my GPO.

I guess I'll just start with the MAC addresses, hope it works... this will take a good week to finalize.
 
What you could do is, if your switch supports it, use 802.1X port-based authentication. The only problem is that they can go under the supplicant and bypass the Server Certificate validation and the option to use their windows logon info. If they do this then they will be presented with a balloon stating that they need to provide credentials and if they give their normal username and password they will be granted access. You can push these settings out via GPO if you have a 2008 server. If they are as clueless as you say they are then it will be very difficult for them to bypass this.

Another option would be to combine 802.1X with the new Network Policy and Access Services in 2008 server. There is an option in there for the Health Registration Authority to issue heath certificates only for authenticated users which implies that the computer itself is joined to the domain.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
If you are using Cisco switches, you can limit the port to one specific MAC address.
If any other MAC address is detected on that port, it can be shut down immediately, requiring an administrator to re-enable it.
That, along with an email with the words 'up to and including termination' should do the trick.
 
jhenager, look back a few posts, that idea has already been presented.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Unclerico, I am not authorized to upgrade to 2K8 yet, is there a way this can be done using 2K3? Sounds like it would work for me if I could enforce this on 2K3.
 
I don't believe that there is a way to do it natively in 2k3 server. Your best bet is to use a third party NAC solution, but most are hit and miss. If this is a big security threat and a threat that behavioral management/company policy cannot overcome then you need to lay it at your manager's feet, simple as that. Just throwing a 2k8 server on the domain as a member server will allow you to install the directory services tools such as GPMC and it will allow you to push the GPOs out. You will need to update your 2k3 schema but it's painless to do. Also your clients that need to support this (if they are XP) need to have the XMLLite hotfix installed on their machines.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
For a temporary fix, I have been given authority to have every MAC address of every piece of equipment that comes into my area of operation logged and scanned. This is a lawful order handed down from above and must be obeyed. If any equipment is found on my network that has not been logged, its owner must relinquish ownership to our command group.

As far as the upgrade is concerned, it's not just my network that has to be approved, it's a world wide upgrade that has yet to be approved. The IT guys have been pushing for this, it takes a lot of paperwork to get this approved though. Outside software that is not approved cannot be used, so using a third-party program is not allowed, hence the reason I'm trying to do this using the utilities included with Windows.
 
Hey there.

If you have 2003 which is AD integrated I believe you can change the Dynamic Updates to "secure only".

I've read that only machines and user accounts that belong to the network will be able to register a host record on DNS and therefore be able to retrieve an IP address from your DHCP server.

Right click on your DNS server - fwd lookup zone - right click on your desired zone - on the General tab look for Dynamic Updates and select "secure". If you already have secure then my idea is right out the door! :(

good luck and if you try this let me know if it works.

ceez
 
chamberaudio said:
For a temporary fix, I have been given authority to have every MAC address of every piece of equipment that comes into my area of operation logged and scanned. This is a lawful order handed down from above and must be obeyed. If any equipment is found on my network that has not been logged, its owner must relinquish ownership to our command group.

If it's good enough for you then that's all that matters.

chamberaudio said:
As far as the upgrade is concerned, it's not just my network that has to be approved, it's a world wide upgrade that has yet to be approved.

That's understandable.

Ceez said:
I've read that only machines and user accounts that belong to the network will be able to register a host record on DNS and therefore be able to retrieve an IP address from your DHCP server.

You are correct in that the host and ptr records will not be created in DNS, but incorrect in that a host will not obtain a DHCP address. DHCP operation is independent of DNS operation.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I am not sure how big your network is but if it isn't too big, what you could do is set up a DHCP reservation for each user on your network using correct information, then set up a block of DHCP addresses to be given out with a bad gateway and/or bad DNS info. Anyone who plugs in and grabs a DHCP address won't be able to do anything.

I am sure there are other ways but that is the way I would go since my network is only about 30 users. Good luck!

Cheers
Rob

The answer is always "PEBKAC!"
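The MAC-logging approach from chamberaudio's post and the reservation-plus-bogus-scope idea from Rob's post, as an added Python example that is not from any poster: it checks a DHCP lease export against the list of logged MACs, flags devices that were never logged, and emits the `netsh dhcp server ... add reservedip` commands for the approved ones, so that unreserved MACs fall through to the bad-DNS pool. The inventory, hostnames and lease lines are constructed, the lease-export spacing is assumed, and accepting colon, hyphen and Cisco dotted MAC forms goes beyond what the thread mentions.

```python
import re

# Constructed inventory of logged equipment (MAC -> hostname), standing in for
# the per-device MAC log the thread describes; not real data.
AUTHORIZED = {
    "00-11-22-33-44-55": "LAPTOP-01",
    "00-11-22-33-44-66": "LAPTOP-02",
    "00-1A-2B-3C-4D-5E": "PRINTER-01",
}

# Constructed lease export in the column order 'netsh dhcp server scope <ip>
# show clients' prints (IP, mask, MAC, expiry, type); exact spacing is assumed.
LEASES = """\
192.168.1.50  - 255.255.255.0  - 00-11-22-33-44-55 - 3/17/2009 9:00:00 AM - D
192.168.1.51  - 255.255.255.0  - 00-11-22-33-44-66 - 3/17/2009 9:05:00 AM - D
192.168.1.77  - 255.255.255.0  - 001c.c0aa.bbcc    - 3/17/2009 9:12:00 AM - D
"""

def normalize_mac(raw):
    """Accept colon, hyphen or Cisco dotted forms; return AA-BB-CC-DD-EE-FF."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_leases(text):
    """Return [(ip, mac)] for each lease line, skipping lines without a MAC."""
    out = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" - ")]
        try:
            out.append((fields[0], normalize_mac(fields[2])))
        except (IndexError, ValueError):
            continue
    return out

def audit(leases, authorized):
    """Split observed leases into (unknown, known) against the inventory."""
    unknown = [(ip, mac) for ip, mac in leases if mac not in authorized]
    known = [(ip, mac) for ip, mac in leases if mac in authorized]
    return unknown, known

def reservation_commands(scope, known, authorized=AUTHORIZED):
    """One netsh reservation per known client (MAC without separators)."""
    return ['netsh dhcp server scope %s add reservedip %s %s %s "audited" DHCP'
            % (scope, ip, mac.replace("-", ""), authorized[mac])
            for ip, mac in known]
```

Calling `audit(parse_leases(LEASES), AUTHORIZED)` returns the unlogged device at 192.168.1.77 in the first list and the two inventory laptops in the second, ready for `reservation_commands("192.168.1.0", known)`.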
 
@unclerico, thanks for the correction. Obviously blocking DNS access would not prevent DHCP from leasing out an IP Address.
 
I think you are essentially asking for 'guest' access i.e. users who are either on the AD or visitors who just want to get to the Internet & email.

This falls under the topic of "Network Access Control" or NAC which is a HOT topic (i.e. revenue) for a lot of companies...

PS: Our company struggles with this type of access need too...

Yes, 802-1X will allow you to lock ports down, BUT you'll be managing MAC addresses all day long... not sure how many switches you have, but it's a lot of effort, unless you have a network management suite + a RADIUS server.


BTW, the GPMC (group policy management console) CAN be installed on Windows 2003. If you want Group Policy PREFERENCES, you'll need a Vista machine or Windows 2008 AND install a Windows hotfix (or SP3 I think.)

Suggestion A:
If I may recommend one particular brand of Access points:
HP ProCurve 530's

With the latest Firmware, they're able to allow users to associate with an AP - no setting changes needed; they would need to open a browser and attempt to visit a website. Upon doing so, with the help of the AP, they're redirected to your own login page. If they don't know the password you can customize the login page to say 'call xyz' and ask for a password; you can interrogate them to your liking etc. Authorized users (based on perhaps an 802-1X certificate) can be added to a separate subnet. This particular AP CAN put different clients on different subnets and only use ONE ethernet interface using VLAN tagging. Just need a router behind it to route between subnets. That's where the following ideas might help.

Walled Garden: Prevent certain (unknown) machines from passing a system without authorization. There are several linux based ones, or router based ones (smoothwall, pfsense being one of the best ones.)


A combination of the two:
Put a linux system with TWO NICs (Gigabit preferred): one NIC points to the inside of your network (NIC-A), the other to the wireless lan (NIC-B). Connect all the Access points behind this linux box. Create a VLAN on the NIC-B interface with two different subnets: 192.168.10.1/24 - Trusted IPs; 192.168.11.2/24, Untrusted IPs. Set the AP's management port to be on the trusted IP range. Set this NIC to use VLAN tagging.

THE KEY: Setup TWO SSID's in the Access Point:

TRUSTED WIRELESS One perhaps with a WPA-PSK with AES, or WPA2-Enterprise with a RADIUS server in the back (use a self signed cert that you can push out via GPO's.)
VLAN A

UNTRUSTED Wireless: No WPA-PSK, just a wide open network... Present the guest login prompt on the Access Point. Then Setup a simple Linux firewall/filter on this network to limit their access to your private network EXCEPT perhaps your anti virus update servers...
VLAN B

VLAN A traffic gets full access/all ports through the linux server.
Setup VLAN B traffic to your liking with normal firewall rules. I would recommend fw-builder to help with that.

COST: The cost of the HP ProCurve 530 APs, one Linux box with two NICs & some cables.

The only issue I'm still struggling with is HOW and what to do to scan the clients with automatically... Perhaps your AV suite can help with a Policy of some kind. NOD32 Remote Admin server/console, McAfee ePO and Symantec products all offer some sort of a method to load different policies depending on location/subnet.

Hope this helps...
 
Well, another tedious task you could do (depends on the number of clients) is to take the DNS server setting out of your DHCP scope and just statically assign those to all the clients. It's about as good as recording all the mac addresses and setting reservations as previously stated earlier.

TechyMcSe2k said:
Turn off the IP range and set Reservations by MAC address. Tedious, but it works.

This is really only feasible in reality if you have a small environment. If you have a larger number of clients then you need some kind of NAC device. Cisco is probably the most popular.

But while writing this post I did come up with a good idea you could try: either take out the DNS in the scope or put bogus ones in. Then set the DNS server settings in a GPO under Computer settings > Administrative Tools > Network > DNS Client > DNS Servers setting. This will supersede any DHCP DNS setting given to the clients.
 
One note, I haven't actually tried that, so I don't know how well that will work without a DNS server to resolve your client to a domain controller to apply the policy, but you could statically assign one whenever you set up a new client to apply the policy. The existing ones should be fine until they get new DHCP settings.
 