Windows Server 2000/2003 Thread, Restrict Access for Non-Domain Users in Technical
  1. #1

    Restrict Access for Non-Domain Users

    Hello Experts,

    I have a Citrix environment with 2 DC, DNS and DHCP servers with CISCO 3750 switches on the default VLAN. Currently anyone can walk in, connect a device to the network, get an IP from DHCP and be a part of the network.

    I am wondering whether there is a way I can restrict access for all non-domain users.

    I have a solution to configure NAC with a RADIUS server on my DC, i.e. IAS server, but it's gonna be very complicated in our network...

    Is there a simple solution using DHCP or GPO to restrict access to the network for all those users who are not members of the domain?

  2. #2
    sahmeepee

    Sadly DHCP wasn't really made with security in mind. AFAIK, the only way you can really achieve this using DHCP is to give all your clients static IPs/reservations and then assign any "rogue" devices an IP address way out in the nether-lands so that they can't communicate with your managed clients.

    It's not a 5 minute job!

  3. #3

    If you've got a list of your MAC addresses then you could set up reservations for all of them - it's scriptable so you don't have to type them all in :-)

    One other thing I've read about but never really used is IPSec - you can configure a group policy to say "always use IPSec". Any non-domain PC won't do this so won't be able to talk to the network.

  4. #4
    p858snake

    Just set up security on your server and filtering system so they can't access anything without being identified with their login details?

  5. #5
    sahmeepee

    Originally posted by p858snake:
        Just set up security on your server and filtering system so they can't access anything without being identified with their login details?

    ...which works great until viruses like Conficker get cleverer and stop just guessing at weak passwords. Also, you are relying very heavily on none of your machines being even 1 critical Windows update behind. If they are, there is a risk that a virus could exploit it and infect the PC regardless of Windows account. Apparently there are even embedded printer OSes being compromised by Conficker.

    Obviously there are many millions of ways of tackling these problems, but if you can stop rogue devices from being able to send data over your network at all you're putting up a pretty big barrier.
