Windows Server 2000/2003 Thread, Restrict Access for Non-Domain Users in Technical
30th September 2009, 04:36 PM #1
Restrict Access for Non-Domain Users
I have a Citrix environment with 2 DCs, DNS and DHCP servers with Cisco 3750 switches on the default VLAN. Currently anyone can walk in, connect a device to the network, get an IP from DHCP and be a part of the network.
I am thinking, is there a way I can restrict access for all non-domain users?
I have a solution to configure NAC with a RADIUS server on my DC, i.e. an IAS server, but it's gonna be very complicated in our network...
Is there a simple solution using DHCP or GPO to restrict access to the network for all those users who are not a member of the domain?
30th September 2009, 05:35 PM #2
Sadly DHCP wasn't really made with security in mind. AFAIK, the only way you can really achieve this using DHCP is to give all your clients static IPs/reservations and then assign any "rogue" devices an IP address way out in the nether-lands so that they can't communicate with your managed clients.
It's not a 5 minute job!
30th September 2009, 10:47 PM #3
If you've got a list of your MAC addresses then you could set up reservations for all of them - it's scriptable so you don't have to type them all in :-)
One other thing I've read about but never really used is IPSec - you can configure a group policy to say "always use IPSec". Any non-domain PC won't do this so won't be able to talk to the network.
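The scripted reservations mentioned in post #3, as an added example that is not part of the original thread: it validates a hostname/MAC list and emits `netsh dhcp server ... add reservedip` commands to review before running them on the DHCP server. The server address, scope, starting IP and inventory are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample inventory: "hostname,MAC" in the mixed formats such lists tend to have.
SAMPLE_INVENTORY = """\
ws-001,00-1A-2B-3C-4D-5E
ws-002,00:1a:2b:3c:4d:5f
ws-003,001a.2b3c.4d60
ws-004,00-1A-2B-3C-4D-5E
ws-005,not-a-mac
"""

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a unicast MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # multicast/broadcast bit set: not a client NIC
        return None
    return digits

def build_reservations(inventory, server, scope, first_ip):
    """Turn an inventory into netsh commands; returns (commands, rejected)."""
    network = ipaddress.ip_network(scope)
    next_ip = ipaddress.ip_address(first_ip)
    seen, commands, rejected = set(), [], []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _, raw = (part.strip() for part in line.partition(","))
        mac = normalize_mac(raw)
        # The name is written into a command line, so allow only hostname characters.
        # A MAC that was already reserved is rejected on its second appearance.
        if mac is None or mac in seen or not re.fullmatch(r"[A-Za-z0-9-]{1,15}", name):
            rejected.append(line.strip())
            continue
        if next_ip not in network or next_ip == network.broadcast_address:
            raise ValueError("scope %s exhausted at %s" % (scope, name))
        seen.add(mac)
        commands.append('netsh dhcp server %s scope %s add reservedip %s %s "%s" "managed" DHCP'
                        % (server, network.network_address, next_ip, mac, name))
        next_ip += 1
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_reservations(SAMPLE_INVENTORY, "10.0.0.2", "10.0.0.0/24", "10.0.0.50")
    print("\n".join(cmds))
    print("REM rejected, fix by hand: %s" % "; ".join(bad))
```

Rejected lines (duplicate MACs, malformed addresses, unusable names) are returned instead of silently skipped so the inventory can be corrected before any reservation is created.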
1st October 2009, 12:46 AM #4
Just set up security on your server and filtering system so they can't access anything without being identified with their login details?
1st October 2009, 11:43 AM #5
...which works great until viruses like Conficker get cleverer and stop just guessing at weak passwords. Also, you are relying very heavily on none of your machines being even 1 critical Windows update behind. If they are, there is a risk that a virus could exploit it and infect the PC regardless of Windows account. Apparently there are even embedded printer OSes being compromised by Conficker.
Originally Posted by p858snake
Obviously there are many millions of ways of tackling these problems, but if you can stop rogue devices from being able to send data over your network at all you're putting up a pretty big barrier.