Secure Server & Services

Discussion in 'Server Security' started by BOFH, Aug 29, 2004.

  1. BOFH

    BOFH Guest

    I have DHCP on the server, it issues addresses to non-domain computers too,
    which allows them use of the internet. I wish to block this.

    I have heard the term 'Domain Verification'...what is it and what can it do
    for me?


    BOFH
     
    BOFH, Aug 29, 2004
    #1
    1. Advertisements

  2. BOFH

    Miha Pihler Guest

    Hi,

    For now, there is no easy solution to prevent DHCP server issuing IPs to non
    domain clients. This is usually a problem when clients come in the office
    and want to plug their computer into your LAN. If you are worried about
    attacks well you should be. Even without DHCP it is pretty easy to figure
    out what IPs you use on your LAN. E.g. if you use Exchange mail server I can
    look in header of any e-mail from your organization and find out on what IP
    your Exchange server is running)... Now I can pretty much guess what IP I
    have to set manually to get access to your LAN and Internet even without
    DHCP.

    There are few things you can do.
    If you only want to prevent access to internet and you don't have problem
    with customers browsing your LAN setup a proxy (e.g. ISA server). You can
    setup ISA in a way that would require every user to authenticate themselves
    before they are granted access to the internet (user need a valid account in
    domain or some other database).

    If you also want to prevent access to LAN first thing you can do, don't
    patch all network outlets to network backbone. Even if someone comes to your
    office and plugs his computer with his own cable to the network outlet
    he/she still won't have any access to the network.

    Next thing you can do is port authentication (IEEE 802.1x). This is probably
    not the cheapest solution since you need switches that support IEEE 802.1x.
    Next thing you need are clients that are Windows 2000 SP4 or newer. Once the
    client connects to the network they have to present authentication
    parameters (username and password) and these are checked against e.g. Active
    Directory (using IAS - RADIUS)...

    You could also setup IPSec policy for your domain. This would prevent any
    computer that is not part of domain to communicate with other members of
    domain since Kerberos is used for IPSec authentication.
    Even if virus infected computer comes to your office and it is not part of
    your domain other computers will discard any connection from this computer
    since it doesn't use IPSec...

    I hope this helps,

    Mike
     
    Miha Pihler, Aug 29, 2004
    #2
    1. Advertisements

  3. BOFH

    Miha Pihler Guest

    Domain verification is not a term I am familiar with in a context to what
    you are looking for. Also if you run a search on Microsoft or Google it
    doesn't give any useful result to what you are looking for.

    Where did you hear this term and in what context?

    Mike
     
    Miha Pihler, Aug 29, 2004
    #3
  4. BOFH

    BOFH Guest

    It was an answer from another newgroup when I asked the same question...and
    I searched for it too with no useful results. Must have been a flight of
    fancy!

    How do I filter MAC addresses? (Another reply)

    I have 6 Windows 2003 servers, serving 250 or so PCs and 60 laptops. Its
    the damn laptops I have a problem with as some staff refuse to be a member
    of the domain. Being a BOFH I want to enforce company policy and restrict
    access to network resources and internet if they plug it in.

    Thanks for all your help :)
     
    BOFH, Aug 29, 2004
    #4
  5. BOFH

    Miha Pihler Guest

    You can setup a proxy (e.g. ISA server) and configure it to allow only
    authenticated users (Integrated authentication) to have access to the
    internet. In this case if users are loged on to their computers as members
    of domain they will not be allowed access to the internet...

    Another thing that you could do if you only have Windows 2000 or newer
    clients is setup IPSec policy. Since IPSec policy by default uses Kerberos
    as authentication protocol so only domain members will be able to
    participate in "conversation". It is also quite easy to setup.

    Other mentioneds mentioned methods are not as reliable and can be bypassed.
    E.g. MAC address can easily be changed.

    Mike
     
    Miha Pihler, Aug 29, 2004
    #5
  6. IPSec is the ideeal solution here, but it does take some setting up and
    careful consideration of what traffic you want to use IPSec for.

    If you just want to make it difficult for people to use non-domain members,
    consider using IPSec to make the most commonly-accessed resource accessible
    only by domain members. You can use IPSec AH with Kerberos to do this. If
    you're not careful, though, it's very easy to set an IPSec policy with Group
    Policy that it prevents communication with your domain controllers. From
    here, you have no way to undo this, so be careful and do plenty of testing.

    Sometimes a technical solution is not always the best for those who breach
    company policy. The most likely reason that your staff don't want to be
    domain members is that they plug their laptops into their home networks and
    mistakenly believe that if they're joined to the domain, they won't be able
    to do this. Since these machines are outside your control, you have no way
    to patch them against vulnerability-of-the-day and no way to ensure they get
    patched. It won't be long before your network gets the next Blaster,
    Sasser, Nimda, Code Red or Slammer unless you get support from your managers
    to stop this happening. It's not really about being BOFH, it's about
    protecting your company and protecting yourself, because no doubt the
    fingers will be pointing at you rather than the idiots with the laptops when
    the next worm hits your network.

    Hope this helps

    Oli
     
    Oli Restorick [MVP], Aug 29, 2004
    #6
  7. Oli Restorick [MVP], Aug 29, 2004
    #7
  8. BOFH

    BOFH Guest

    Can you point me to any documentation on this subject?

    All I need is a basic setup to deny any machine that isnt on the domain...
     
    BOFH, Aug 29, 2004
    #8
  9. BOFH

    BOFH Guest

    I have the company laptops under a unique OU, can I implement IPSEC just for
    that OU?

    Ooooh headaches heacaches...users users
     
    BOFH, Aug 30, 2004
    #9
  10. You'd be securing a resouce, so that would mean requiring authentication
    through Kerberos with IPSec when accessing those resources. Therefore, you
    need all domain-joined machines to be able to do IPSec, which is not the
    default.

    Mike seems to think that IPSec is somewhat easier to set up than I do, so
    I'd be interested to know what resources Mike has for configuring this.
    Also, see the link I posted elsewhere in this thread on domain isolation.
    It's quite lengthy, though.

    The Microsoft web site has loads of resources on IPSec, but personally I
    think there's some way to go in explaining it in a more approachable way.
    The documentation I've seen seems to assume that you're already familiar
    with IPSec and are just learning the implementation. Also, there's a good
    online seminar available.

    Go to http://www.microsoft.com/seminar/default.mspx and select "view all
    presenations". Look for a seminar entitled "Improving Trust In Your
    Infrastructure With IPSec" by Steve Riley.

    One problem you'll face is that if you start securing the infrastructure
    (DNS, DHCP, WINS, Active Directory), you get into a tricky situation with
    new machines. They can't perform enough on the network to get joined to the
    domain because they're not joined to the domain.

    Oli
     
    Oli Restorick [MVP], Aug 30, 2004
    #10
  11. BOFH

    Miha Pihler Guest

    Oli,

    First part I picked up at Tech-Ed few years ago (one of Steve Riley
    presentation). Later I played with IPSec and IP filters in my lab. I even
    written a step-by-step guide on how to setup IP filters or IPSec policies
    and posted it on mirosoft.private news groups. Biggest problem is that it is
    not written in English :-\ but in my first language.

    Best advice I could give in this case is to test, test, test ... policies.
    One thing that could show up is that one or more server or clients can't
    handle the additional load because of IPSec...

    Some resources:
    http://www.microsoft.com/technet/security/topics/network/default.mspx under
    IPSec section

    Mike
     
    Miha Pihler, Aug 30, 2004
    #11
  12. BOFH

    JP Hamilton Guest

    Thanks for all the info guys and I will be scrutinising IPSec for an
    answer...but in the meantime, if I enter a reservation for a known MAC
    address into DHCP and give it a silly IP address like 0.0.0.0, would this
    work?


    BOFH
     
    JP Hamilton, Aug 31, 2004
    #12
  13. BOFH

    Miha Pihler Guest

    This works, but MAC address can be changed in less then a minute...

    Mike
     
    Miha Pihler, Aug 31, 2004
    #13
  14. BOFH

    BOFH Guest

    I don't think that would be a problem...it wouldnt be long before I find out
    anyway, and our County Council has strict policies on hacking....and
    besides, the users arent that bright and probably arnt even aware of MAC
    addresses.
     
    BOFH, Aug 31, 2004
    #14
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.