Re: Blocking Access to Non-domain computers

["Balaji Prasad" <bp1974 () comcast net>]

Hello Andreas:
  If you are relying on DHCP to block internet access, I think your  
restriction can be breached very easily. One just needs to snoop network  
traffic for sometime in order to get the DHCP settings your server is  
transmitting, and then configure them statically on their computer.  Once  
this is done, the rogue windows client can easily "register" the lease  
with the server (by switching to automatic configuration mode) and   
sending in its settings to the server.
Now assuming that each W2K user is only using a single system to access  
the internet, you can set up internet access based on user authenticaion  
instead of system authentication. A good  idea would be to implement some  
form of proxy http that will serve all the windows clients on your domain.  
Delegate is an easily configurable and popular choice that can be hooked  
up to have authenticate your users with the W2K PDC before allowing them  
access to the internet.

Balaji

> Hello,
>
> On Thursday 19 August 2004 16:58, Brian Gehrke wrote:
> > I am running a W2K domain, using DHCP.  Is it possible to block
> > non-domain computers from getting an IP address from the DHCP server,
> so
> > they will not be able to access the Internet through the network.
>
> is dhcp by mac address (which of course can easily be spoofed)
> an option?
>
> regards,
> andreas
>
> ------------------------------------------------------------------------
> ---
> Computer Forensics Training at the InfoSec Institute. All of our class
> sizes
> are guaranteed to be 12 students or less to facilitate one-on-one
> interaction with one of our expert instructors. Gain the in-demand
> skills of
> a certified computer examiner, learn to recover trace data left behind
> by
> fraud, theft, and cybercrime perpetrators. Discover the source of
> computer
> crime and abuse so that it never happens again.
>
> http://www.infosecinstitute.com/courses/computer_forensics_training.html
> ------------------------------------------------------------------------
> ----
>
>
>
> ---------------------------------------------------------------------------
> Computer Forensics Training at the InfoSec Institute. All of our class  
> sizes
> are guaranteed to be 12 students or less to facilitate one-on-one
> interaction with one of our expert instructors. Gain the in-demand  
> skills of
> a certified computer examiner, learn to recover trace data left behind by
> fraud, theft, and cybercrime perpetrators. Discover the source of  
> computer
> crime and abuse so that it never happens again.
>
> http://www.infosecinstitute.com/courses/computer_forensics_training.html
> ----------------------------------------------------------------------------



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------