Security Basics mailing list archives
Re: Blocking Access to Non-domain computers
From: "Balaji Prasad" <bp1974 () comcast net>
Date: Sun, 29 Aug 2004 13:41:48 -0700
Hello Andreas:If you are relying on DHCP to block internet access, I think your restriction can be breached very easily. One just needs to snoop network traffic for sometime in order to get the DHCP settings your server is transmitting, and then configure them statically on their computer. Once this is done, the rogue windows client can easily "register" the lease with the server (by switching to automatic configuration mode) and sending in its settings to the server. Now assuming that each W2K user is only using a single system to access the internet, you can set up internet access based on user authenticaion instead of system authentication. A good idea would be to implement some form of proxy http that will serve all the windows clients on your domain. Delegate is an easily configurable and popular choice that can be hooked up to have authenticate your users with the W2K PDC before allowing them access to the internet.
Balaji
Hello, On Thursday 19 August 2004 16:58, Brian Gehrke wrote:I am running a W2K domain, using DHCP. Is it possible to block non-domain computers from getting an IP address from the DHCP server,sothey will not be able to access the Internet through the network.is dhcp by mac address (which of course can easily be spoofed) an option? regards, andreas ------------------------------------------------------------------------ --- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ------------------------------------------------------------------------ ---- ---------------------------------------------------------------------------Computer Forensics Training at the InfoSec Institute. All of our class sizesare guaranteed to be 12 students or less to facilitate one-on-oneinteraction with one of our expert instructors. Gain the in-demand skills ofa certified computer examiner, learn to recover trace data left behind byfraud, theft, and cybercrime perpetrators. Discover the source of computercrime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
Current thread:
- Re: Blocking Access to Non-domain computers, (continued)
- Re: Blocking Access to Non-domain computers Andreas (Aug 24)
- Re: Blocking Access to Non-domain computers Peter Wohlers (Aug 25)
- Re: Blocking Access to Non-domain computers Rob Hughes (Aug 24)
- Re: Blocking Access to Non-domain computers Oleksandr Darchuk (Aug 25)
- Re: Blocking Access to Non-domain computers Alexandre Verriere (Aug 31)
- RE: Blocking Access to Non-domain computers Steven A. Fletcher (Aug 25)
- RE: Blocking Access to Non-domain computers Raoul Armfield (Aug 25)
- Re: Blocking Access to Non-domain computers Richard Boswell (Aug 26)
- Re: Blocking Access to Non-domain computers Don Voss (Aug 30)
- RE: Blocking Access to Non-domain computers Dan and Liz Boyson (Aug 30)
- Re: Blocking Access to Non-domain computers Balaji Prasad (Aug 31)
- RE: Blocking Access to Non-domain computers Raoul Armfield (Aug 25)
- RE: Blocking Access to Non-domain computers Steven A. Fletcher (Aug 25)
- RE: Blocking Access to Non-domain computers Barrie Dempster (Aug 30)
- RE: Blocking Access to Non-domain computers DeGennaro, Gregory (Aug 26)
- Re: Blocking Access to Non-domain computers Andreas (Aug 24)