RE: information harvesting from within the network

["Jason Lopez" <jaylpz () sbcglobal net>]

If you have any manage switches, you could put them on separate VLans, and
deny them access to your private network...

My two-cents
jay
-----Original Message-----
From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com] 
Sent: Thursday, May 19, 2005 7:40 PM
To: security-basics () securityfocus com
Subject: information harvesting from within the network

Background:
I work in a university that has university typical security practices.  
Currently any authenticated user can scan the parts of the network with 
tools like LANguard or Nessus and obtain a considerable amount of 
information from them.   Most of the computers in our network are windows 
computers.  We also have departments with MACs and *nix machines.

Goal:
If possible, lock down the Windows computers with group policies and/or 
templates to disable this potential unauthorized information harvesting 
users and then restrict scanning ability to the security group with LDAP 
permissions.  Am I on the right track here?

I would like to achieve this without using a host based firewall.

Group policies have large pool of settings to pick from.  Narrowing it down 
to a few that disable at least portions would be appreciated.

Thanks,

ddjembe

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/