Status
Not open for further replies.
1 - 20 of 21 Posts

·
Registered
Joined
·
152 Posts
Discussion Starter · #1 ·
hi guys,

i'm an outsourced contractor at a company, let's call it ABC Company. now the company has 20 computers and 3 laptops and they're connected to a domain.

i cannot stay in ABC daily, i only come in on saturday and sunday. one day, when i came to the office, i noticed that A person is bringing his own laptop and copying his own file/files from the server.

i also noticed that he had set his workgroup name the same as my domain name. and he only copied his own file/files to work at home which means that he only accessed his data by using his own password, but this is a leak in my security.

is there any way that there will be no other computer that can access the server except the domain clients?
 

·
Registered
Joined
·
152 Posts
Discussion Starter · #7 ·
Well, the server DHCP server should support reservations, which is tying a MAC address to an IP address.
hi john,

well i had reserved all the IPs from 192.168.1.0 to 192.16.1.254. and not all of these IPs are used.

in my DHCP, i book all the IP as follow:
IP : 192.168.1.21, MAC : 10
IP : 192.168.1.22, MAC : 11
IP : 192.168.1.23, MAC : 12
and so on until
IP : 192.168.1.254, MAC : 254

192.168.1.1 - 192.168.1.20 already booked for my clients.

here's the case:
i already booked the 192.168.1.200 and i typed 200 for the MAC address. but still if i bring another laptop and use the 192.168.1.200 <STATIC-ly> i can access the network resources.

is there something wrong in my DHCP? please advise.
 

·
Registered
Joined
·
3,477 Posts
You need to compile a list of MAC addresses for the "legitimate" machines and reserve a DHCP address per MAC address. Allow for no more addresses than you need and this will block any rogue machines.
You could allow a couple of extra addresses to save you some work and put a fictitious address in there for those two, something like 00-00-00-00-00-00.
You could then easily change the reservation based on a new MAC rather than set up the whole thing every time.
 

·
Registered
Joined
·
58 Posts
Seriously? The best advice for restricting access that an MCSE can give is to reserve all of the available IP addresses? You must be kidding me.

Check out this guide on Server and Domain Isolation: http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx
It's not "simple" but if you're serious about security it's what you need. Uses IPsec and Group Policy to ensure that only authorized machines can access your domain resources.
 

·
Retired Moderator
Joined
·
106,726 Posts
Seriously? The best advice for restricting access that an MCSE can give is to reserve all of the available IP addresses? You must be kidding me.

Check out this guide on Server and Domain Isolation: http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx
It's not "simple" but if you're serious about security it's what you need. Uses IPsec and Group Policy to ensure that only authorized machines can access your domain resources.
Using the reservation feature of the DHCP server seems to be an easier way...
 

·
Registered
Joined
·
58 Posts
Except that the reservation method doesn't actually work. MAC address cloning defeats it, even just assigning yourself IP addresses until you stumble upon one that the PC is turned off or the laptop is out of the office for then using that IP to access the network will defeat it.
The Reservation feature of the DHCP server is NOT a security feature. It's not meant to control network access. So yes, if you want to use a way that doesn't work then reservation feature of the DHCP server is easier. But if you want it to work for real then you need to put in the time to do it right.
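
Added example (not part of any post in this thread): because a reservation only controls what the DHCP server hands out, a statically configured laptop never asks and is never refused. What the reservation list can still do is serve as an inventory to audit against. The sketch below compares constructed `arp -a` output in the Windows format with a constructed reservation table; all addresses and the function names `parse_arp` and `audit` are assumptions made for illustration.

```python
import re

# Constructed sample data: DHCP reservations as IP -> MAC.
# 00-00-00-00-00-01 is a placeholder reservation of the kind discussed above.
RESERVATIONS = {
    "192.168.1.10": "00-1a-2b-3c-4d-10",
    "192.168.1.11": "00-1a-2b-3c-4d-11",
    "192.168.1.200": "00-00-00-00-00-01",
}

# Constructed `arp -a` output (Windows format), as seen from the server.
ARP_OUTPUT = """
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.10          00-1a-2b-3c-4d-10     dynamic
  192.168.1.11          00-9f-8e-7d-6c-5b     dynamic
  192.168.1.200         00-9f-8e-7d-6c-aa     dynamic
  192.168.1.77          00-9f-8e-7d-6c-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {ip: mac} for dynamic (learned) entries, skipping headers."""
    seen = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            seen[m.group(1)] = m.group(2).lower()
    return seen

def audit(reservations, arp_text):
    """List hosts on the wire whose IP/MAC pair has no matching reservation.

    A cloned MAC on its reserved IP passes this check; it is an audit,
    not access control.
    """
    findings = []
    for ip, mac in sorted(parse_arp(arp_text).items()):
        reserved = reservations.get(ip)
        if reserved is None:
            findings.append((ip, mac, "ip-not-reserved"))
        elif reserved.lower() != mac:
            findings.append((ip, mac, "mac-mismatch"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(RESERVATIONS, ARP_OUTPUT):
        print(f"{ip:15} {mac}  {reason}")
```

The 192.168.1.200 finding is the case described in the thread: a static address sitting on a placeholder reservation and still reaching the network.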
 

·
Registered
Joined
·
2,070 Posts
I partly agree with that. DHCP reservations are not a security feature. It really depends on the motivation and skills of the person attempting to gain access. If someone is going to take the time to start spoofing MAC addresses, then they really have to be motivated. Based on the previous posts, I don't see that in this situation. I think what JohnWill means is that it's at least a good start until more robust security features can be implemented.
 

·
Retired Moderator
Joined
·
106,726 Posts
Security is a layered approach, each brick in the wall adds another roadblock to accessing the network.

Yes, I didn't mean to suggest that the reservations solve all security issues, and I don't see where I said that. ;) However, very few networks are secured as well as that link suggests, simply because the ROI isn't there for many organizations.
 

·
Registered
Joined
·
2,298 Posts
Except that the reservation method doesn't actually work. MAC address cloning defeats it, even just assigning yourself IP addresses until you stumble upon one that the PC is turned off or the laptop is out of the office for then using that IP to access the network will defeat it.
The Reservation feature of the DHCP server is NOT a security feature. It's not meant to control network access. So yes, if you want to use a way that doesn't work then reservation feature of the DHCP server is easier. But if you want it to work for real then you need to put in the time to do it right.
We're talking about a company with 20 or so users, if I understand the original poster correctly. If people are going to take the time to clone MAC addresses to access company files, then the problem then becomes whoever said employee's supervisor is. I agree with everyone else, just restrict by MAC.
 

·
Registered
Joined
·
58 Posts
Then why restrict it at all? If you are going to trust your users then trust them. Just ask the guy not to copy company files to the laptop. Either secure it, or don't. Don't half *** it. The illusion of security is worse than knowing you are insecure.
 

·
Registered
Joined
·
152 Posts
Discussion Starter · #17 ·
Then why restrict it at all? If you are going to trust your users then trust them. Just ask the guy not to copy company files to the laptop. Either secure it, or don't. Don't half *** it. The illusion of security is worse than knowing you are insecure.
either u trust them or not, this is a leak, and i cant be in the ABC from monday to friday.
 

·
Registered
Joined
·
152 Posts
Discussion Starter · #18 ·
You need to compile a list of MAC addresses for the "legitimate" machines and reserve a DHCP address per MAC address. Allow for no more addresses than you need and this will block any rogue machines.
You could allow a couple of extra addresses to save you some work and put a fictitious address in there for those two, something like 00-00-00-00-00-00.
You could then easily change the reservation based on a new MAC rather than set up the whole thing every time.
hi jim, if i already booked 192.168.1.200 with a fictitious MAC like 00-00-00-00-00-01, and then i connect my laptop and set the IP statically to 192.168.1.200, then set the WORKGROUP name the same as my domain.

i still can access the network resources, because i still know my user's password.
 

·
Registered
Joined
·
152 Posts
Discussion Starter · #19 ·
Except that the reservation method doesn't actually work. MAC address cloning defeats it, even just assigning yourself IP addresses until you stumble upon one that the PC is turned off or the laptop is out of the office for then using that IP to access the network will defeat it.
The Reservation feature of the DHCP server is NOT a security feature. It's not meant to control network access. So yes, if you want to use a way that doesn't work then reservation feature of the DHCP server is easier. But if you want it to work for real then you need to put in the time to do it right.
and yes, this is what i'm experiencing right now.
 

·
Registered
Joined
·
152 Posts
Discussion Starter · #20 ·
Seriously? The best advice for restricting access that an MCSE can give is to reserve all of the available IP addresses? You must be kidding me.

Check out this guide on Server and Domain Isolation: http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx
It's not "simple" but if you're serious about security it's what you need. Uses IPsec and Group Policy to ensure that only authorized machines can access your domain resources.
WOW, such a long journey, i'll give it a try, will give y'all the report in 2 days.

but if there is any easier way or advice, please guys. i'll appreciate any advice.
 