How to secure the login & access to the network
Hi there, my security problem is the employees themselves, because they have their own laptops and log on to network shares and the network, so I want to prevent them from logging on. I need to allow only authorized computers to get an IP from the DHCP server and to connect to the network. Also I need to prevent connecting to any domain computer through a crossover cable.
January 24th, 2008 3:40pm

It sounds like you need to configure a CA and enable IPsec. That will restrict the computers that can connect to your network to only the computers that you specify within the OU structure of your domain.
January 24th, 2008 5:27pm

Hi Customer, Thanks for posting here. Based on your demands, I agree with Aaron. IPsec (Internet Protocol security) enables us to dynamically segment a Windows environment into more secure and isolated logical networks based on policy and without costly changes to the network infrastructure or applications. This creates an additional layer of policy-driven protection, helps better protect against network attacks, helps to prevent unauthorized access to trusted networked resources, helps achieve regulatory compliance, and reduces operational costs. It also allows us to restrict access to our network to what we specify in the related policy. For more information about how to isolate your network with IPsec, please refer to the following article: http://technet.microsoft.com/zh-cn/network/bb545651(en-us).aspx I hope this helps. If anything is unclear, please feel free to post back. Thanks. Regards, Morgan Che Microsoft Online Community Support
January 28th, 2008 2:13pm

Hossam, first of all, you cannot stop someone from using a crossover cable. What you can do is make it harder to push any traffic to the hosts you manage, but you cannot stop that if they have physical access. By virtue of granting anyone physical access you have automatically given them avenues to circumvent some of your security protocols.

You can configure DHCP to not give out IP addresses other than to the hosts you want. However, it is very high overhead to manage that, and they can always just hard-code an address if they want to, so it really does very little good.

As you are posting in a Windows Server 2008 newsgroup, might I presume that you have Windows Server 2008? If so, you should investigate Network Access Protection (NAP). It is a policy enforcement tool that can ensure that computers on your network comply with policies before they get access to the network. You can learn more at http://technet.microsoft.com/en-us/network/bb545879.aspx.

As with Morgan and Aaron, I think you should investigate IPsec, but more than that, you should investigate Server and Domain Isolation. It is a methodology to keep unmanaged machines off your network. Contrary to both the DHCP hacks and NAP, it actually can prevent any unmanaged system from communicating at all. In conjunction with NAP it can ensure that every machine on your network complies with policy. Server and Domain Isolation is probably the most powerful security technology available to you today, and you do not need Vista and Windows Server 2008 to deploy it. You can learn more at www.microsoft.com/sdisolation. There is some good deployment guidance in the Windows Server 2008 Security Resource Kit as well: http://www.amazon.com/dp/0735625042?tag=protectyourwi-20.
January 28th, 2008 7:42pm
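The DHCP allow list mentioned in the post above, as an added example that is not part of the thread and not a configuration any poster supplied. It uses the DhcpServer PowerShell module (Windows Server 2012 and later); the server name and DNS suffix are assumed placeholders. The caveat the poster gives still holds: this only stops an unlisted laptop from leasing an address, and a static IP or a cloned MAC address bypasses it entirely.

```powershell
# Added example (not from the thread): seed and enable a MAC allow list on a
# Windows DHCP server. Assumes the DhcpServer cmdlets are available and the
# script runs against the named server. Server name and suffix are assumed.
#Requires -Modules DhcpServer

$dhcpServer   = 'dhcp01.contoso.example'   # assumed DHCP server
$domainSuffix = 'contoso.example'          # assumed DNS suffix of domain members

# Seed the allow list from the machines already managed: every current lease
# whose registered host name carries the domain suffix. (Constructed
# selection; in practice feed this from an AD computer inventory instead.)
Get-DhcpServerv4Scope -ComputerName $dhcpServer |
    Get-DhcpServerv4Lease -ComputerName $dhcpServer |
    Where-Object { $_.ClientId -and $_.HostName -like "*.$domainSuffix" } |
    ForEach-Object {
        Add-DhcpServerv4Filter -ComputerName $dhcpServer -List Allow `
            -MacAddress $_.ClientId -Description $_.HostName -Force
    }

# Turn the allow list on: a client whose MAC is not listed gets no DHCPOFFER.
Set-DhcpServerv4FilterList -ComputerName $dhcpServer -Allow $true

# Review what is now permitted to lease an address.
Get-DhcpServerv4Filter -ComputerName $dhcpServer -List Allow |
    Select-Object MacAddress, Description

# Limitation to keep in mind: nothing above is authenticated. A rogue laptop
# with a static address, or with its MAC set to one of the listed values,
# never talks to this server and is not affected.
```

Because the filter keys on a client-supplied identifier, treat it as an inventory hygiene control rather than an access control; the IPsec rules discussed later in the thread are what actually stop an unmanaged host from talking to managed ones.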

You should be able to require all machines within your network to accept only IPsec traffic and always respond with IPsec traffic. There are also some "deny" rules that can be set up. So, if a non-domain machine or a machine without an IPsec cert and configuration tries to connect to any machine on the network with a crossover cable, you may be able to prevent a session. However, Jesper is absolutely right in that if they have physical access to the other machine, they can crack the admin password and change the settings to allow whatever they want and plug in with a crossover cable...
January 28th, 2008 8:13pm

Thanks all for helping. Now I'm reading the guides Morgan posted, but it seems there is a remaining problem about connecting computers through a crossover cable. I noticed I can make a security policy, select the option "Access this computer from the network", and add the Domain Users group and Domain Computers group to this object. What about that? Can this prevent an unmanaged computer from accessing any domain computer by using a crossover cable?
January 29th, 2008 10:54am

Hi, Thanks for posting back, and also many thanks for Jesper's and Aaron's assistance. Typically, it's very hard to restrain physical network access by crossover cable. In the case of Windows Server 2008, NAP (Network Access Protection) is worth considering. NAP performs computer health policy validation, ensures ongoing compliance with health policies, and optionally restricts the access of computers that do not comply with system health requirements until their health state can be corrected. NAP includes a client- and server-side architecture. Administrators can configure Internet Protocol security (IPsec) enforcement, IEEE 802.1X enforcement, virtual private network (VPN) enforcement, Dynamic Host Configuration Protocol (DHCP) enforcement, or all four, depending on their network needs. For more information about NAP, please refer to: Introduction to Network Access Protection http://www.microsoft.com/technet/network/nap/napoverview.mspx Alternatively, we can restrict non-authorized physical access by configuring the switch. As far as I know, most switches can be configured to bind the MAC address to a specific IP address on the corresponding switch ports to block illegitimate physical access. However, this function depends on the switch. For detailed information, please contact the switch manufacturer. I hope this helps. Best wishes --------------Morgan Che Microsoft Online Community Support
January 29th, 2008 12:45pm

Morgan, far be it from me to steer someone away from NAP. However, if we ignore for a moment the fact that NAP is not currently available in any shipping product, it will do nothing to stop access with a crossover cable. DHCP "enforcement" (it is not actually enforcement of any kind) is completely meaningless in all circumstances, and would be entirely out of the loop if you use a crossover cable. 802.1X enforcement would not get involved since the attacker would be connecting directly to the victim, without involving a switch in the transaction. Assuming you are not connecting a crossover cable to the VPN server, that type of enforcement also would do nothing to stop this. If the attacker actually is connecting the crossover cable to the VPN server, you have a whole host of more urgent security problems to address. IPsec enforcement would possibly stop the traffic depending on the rule set. That, however, is the critical point that both Aaron and I have been trying to make. IPsec will mitigate this type of attack, with or without NAP, depending on the rule set. NAP, as it turns out, has absolutely no ability to stop this type of attack because the attacker is connecting directly to the victim, not to a network where there is a NAP policy server. NAP is to stop a computer from getting to the network until it claims to be compliant with the policies. NAP is not useful to stop one computer from connecting to another computer if there are no NAP components that can get involved. In the case the OP puts forth there are no switches, no policy servers, no enforcement servers; in short, no NAP involved. The correct way to mitigate this attack is, obviously, to stop the attacker from having physical access to anything. Realizing then that this is impossible, you have no choice but to rely on host-based defenses.
The effective host-based defenses against this type of attack are:
- Up-to-date computers with no missing security updates
- Host-based firewalls
- IPsec enforcement on any ports the client must have open in the firewall. Note the critical aspect of this is that the IPsec policies must not permit any machine the attacker can use to connect.
That's as effective as you can get in this case. The attacker, given that he has physical access, can still circumvent all of this protection by using his physical access, but this is something you have to live with if you permit physical access from untrusted individuals. NAP does nothing to help in this situation. It is a valid policy enforcement tool, but it does nothing to secure anything and especially not crossover cable access.
January 29th, 2008 7:55pm

Dear Jesper, Thanks for the comments. I think NAP is designed to ensure the health of client systems, but not so much for anti-attack. That's why NAP couldn't fully meet our demands for intranet security. Thanks for your understanding. Have a nice day! Best wishes --------------Morgan Che Microsoft Online Community Support
January 31st, 2008 2:58pm

Hello all, I realise that this forum thread is a couple of months old but I have almost the exact same problem. I've read the previous comments and am no nearer a solution. Basically anybody can bring in their own laptop and connect a network cable to access the internet. The problem we have is that if they know the credentials of a network user then they can map a drive and access our data. I would assume that when a machine logs on to the domain there is a lookup done on or by the domain controller to cross-reference the NetBIOS name and SID with an account on the domain; once it has confirmed that, the logon process continues. Surely the same technology/process can be used by the DHCP server to interrogate the same information before deciding whether to assign an IP address or not? The technology is already there, so it shouldn't take too much effort to incorporate this as an option when configuring DHCP? Any chance of Microsoft creating a patch or application to this end? Kind regards, Gareth
April 14th, 2008 3:54pm

Gareth, What you are saying needs to be controlled by policy first of all. You must have a security policy, that you actually enforce, that outlines severe consequences for people who connect personal machines. Second, there is no patch possible for this. By design, you are supposed to be able to authenticate from a non-domain member. The DHCP server works prior to any authentication, and is an unauthenticated protocol, so you cannot restrict it there either. You could use NAP, if you have a Server 2008 architecture, but it won't stop anyone determined either. However, there is something you can do: Domain Isolation. Set up IPsec to restrict access to any resources to machines that can present an IPsec-authenticated session, and restrict those to domain members. That will address the issue in a technical manner, and is very difficult to circumvent. To learn more, go to http://technet.microsoft.com/en-us/network/bb545651.aspx.
April 14th, 2008 9:17pm
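The domain isolation setup recommended in the post above (and the host-based defenses listed earlier in the thread: host firewall plus IPsec on every open port), as an added example that is not part of the thread and not a configuration any poster supplied. It uses the NetSecurity PowerShell module (Windows 8 / Server 2012 and later; the 2008-era equivalent is netsh advfirewall consec). The NetBIOS domain name is an assumed placeholder, and the script protects only the host it runs on; in a real deployment the same rules are pushed by Group Policy.

```powershell
# Added example (not from the thread): per-host domain isolation with the
# NetSecurity module. Run elevated on a domain-joined member. The domain
# name is an assumption; everything else is standard cmdlet usage.
#Requires -RunAsAdministrator
#Requires -Modules NetSecurity

$domainNetbios = 'CONTOSO'   # assumed NetBIOS domain name

# The firewall rule takes an SDDL string, not a group name, so resolve the
# Domain Computers group (RID 515) to its SID on this domain.
$domainComputersSid = ([System.Security.Principal.NTAccount]"$domainNetbios\Domain Computers").Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$authorizedComputers = "O:LSD:(A;;CC;;;$domainComputersSid)"

# 1. Authentication: computer Kerberos in main mode, user Kerberos in
#    extended mode. A laptop that is not a domain member holds no machine
#    ticket, so it cannot complete main mode at all; this is what stops the
#    crossover-cable case, because no DC, switch or NAP server is consulted.
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'DI Phase1 (Computer Kerberos)' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'DI Phase2 (User Kerberos)' `
    -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# 2. Connection security rule: require IPsec inbound, only request it
#    outbound so this host can still reach non-isolated servers (printers,
#    non-Windows systems) during rollout.
New-NetIPsecRule -DisplayName 'Domain Isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain,Private -Enabled True

# 3. The firewall rule that closes the door: SMB is reachable only over an
#    IPsec-authenticated connection AND only from a Domain Computers member.
#    Knowing a user's password is not enough; the *computer* must be one
#    of ours.
New-NetFirewallRule -DisplayName 'SMB-In (domain computers only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -RemoteMachine $authorizedComputers `
    -Profile Domain,Private

# 4. Disable any other enabled inbound allow rule for TCP/445 (such as the
#    built-in File and Printer Sharing rules), otherwise it bypasses rule 3.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
        $_.Enabled -eq 'True' -and $_.DisplayName -ne 'SMB-In (domain computers only)'
    } |
    Disable-NetFirewallRule

# 5. Verify. Every peer that reached SMB shows up here with a Kerberos
#    machine identity; an unmanaged laptop on a crossover cable never
#    appears, and its SYNs to 445 are silently dropped.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Repeat step 3 for every other port the host must expose; with the connection security rule set to Require inbound, any port left open without a matching authenticated rule is the weak spot. As the thread points out, none of this survives an attacker who has physical access to the protected machine itself and can change its configuration.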

Jesper, Thanks for your response, we shall have to look into the IPsec solution then. Can you please explain, for my own education, why Microsoft designed this system where you can authenticate from a non-domain member? I can't actually see any benefit in this unless I am the person using my own laptop. Surely in this day and age this design should be reviewed as data security is becoming a huge issue. Also there is nothing to stop somebody bringing an unprotected laptop into our premises and releasing a virus or surfing the internet for explicit or illegal content, as they can bypass any internet control servers that are in place. Many thanks, Gareth
April 15th, 2008 12:33pm

The vast majority of enterprise networks include non-domain members. It would break hundreds of thousands of networks if you could not authenticate from a non-domain member. Think about all the networks that have non-Windows computers in them, for example. Then there are all the millions of home networks where people share files, but without a domain. Those also require authentication from non-domain members. There are definitely networks today where you do not want to permit that, but that's why you have Domain Isolation, or better yet, Server Isolation. I've written about that in every one of my books. I think Server Isolation is the most important security technology we have today.
April 15th, 2008 5:53pm
