Quarantining laptops


I got to the office this morning and saw a manager headed for a meeting with a laptop. The laptop was not one I had seen before and was not the usual brand we use.

I was wondering if there might be a good way to quarantine these devices until they can be checked for viruses and to ensure they have antivirus applications and the like installed and up to date if they connect to the network.

Not sure how to go about such things... any help would be appreciated.

Thanks

Derek
    0 Votes
    ThumbsUp2

    If you tell us what you already have, it might help!

    What kind of server are you using? Do you assign static IPs? Are you filtering by MAC address? Or is your system wide open and allows anything that gets plugged into it to be assigned an IP?

    0 Votes

    It allows anything plugged in... it's wide open, using Windows 2003 AD.

    Was hoping to find the right starting point to get it moving in the right direction as we aren't doing anything today.

    0 Votes
    shasca

    You need a policy enforced to back you up. You need parameters set as to what is, and is not, allowed on the company network. You don't want to lock everything down without management's buy-in.

    0 Votes

    I will give it a look. After I come up with some possibilities, management will be involved. If I cannot achieve the goal there is no sense in bothering them about it.

    0 Votes
    IC-IT

    I believe Shasca is referring to Management setting a Policy.
    The Policy either would limit or ban non-company resources from connecting to the network. It gives you the authority to enforce the rule. It also gives you a direction for implementation.
    Then you may take additional steps to lock down the network (or examine a quarantine solution).

    0 Votes
    CG IT

    Some of the enterprise-level antivirus solutions have quarantine capabilities. If a new client is added to the network, the AV will quarantine it until it meets the network requirements.

    If this is an Active Directory domain, by design, if the laptop is not a member of the domain, it cannot access resources on the domain, even if the user tries to log on with their account. Active Directory requires a computer account for clients to be members of the domain, therefore there is some inherent quarantine.

    Managed switches allow you to assign MAC addresses to a switch port. This security feature will disable the switch port if the wrong computer uses that switchport. You can also disable unused switchports.

    Combined, these security features can be used to make sure unauthorized computers do not gain access to the network.
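As an added example that is not part of this thread, here is a small Python audit of the switch port-security idea in CG IT's reply: it parses a constructed Cisco-style MAC address table and reports ports where a MAC other than the assigned one appears, or where a port that should be disabled still shows a device. The table, the port-to-MAC assignments and the unused-port list are all assumed sample data, not real inventory.

```python
import re
from collections import defaultdict

# Constructed sample output in the "Vlan  Mac Address  Type  Ports" layout
# used by Cisco-style "show mac address-table"; not from a real switch.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    00aa.bbcc.ddee    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/7
"""

# Hypothetical inventory: the single MAC each access port is assigned.
ASSIGNED = {
    "Fa0/1": "0011.2233.4455",
    "Fa0/2": "0011.2233.4466",
    "Fa0/3": "0011.2233.4488",
}
# Hypothetical list of ports that policy says must be administratively disabled.
UNUSED_PORTS = {"Fa0/7", "Fa0/8"}

# One table row: VLAN, dotted-hex MAC, type, port name.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)", re.I
)


def parse_mac_table(text):
    """Return {port: [mac, ...]} for every data row in the table text."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            seen[m.group(3)].append(m.group(2).lower())
    return dict(seen)


def audit_ports(seen, assigned, unused_ports):
    """Return (port, reason, offending_macs) for each policy violation."""
    findings = []
    for port, macs in sorted(seen.items()):
        if port in unused_ports:
            findings.append((port, "device on port that should be disabled", macs))
        elif port not in assigned:
            findings.append((port, "unassigned port in use", macs))
        else:
            unexpected = [m for m in macs if m != assigned[port].lower()]
            if unexpected:
                findings.append((port, "MAC not assigned to this port", unexpected))
    return findings


if __name__ == "__main__":
    for port, reason, macs in audit_ports(parse_mac_table(SAMPLE_MAC_TABLE), ASSIGNED, UNUSED_PORTS):
        print(f"{port}: {reason}: {', '.join(macs)}")
```

On the sample data this flags Fa0/2 (a second, unassigned MAC behind the port) and Fa0/7 (a port that should have been disabled); a real switch with port security enabled would have shut those ports itself, so this kind of audit is the check for switches where that feature is not yet configured.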
