Rogue PCs on the network

+
0 Votes
admin
Can anyone tell me how to prevent rogue PCs from gaining access to the internet and file sharing on my network?
  • +
    0 Votes
    robo_dev

    Enable MAC-address restrictions in Ethernet edge switches.

    Disable DHCP and assign static IP addresses (not really a deterrent for most people).

    Disable unused Ethernet jacks.

    Implement NAC (network access control) from Cisco and/or Microsoft.

    Install security cameras, armed guards, create a policy to forbid it, etc.

    +
    0 Votes

    and

    Dr Dij

    Use a proxy for Internet access - all Internet access goes through one of your servers rather than directly to the Internet.

    It is child's play to fake a MAC address; that said, very few 'regular people' are likely to do it, other than industrial spies, criminals set on stealing your info, rogue admins, competitors in disguise...

    Plus someone should check logs regularly.
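
Added example, not part of any reply in this thread: one way to do the regular log check suggested above and to back up a MAC allow-list, by comparing DHCP lease events with an inventory of school-owned PCs. The inventory, host names, addresses and log lines are constructed, and the seven-column layout is assumed to match the Windows DHCP audit log.

```python
import csv

# Constructed inventory (assumption): MAC -> expected host name of school PCs.
KNOWN_MACS = {"001A2B3C4D01": "LAB1-PC01", "001A2B3C4D02": "LAB1-PC02"}

# Constructed sample lines; assumed column layout of the Windows DHCP audit log:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
10,03/02/09,08:01:12,Assign,10.0.0.21,LAB1-PC01.school.example,001A2B3C4D01
11,03/02/09,08:05:40,Renew,10.0.0.22,LAB1-PC02.school.example,001A2B3C4D02
10,03/02/09,09:14:03,Assign,10.0.0.57,visitor-laptop,00AABBCCDD01
10,03/02/09,10:30:55,Assign,10.0.0.58,unknown-box,001A2B3C4D01
"""

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = renewal


def normalize_mac(mac):
    """Strip separators so 00-1a-2b..., 00:1A:2B... and 001A2B... compare equal."""
    return mac.replace("-", "").replace(":", "").strip().upper()


def audit_leases(log_text, known_macs):
    """Return (unknown, mismatched) lease events.

    unknown:    MAC is not in the inventory (a PC nobody registered).
    mismatched: MAC is in the inventory but the client announced a different
                host name, which is what a copied MAC address tends to look like.
    """
    unknown, mismatched = [], []
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue  # header text, service events, releases
        ip, host, mac = row[4], row[5], normalize_mac(row[6])
        if mac not in known_macs:
            unknown.append((mac, ip, host))
        elif host.split(".")[0].upper() != known_macs[mac].upper():
            mismatched.append((mac, ip, host, known_macs[mac]))
    return unknown, mismatched


if __name__ == "__main__":
    unknown, mismatched = audit_leases(SAMPLE_LOG, KNOWN_MACS)
    for mac, ip, host in unknown:
        print(f"UNKNOWN MAC {mac} leased {ip} as {host!r}")
    for mac, ip, host, expected in mismatched:
        print(f"MAC {mac} expected {expected} but seen as {host!r} at {ip}")
```

A PC configured with a static address never requests a lease, so this check complements switch port restrictions rather than replacing them.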

    +
    0 Votes

    and

    OH Smeg

    Remove all wireless access points to the network.

    If you absolutely must have WiFi access, use WPA2 security.

    Col

    +
    0 Votes
    wesley.chin

    I am confused. Where are the rogue PCs? Are the rogue PCs random or on the intranet? What is the OS?

    If the rogue PCs are intranet, allow no exceptions in the Windows Firewall (if Windows is the OS). If not intranet, get a good hardware firewall.

    +
    0 Votes
    robo_dev

    And do you mean physical access or logical access?

    I assume that you meant wired-physical access, but you know what happens when you assume....

    +
    0 Votes
    admin

    Thanks for all the replies so far. I guess I need to be more specific. It's a wired LAN and I'm running Win2003 R2 in a school environment. Users must join the domain to use file or print services, but Internet access is still open. Is there something in Active Directory that will allow me to restrict access to only those PCs in a specific OU?

    +
    0 Votes
    JohnBHeller

    Hi,

    Sounds like you could use a proxy server. Microsoft and several other companies make them. The homepage for the Microsoft proxy product, now called ISA Server, is
    http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/default.aspx

    There are many others on the market too. I have used one called Proxy plus that was very good.

    Running a network with students involved is a constant challenge. They are always exploiting any weaknesses that you leave open. Unfortunately there are a lot of resources and information that they can find via a search of the Internet.

    For a proxy server to be successful, you will need to restrict access to the router on the common ports such as port 80. Redirect incoming packets to the proxy server so that they can't just type in the router's IP address directly to bypass the proxy. Put an ACL on the router so that only certain hosts can communicate with it. If possible, connect the router directly to the proxy server on a separate Ethernet card, so that there is no direct access to the router. This depends on what other site access you allow, i.e. staff being able to VPN in from home.

    With ISA Server you can set up access rules based on usernames and groups to restrict or stop Internet access. Of course the server also logs web sites visited and allows you to ban sites too. It caches websites, and speeds up access to commonly accessed pages too.

    I'd imagine that there are some good forum sites devoted to IT managers based in schools where you can swap hints and horror stories.

    I personally know the IT managers of two local high schools, so I can probably put you in touch with them if you need more specific information.
