Problem
Two Technical Q&A
postings were both looking for ways to prevent unauthorized systems from
connecting to the corporate network and accessing the Internet. Since the
solution that both of them were searching for is so similar, we decided to
group the questions and solutions together.
TechRepublic member slk1@rcn.com
asked, “How do I prevent unauthorized personnel from accessing the Internet
with their Macs on my Windows network?”
Meanwhile, in a separate question, TechRepublic member adembo posted, “I am looking for a
way to have visitors that come in with their own laptops and plug into an
available port to be denied a DHCP address until I can verify the laptop has
proper security set and antivirus software running. What are some of the ways
this can be done? I had thought about a certificate server, but didn’t know if
that would work. The users do not have to log on to our network, so I don’t see
how Group Policy could help. Any ideas?”
Solution
The best solution was provided by member zrabi: “If you use Windows 2000 [or
Windows Server 2003] as your DHCP server, you can assign your Windows machines
a DHCP Class. In DHCP, you specify a gateway (router) address to that class.
Machines with no DHCP Class or another class will not get the router address …
and hence no Internet access. And now for the links:
- How to Create a New DHCP User or Vendor Class [Q240247]
- How to Configure DHCP Class ID on a Windows 2000 DHCP Client [Q235272]”
From Microsoft
Knowledge Base article Q240247, here’s how to set up a DHCP class:
Create a New User or Vendor Option Class
- Start DHCP Manager.
- In the console tree, click the applicable DHCP server branch.
- Right-click the server, and then click Define User Classes to create a new user class, or click Define Vendor Classes to create a new vendor class.
- Click Add.
- In the New Class dialog box, type a descriptive identifying name for the new option in the Display name box. You may also add additional information to the Description box.
- Type in the data to be used by the DHCP Server service for matching the class ID provided by DHCP clients under ID or ASCII. To enter the data as hexadecimal byte numeric values, click the left side of the text box. To enter data as American Standard Code for Information Interchange (ASCII) text character values, click the right side of the text box.
- Click OK, and then click Close.
Configure a DHCP Scope with the New Class ID
- In DHCP Manager, double-click the appropriate DHCP scope.
- Right-click Scope Options and then click Configure Options.
- Click Advanced.
- Click to select the check box or boxes next to the features you want to use with the new vendor or user class.
- Click OK.
Set the Specified DHCP Class ID String for Client Computers
Client computers that connect to a Windows 2000-based DHCP server can use the
following command to set the specified DHCP class ID string:
ipconfig /setclassid adapter_name class_id
For example, to configure an adapter called “Local Area Connection” with a user
class ID called “myuserclass”, type ipconfig /setclassid "Local Area Connection" myuserclass
at a command prompt (straight quotes around the adapter name), and then press ENTER.
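The same user-class setup, scripted for the DHCP Server role on a current Windows Server with the DhcpServer PowerShell module (Windows Server 2012 and later). This is an added example, not code from the TechRepublic thread or the Microsoft KB article; the scope 10.0.0.0/24, the gateway 10.0.0.1 and the class name "myuserclass" are assumed values.

```powershell
# Added example (not from the original thread or KB article).
# Assumed values: scope 10.0.0.0/24, gateway 10.0.0.1, user class "myuserclass".
# Run in an elevated PowerShell session on the DHCP server.
$ScopeId   = "10.0.0.0"
$Gateway   = "10.0.0.1"
$ClassName = "myuserclass"

# 1. Define the user class. -Data is the ASCII string the server matches against
#    the class ID that clients present (the value set with ipconfig /setclassid).
Add-DhcpServerv4Class -Name $ClassName -Type User -Data $ClassName `
    -Description "Managed corporate clients that may reach the Internet"

# 2. Remove any scope-level router (option 3) so clients without the class get
#    an address but no default gateway. Ignore the error if none was set.
Remove-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3 -ErrorAction SilentlyContinue

# 3. Hand out the router only to clients that present the class ID.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName `
    -OptionId 3 -Value $Gateway

# 4. Verify: the class-scoped option 3 lists the gateway; the scope-level query
#    should return nothing.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName -OptionId 3
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3 -ErrorAction SilentlyContinue

# 5. Review who is holding leases; unmanaged devices will still appear here,
#    but without a default route. On a managed client the class is set with:
#    ipconfig /setclassid "Ethernet" myuserclass
Get-DhcpServerv4Lease -ScopeId $ScopeId | Select-Object IPAddress, HostName, ClientId, AddressState
```

The class ID is asserted by the client and is not authenticated, so this keeps unconfigured devices off the default route but is not an enforcement boundary against a manually configured host. Treat it as a convenience control and pair it with the separate guest network or proxy approaches described below.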
Alternate solutions
Besides setting up a DHCP Class, there are some other ways
to restrict unauthorized machines from accessing the Internet.
Member markusfrei@gmx.net
suggested, “You could install a proxy server and set up your PCs to only be
allowed access to the Internet via that proxy server. Within the proxy server
you could then set the users who are allowed Internet access.”
Member rfurze
also provided a suggestion for allowing Internet access to guests, while
keeping the corporate network safe: “The visitors could plug into specific
connections in a conference room or guest area and those connections could go
back to a separate DMZ zone that isn’t on your regular network. If they don’t
need to login to your network and only need Internet access there is much less
risk and work involved if they are on their own separate network on a DMZ. I
would also recommend having an appropriate policy and procedure that they are
educated in, and sign off on, before they plug in.”
Note
The text of discussion posts from TechRepublic members has
been slightly edited for spelling, punctuation, and clarity.