Two Technical Q&A
postings were both looking for ways to prevent unauthorized systems from
connecting to the corporate network and accessing the Internet. Since the
solution that both of them were searching for is so similar, we decided to
group the questions and solutions together.
TechRepublic member email@example.com
asked, “How do I prevent unauthorized personnel from accessing the Internet
with their Macs on my Windows network?”
Meanwhile, in a separate question, TechRepublic member adembo posted, “I am looking for a
way to have visitors that come in with their own laptops and plug into an
available port to be denied a DHCP address until I can verify the laptop has
proper security set and antivirus software running. What are some of the ways
this can be done? I had thought about a certificate server, but didn’t know if
that would work. The users do not have to log on to our network, so I don’t see
how Group Policy could help. Any ideas?”
The best solution was provided by member zrabi: “If you use Windows 2000 [or
Windows Server 2003] as your DHCP server, you can assign your Windows machines
a DHCP Class. In DHCP, you specify a gateway (router) address to that class.
Machines with no DHCP Class or another class will not get the router address …
and hence no Internet access. And now for the links:
- How to Create a New DHCP User or Vendor Class [Q240247]
- How to Configure DHCP Class ID on a Windows 2000 DHCP Client [Q235272]”
According to Knowledge Base article Q240247, here’s how to set up a DHCP class:
Create a New User or Vendor Option Class
- In the console tree, click the applicable DHCP server branch.
- Right-click the server, and then click Define User Classes to create a new
user class, or click Define Vendor Classes to create a new vendor class.
- In the New Class dialog box, type a descriptive identifying name for the new
option in the Display name box. You may also add additional information to
the Description box.
- Type in the data to be used by the DHCP Server service for matching the class
ID provided by DHCP clients under ID or ASCII. To enter the data as
hexadecimal byte numeric values, click the left side of the text box. To
enter data as American Standard Code for Information Interchange (ASCII)
text character values, click the right side of the text box.
- Click OK, and then click Close.
Configure a DHCP Scope with the New Class ID
- In DHCP Manager, double-click the appropriate DHCP scope.
- Right-click Scope Options and then click Configure Options.
- Click to select the check box or boxes next to the features you want to use
with the new vendor or user class.
Set the Specified DHCP Class ID String for Client Computers
Client computers that connect to a Windows 2000-based DHCP
server can use the following command to set the specified DHCP class ID string:
For example, to configure an adapter called “Local Area
Connection” with a user class ID called “myuserclass”, type
ipconfig /setclassid "Local Area Connection" myuserclass
at a command prompt, and then press ENTER.
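The same setup can be scripted with netsh on the DHCP server. This is an added example, not part of the original article or the Knowledge Base text; the scope 192.168.10.0 and router 192.168.10.1 are assumed values, and the class name is the one from the ipconfig example above.

```bat
@echo off
rem Added example: hand out the router option (003) only to one DHCP user class.
rem Assumed values: scope 192.168.10.0 and router 192.168.10.1.
rem The class name "myuserclass" comes from the article's ipconfig example.
set SCOPE=192.168.10.0
set ROUTER=192.168.10.1
set CLASS=myuserclass

rem 1. Define the user class. The last argument is the ASCII data the server
rem    matches against the class ID that clients send.
netsh dhcp server add class %CLASS% "Managed corporate machines" %CLASS%

rem 2. Remove any router option set for the default class, so that clients
rem    without the class ID still get a lease but no gateway. The server-level
rem    default applies to every scope: skip the first line if other scopes
rem    depend on it. Each command reports an error if the option was never set.
netsh dhcp server delete optionvalue 003
netsh dhcp server scope %SCOPE% delete optionvalue 003

rem 3. Set the router option for members of the user class only.
netsh dhcp server scope %SCOPE% set optionvalue 003 IPADDRESS user=%CLASS% %ROUTER%

rem 4. Verify: the class exists, the class-specific view lists option 003,
rem    and the default view of the scope does not.
netsh dhcp server show class
netsh dhcp server scope %SCOPE% show optionvalue user=%CLASS%
netsh dhcp server scope %SCOPE% show optionvalue

rem On each managed client (run there, not on the server):
rem   ipconfig /setclassid "Local Area Connection" myuserclass
rem   ipconfig /renew
rem   ipconfig /showclassid "Local Area Connection"
```

The class ID is a value the client reports about itself and the server does not verify it, so this works best alongside the proxy or separate guest network described below.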
Besides setting up a DHCP Class, there are some other ways
to restrict unauthorized machines from accessing the Internet.
suggested, “You could install a proxy server and set up your PCs to only be
allowed access to the Internet via that proxy server. Within the proxy server
you could then set the users who are allowed Internet access.”
also provided a suggestion for allowing Internet access to guests, while
keeping the corporate network safe: “The visitors could plug into specific
connections in a conference room or guest area and those connections could go
back to a separate DMZ zone that isn’t on your regular network. If they don’t
need to login to your network and only need Internet access there is much less
risk and work involved if they are on their own separate network on a DMZ. I
would also recommend having an appropriate policy and procedure that they are
educated in, and sign off on, before they plug in.”
The text of discussion posts from TechRepublic members has
been slightly edited for spelling, punctuation, and clarity.