Problem

Two Technical Q&A
postings were looking for ways to prevent unauthorized systems from
connecting to the corporate network and accessing the Internet. Since both
were searching for essentially the same solution, we decided to group the
questions and solutions together.

TechRepublic member slk1@rcn.com
asked, “How do I prevent unauthorized personnel from accessing the Internet
with their Macs on my Windows network?”

Meanwhile, in a separate question, TechRepublic member adembo posted, “I am looking for a
way to have visitors that come in with their own laptops and plug into an
available port to be denied a DHCP address until I can verify the laptop has
proper security set and antivirus software running. What are some of the ways
this can be done? I had thought about a certificate server, but didn’t know if
that would work. The users do not have to log on to our network, so I don’t see
how Group Policy could help. Any ideas?”

Solution

The best solution was provided by member zrabi: “If you use Windows 2000 [or
Windows Server 2003] as your DHCP server, you can assign your Windows machines
a DHCP Class. In DHCP, you specify a gateway (router) address to that class.
Machines with no DHCP Class or another class will not get the router address …
and hence no Internet access. And now for the links:

From Microsoft Knowledge Base article Q240247, here's how to set up a DHCP class:

Create a New User or Vendor Option Class

  1. Start DHCP Manager.
  2. In the console tree, click the applicable DHCP server branch.
  3. Right-click the server, and then click Define User Classes to create a new user class, or click Define Vendor Classes to create a new vendor class.
  4. Click Add.
  5. In the New Class dialog box, type a descriptive identifying name for the new option in the Display name box. You may also add additional information to the Description box.
  6. Type in the data to be used by the DHCP Server service for matching the class ID provided by DHCP clients under ID or ASCII. To enter the data as hexadecimal byte numeric values, click the left side of the text box. To enter data as American Standard Code for Information Interchange (ASCII) text character values, click the right side of the text box.
  7. Click OK, and then click Close.

Configure a DHCP Scope with the New Class ID

  1. In DHCP Manager, double-click the appropriate DHCP scope.
  2. Right-click Scope Options and then click Configure Options.
  3. Click Advanced.
  4. Click to select the check box or boxes next to the features you want to use with the new vendor or user class.
  5. Click OK.

Set the Specified DHCP Class ID String for Client Computers

Client computers that connect to a Windows 2000-based DHCP server can use the
following command to set the specified DHCP class ID string:

ipconfig /setclassid adapter_name class_id

For example, to configure an adapter called “Local Area Connection” with a user
class ID called “myuserclass”, type ipconfig /setclassid “Local Area Connection” myuserclass
at a command prompt, and then press ENTER.
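The same user-class technique, scripted end to end on a current Windows Server DHCP role with the DhcpServer PowerShell module. This is an added example and not code from the TechRepublic post or from Microsoft KB Q240247; the cmdlets exist on Windows Server 2012 and later, not on the Windows 2000/2003 servers the post describes, where the MMC steps above are the only route. The scope, gateway address and class name are assumptions chosen for the example.

```powershell
# Added example (not from the original post or KB Q240247). Requires the
# DhcpServer module that ships with the Windows Server 2012+ DHCP role.
# Assumed values: scope 192.168.10.0/24, gateway 192.168.10.1, class "corp-client".
#Requires -Modules DhcpServer
$Scope     = '192.168.10.0'
$Gateway   = '192.168.10.1'
$ClassName = 'corp-client'

# 1. Define the user class. -Data is the string a client must send in the
#    DHCP user-class option; here it is the same as the display name.
if (-not (Get-DhcpServerv4Class -Type User -Name $ClassName -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Class -Name $ClassName -Type User -Data $ClassName `
        -Description 'Managed corporate workstations'
}

# 2. Strip the default gateway (option 3) from the scope itself, so a client
#    that presents no class, or an unknown class, still gets an address and
#    DNS from the scope but no router, and hence no route to the Internet.
Remove-DhcpServerv4OptionValue -ScopeId $Scope -OptionId 3 -ErrorAction SilentlyContinue

# 3. Hand the gateway out only to clients that present the class.
Set-DhcpServerv4OptionValue -ScopeId $Scope -UserClass $ClassName -Router $Gateway

# 4. Verify: the class-specific option set lists the router, the scope-level
#    option set (default class) must not.
Get-DhcpServerv4OptionValue -ScopeId $Scope -UserClass $ClassName
Get-DhcpServerv4OptionValue -ScopeId $Scope | Where-Object OptionId -eq 3   # expect no output

# On each managed client (elevated prompt), tag the adapter with the class
# and confirm it took effect; "Ethernet" is the assumed adapter name:
#   ipconfig /setclassid "Ethernet" corp-client
#   ipconfig /showclassid "Ethernet"
```

Keep in mind what this does and does not enforce. The class ID is chosen by the client (the ipconfig /setclassid command above is exactly what sets it), so a visitor who learns the class string, or who simply configures a static address and gateway, is not stopped; unclassed clients also still receive a lease and can reach hosts on the local segment. It prevents accidental Internet use by unmanaged machines, which is what the question asked for, but the proxy and separate guest-segment suggestions in the alternate solutions are the enforcement layer.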

Alternate solutions

Besides setting up a DHCP Class, there are some other ways
to restrict unauthorized machines from accessing the Internet.

Member markusfrei@gmx.net
suggested, “You could install a proxy server and set up your PCs to only be
allowed access to the Internet via that proxy server. Within the proxy server
you could then set the users who are allowed Internet access.”

Member rfurze
also provided a suggestion for allowing Internet access to guests, while
keeping the corporate network safe: “The visitors could plug into specific
connections in a conference room or guest area and those connections could go
back to a separate DMZ zone that isn’t on your regular network. If they don’t
need to login to your network and only need Internet access there is much less
risk and work involved if they are on their own separate network on a DMZ. I
would also recommend having an appropriate policy and procedure that they are
educated in, and sign off on, before they plug in.”


Note

The text of discussion posts from TechRepublic members has
been slightly edited for spelling, punctuation, and clarity.