Actively Securing a Windows Network from Rogue Systems

By Aaron_Wurthmann ·
I think the time has come in this day and age for us all to start to consider the following as fact. People bring systems in from home even though they shouldn't, and people run rogue OSes (Linux, Windows ME, etc.). Whilst I have no real problem with Linux (despite my avatar) or any non-Windows OS, I run a Windows-only shop; we patch, secure and run Windows only. Anything outside of that is therefore not secured by me. So the question comes down to this...

How do I force all systems on a given network to join the Windows domain and get settings (ISA Client, Windows Firewall, IPSec, 802.11x, or whatever) that only allow Windows Domain clients to talk to Windows servers in the same domain?

Environment Details:
There are currently 4 subnets being routed via a 7i. That can easily be changed to the ISA server doing the workload and later be transitioned to an ISA cluster for redundancy.

Currently an ISA 2006 server sits "behind" the 7i and routes/firewalls all outbound traffic. Behind the ISA server is another firewall and then a router, etc...

All production clients and servers are currently on the same network/subnet/VLAN. The other 3 networks are variations of test networks. The DNS servers in the test networks have the production DNS servers set up as forwarders. This is required as only the production DNS servers can talk outside for DNS info.

Some ideas I had...
I had this thought about using ISA clients distributed via GPO to all production clients, with the servers being on a new subnet. Then I could have a rule that said only ISA clients can talk to the server subnet on the production/client network. The problem with this, however, is that there is no intuitive way to set a rule that says something like that. There is a concept of SecureNAT in ISA, but for the life of me I don't get it. That brings me back to an IPSec policy being pushed via GPO, but with the test networks needing to talk to the DNS servers and the WSUS server and possibly the occasional production file server, the idea of pushing an IPSec policy scares me a little, as I don't want to force the test network systems to use a policy I only want to affect the production client network.

Your thoughts? Maybe I am missing something totally obvious; maybe someone can explain what ISA SecureNAT clients give me.


All Answers

by retro77 In reply to Actively Securing a Windo ...

In order to stop people from bringing in their home laptops, you have to get HR to sign off on a policy that you create. You have to letter it something with the idea of punishment up to and including termination.

You gotta get your whole chain of command to sign off on it, then have your highest level take it to HR or even the board to sign off on it and make it policy.

Are the rogue systems connecting via wireless or wired connections? If wireless, set up your security on the access points. Make it use the encryption with the long passcode that others don't know. If wired, then shut down unused ports on your switches.


Not cheap

by scott_heath In reply to Actively Securing a Windo ...

There are products, mostly used for external access, that can check a client's patch level, installed apps, virus scan dat version, etc. before allowing it network access. But you may have to shell out a ton of money and make network changes to get it all working.

Try disabling extra network ports where no one is sitting in the switch. I find that keeps some of the issues down. Question: besides not liking it, what are the real problems caused?


What are the real problems caused

by Aaron_Wurthmann In reply to Not cheap

Good question...
A real-life example would have been last year when a rogue system was brought in with a worm on it. The worm was really basic: "look for systems without administrator passwords or with weak passwords and propagate". Now mind you, NO production machines are set up with such relaxed security, BUT there are plenty of easy pickings in the lab. Before you know it I had a whole network of compromised systems. It was super fun to clean up. That was then, and yes there are HR policies.. yawn, like they are going to let an Engineer go or a VP of Sales.. I wish. And yes, the ISA firewall now prohibits anything that isn't 80, 443, 21, 20 and speaking the correct protocols of which.. but that STILL doesn't solve the problem at hand.

What is equally annoying is that when I was at this big company in Redmond that you might have heard of, they had what I am describing: you could not print or even talk to DNS servers without being on the domain. Hmm, I suppose I could call my TAM and ask him WTF.


Just a thought

by Chris910 In reply to Actively Securing a Windo ...

You did not state how big your network was.

Create reservations for all of your approved workstations in DHCP and then have all of the unreserved workstations assigned to addresses/subnet with limited/no access to network resources.

This may work for casual (70%) users but will not stop those who really want access.
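One way to operationalise the reservation idea on the defensive side is to reconcile the DHCP scope against the domain: every lease whose hostname has no matching computer account (or that is not an active reservation) is a candidate rogue system worth looking at. This is an added example, not code from the thread; it assumes the DhcpServer and ActiveDirectory PowerShell modules (Windows Server 2012+ or RSAT), and uses a hypothetical DHCP server name and a constructed production scope.

```powershell
# Added example: flag DHCP leases in the production scope that do not belong to a
# domain-joined computer.  Assumes the DhcpServer and ActiveDirectory modules.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer = 'dhcp01'      # hypothetical DHCP server name (assumption)
$ScopeId    = '10.0.1.0'    # constructed 24-bit production scope (assumption)

# Index every computer account in the domain by its short (case-insensitive) name.
$domainHosts = @{}
Get-ADComputer -Filter * | ForEach-Object {
    $domainHosts[$_.Name.ToLower()] = $_
}

# Pull the current leases for the production scope.  Each lease carries the
# hostname the client reported, its MAC (ClientId) and the address state.
$leases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId

$suspects = foreach ($lease in $leases) {
    # The client may report a bare name or an FQDN; compare on the first label only.
    $shortName = ($lease.HostName -split '\.')[0]
    $inDomain  = (-not [string]::IsNullOrEmpty($shortName)) -and
                 $domainHosts.ContainsKey($shortName.ToLower())
    # AddressState contains "Reservation" for reserved addresses.
    $isReserved = $lease.AddressState -match 'Reservation'

    if (-not $inDomain -or -not $isReserved) {
        [pscustomobject]@{
            IPAddress   = $lease.IPAddress
            MacAddress  = $lease.ClientId
            HostName    = $lease.HostName
            InDomain    = $inDomain
            Reserved    = $isReserved
            LeaseExpiry = $lease.LeaseExpiryTime
        }
    }
}

# Review list: unknown hosts first, then known hosts that merely lack a reservation.
$suspects | Sort-Object InDomain, IPAddress | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new entry with InDomain = False is the "home laptop" case the thread is about, and a known host without a reservation is one to reserve before the scope is locked down.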


Re: You did not state how big your network was

by Aaron_Wurthmann In reply to Just a thought

The production network is a 24-bit subnet; there are probably 20 servers, and the DHCP scope is for 200 client systems.

Yeah.. I could do that, but the TCO on that isn't worthwhile; plus it's a networking company, so 75% of the user base would figure that out. Stupid, err, smart users. :)


I agree it might have been workable on a small Net

by Chris910 In reply to Re: You did not state how ...

I'd give them their own network.

by Virtual1 In reply to Actively Securing a Windo ...

To heck with all the BS. Secure your network and give them their own playground. Make it wireless, but don't let them use any other resources other than internet.

Either buy them a $20 per month DSL circuit, or set up a VLAN, then build a gateway server that makes them authenticate with RAS, and hand out your own USB Wi-Fi sticks that you've pre-mapped the MACs to on the router if they want to get on at all. Set up one wireless printer that they can use and be done with them.


Re: I'd give them their own network.

by Aaron_Wurthmann In reply to I'd give them their own n ...

I like the way you are thinking. 200-something systems on a G or even N is gonna get pretty sluggish though... there is something to be said for their own network though. I think that is the direction I am going in. I guess I should pick up an ISA book and figure out what the ISA Client gives me in the way of identifying systems running with it. The annoying part is you can throttle bandwidth based on user or group with it.. BUT not security. grrr...


Keep it separate

by retro77 In reply to Re: I'd give them their o ...

Put all the ports that are not in use by company computers on an open VLAN that can not route to any other VLANS except the one that dumps them on the internet.

You could put a low end server on that VLAN to hand out DHCP and the likes.

Also, as far as the DNS security... are you running M$ DNS? Sure you are... hehe... there is a security tab there and I'm sure you could take out Authenticated Users [as long as Domain Users is still in there] and any other 'open' groups that are in there. It might have 'Everyone'; mine didn't, and it's a pretty much default setup.


Check out

by pstech In reply to Keep it separate

For lots of interesting "securing with ISA" info, go to They have all kinds of tutorials and how-to articles to help.
