If DHCP won't work, what should I use instead to prevent unauthorized access to the network? Can I configure the Group Policy Object Editor to prevent computers from joining the domain or getting network access in Windows Server 2003? What are the steps to go about this?
DHCP has nothing to do with preventing and securing your domain...
You can lock down share and file server access via NTFS and share permissions on your shares. You can also look at playing with IPsec policies to secure your domain pretty heavily, but that gets complex.
Your simplest solution is NTFS permissions on shares.
Computers should only be able to join the domain if they supply a domain admin password, so that shouldn't be hard to control. As far as network access, there are lots of options. The PCI compliance board suggests deactivating network jacks that are not in use. If you have a managed switch, you could configure it so the unused ports are in a different VLAN without access. Some switches and firewalls can be set up to check Active Directory and authenticate machines or users. DHCP could be used as well: you could create reservations for all the known computers and block unknown machines. How many network ports are you dealing with... that are available to be misused or whatever?
The only way you could prevent network access would be if you had a product like ISA Server, which you could set up to prevent network access unless properly authenticated. (It also depends on what you mean by network access: LAN access, internet access, or both?) This is quite a complex scenario, not really suitable for a small network. If you still want to know more, let us know.
I mean, if you are going for a tight domain, you should have to have a domain admin password to join a domain. If you never changed that: on any DC, go to the Administrative Tools menu and open the Domain Security Policy console. Under Security Settings/Local Policies/User Rights Assignment, you'll see "Add workstations to domain". Set the rights on this so that only Domain Admins can do it. If you set up DHCP with reservations for all known computers and no range that is outside the reservation list, then a new, unknown computer would not get an address. Could a savvy user still set a static IP and get access? Yes, but the average Joe wouldn't be on it. The feasibility of this depends on the number of machines we are talking about here.
Ah, agreed, that policy should definitely be turned on :)
There are some pretty cool tools coming from MS regarding all this security - Network Protection tools that are going to make life a whooole load easier - but at a price.
Firstly, define "network" access. You could attack this from a network context and use, in Cisco terms, Network Admission Control. This will heavily depend on your networking hardware: if your hardware has the smarts, it can be configured to check whether a given system is allowed network service or not, and if not, prevent it from gaining network access. The DHCP "static" reservations kinda work, but their major letdown is that anybody could just configure their machine with a valid IP address in range and get network access.
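The static-IP gap in the DHCP-reservation approach discussed above can at least be detected. The following is an added example, not part of any post in this thread: it compares Windows `arp -a` output against the reservation list and flags hosts that are on the LAN without a matching reservation. The reservation CSV format, the addresses and the function names are assumptions made for illustration.

```python
import re

# Constructed allowlist: IP,MAC pairs entered as DHCP reservations (hypothetical values).
RESERVATIONS = """\
192.168.1.20,00-11-22-33-44-55
192.168.1.21,00-11-22-33-44-66
"""

# Constructed sample of Windows `arp -a` output taken on a machine on the LAN.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.21          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.77          00-de-ad-be-ef-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One ARP table row: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$")

def norm_mac(mac):
    """Normalise a MAC to lower-case, dash-separated form."""
    return mac.replace(":", "-").lower()

def load_reservations(text):
    """Parse 'ip,mac' lines into a dict of ip -> mac."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            ip, mac = [field.strip() for field in line.split(",")]
            table[ip] = norm_mac(mac)
    return table

def audit(arp_text, reservations):
    """Return (ip, mac, reason) for every ARP entry without a matching reservation."""
    known_macs = set(reservations.values())
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.match(line)
        if not m or m.group(3) != "dynamic":  # skip headers and broadcast/static rows
            continue
        ip, mac = m.group(1), norm_mac(m.group(2))
        if ip in reservations and reservations[ip] != mac:
            findings.append((ip, mac, "reserved IP used by a different MAC"))
        elif mac not in known_macs:
            findings.append((ip, mac, "MAC has no reservation"))
    return findings

if __name__ == "__main__":
    for ip, mac, why in audit(ARP_OUTPUT, load_reservations(RESERVATIONS)):
        print(f"{ip:15} {mac}  {why}")
```

An ARP cache only lists hosts the machine has recently exchanged traffic with, so the check is most useful when run on the gateway or a busy server.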
Thanks a lot for all your comments. I think I'm going to learn more about setting up and configuring the ISA Server to properly authenticate the computers or users. By network access, I am referring to my local area network.