Securing Corporate Integrity and Logons before providing network access

Hello.

I'm trying to figure out how to ensure users of our network have a few stipulated tools in place before logging into our corporate network.

If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:

- Domain Servers for Domain Users data shares
- Access to AD Controller for DHCP and DNS

Also, we'd like to make sure the Domain Computer is running a current version of our Trend Micro Antivirus Enterprise and that it is Manageable by the Domain.

Is this possible?

Our environment consists of the following:

- Extreme Networks Summit 400 48-Port Gigabit Switch
- App Servers: Exchange, SQL, Citrix, File Server, AD Servers (2) all running on 2003
- Windows XP or XP Pro clients

We have ScriptLogic if this will help.

Thanks

Jack

JackTibbittsAsked:

TannerManCommented:
I am perplexed by your desire here. Machines can ONLY be joined to the domain by admins. Users can ONLY be given access to the domain by Admins. If you join a machine to the domain then you know, before ever joining it, if it has all the criteria you desire.

Also, in TrendMicro Corporate Edition you can set it up so that it requires a password for anyone to UNLOAD the officescan client....therefore....i

If you setup a new machine to join the network then you will know it has all required settings and software you mandate BEFORE you ever join it to the domain. Then.....no need to ever do pre-network access checks.

Does that make sense or am I completely missing the boat on this one?
0
TheCleanerCommented:
With this statement:

If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:

- Domain Servers for Domain Users data shares
- Access to AD Controller for DHCP and DNS

=============================

I'm guessing he means a secure guest VLAN of sorts?

Are you saying if someone logs onto the machine as something other than a domain user? How would they do that unless they had a local account on that computer that they knew?
0
MazaraatCommented:
"If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:"

1.  Disable guest accounts or accounts for users who no longer work at the company.
2.  Use NTFS permissions on all network shares to secure them:
http://thelazyadmin.com/index.php?/archives/91-Lock-Down-Your-Share-Permissions.html

"Also, we'd like to make sure the Domain Computer is running a current version of our Trend Micro Antivirus Enterprise and that it is Manageable by the Domain."
1.  You can install software using group policies at logon:
http://www.computerperformance.co.uk/w2k3/gp/group_policy_software.htm

Howto group policies:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

download gpo manager:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

0

JackTibbittsAuthor Commented:
Thanks for the replies. Sorry I'm late in replying...had to fly out last minute.

>Comment from TannerMan
>Date: 03/28/2006 08:08AM PST
>
>I am perplexed by your desire here. Machines can ONLY be joined to the domain by admins. Users can ONLY be given access to the domain by Admins. If you join a machine to the domain then you know, before ever joining it, if it has all the criteria you desire.
>
>Also, in TrendMicro Corporate Edition you can set it up so that it requires a password for anyone to UNLOAD the officescan client....therefore....i
>
>If you setup a new machine to join the network then you will know it has all required settings and software you mandate BEFORE you ever join it to the domain. Then.....no need to ever do pre-network access checks.
>
>Does that make sense or am I completely missing the boat on this one?

Great comments. The machines are indeed added by Admins. We tend to have developers who modify their systems often on our network. We are trying to prevent folks from running apps and doing things that possibly disturb our security. If they plug into our network, we'd like to provide no connectivity internally or through the gateway unless they are logged into the network as both the Admin added Domain Computer and Domain User.

Trend is great and PW protected from unload as you said. The monitoring of Trend only works if the user attaches to the network and the server verifies the status of the Trend Client. If they attach to the network as a workgroup and then connect to network shares for file access, we can't guarantee the virus protection is in place to a RWX mapped share. They would simply browse to the share, then type domain_name\user_name and they are attached. The Trend Server would only report that the client had not synced for so many days and also report on the version differences from last sync.


>Comment from TheCleaner
>Date: 03/28/2006 08:35AM PST
>
>With this statement:
>
>If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:
>
>- Domain Servers for Domain Users data shares
>- Access to AD Controller for DHCP and DNS
>
>=============================
>
>I'm guessing he means a secure guest VLAN of sorts?
>
>Are you saying if someone logs onto the machine as something other than a domain user? How would they do that unless they had a local account on that computer that they knew?

Essentially, yes. If they are not logged into both a domain computer and domain user, we'd like them to essentially have a dead connection whether ethernet or wireless. Then, if they have both, we'd like to have the first action verify the Trend service is active and current or kick them off.

Do you guys think I am whacked?  :)

Thanks again.

-Jack
0
TheCleanerCommented:
>If they plug into our network, we'd like to provide no connectivity internally or through the gateway unless they are logged into the network as both the Admin added Domain Computer and Domain User.

This is done through 802.1X authentication and VLANs.

You'll need to call Extreme Networks and explain what you are trying to do and they can point you in the right direction. If you are unfamiliar with the CLI in the switch, or if the switch's licenses don't support it, they can tell you that; then you may need to have an Extreme tech come out and do this for you as a project.

The idea is:

1.  VendorA comes in with VendorA's laptop
2.  They connect to a network jack (or wireless)
3.  They are not part of your corporate network and therefore don't have the certificate needed for 802.1X authentication
4.  The switch throws them into a "guest VLAN" that has a route to the internet and that's it

OR

1.  EmployeeA turns on their domain computer
2.  They are connected to a network jack (or wireless)
3.  The computer has a certificate for the network so it authenticates to the 'network' with 802.1X
4.  The computer is put into the proper corp. VLAN
5.  The user signs on at the CTRL-ALT-DEL screen and they have a valid domain account and network access
0
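The RADIUS side of the two scenarios above, as an added example that is not from the thread or from Extreme Networks: the switch forwards the supplicant's EAP-TLS identity to a RADIUS server, and the server's Access-Accept carries the RFC 2868 tunnel attributes (the RFC 3580 dynamic-VLAN convention) that tell the switch whether the port lands in the corporate VLAN or the guest VLAN. Whether the Summit 400 honours these attributes is an assumption, not something the thread confirms; the certificate check is reduced to a constructed dict, and the VLAN ids, CA name and computer accounts are constructed stand-ins.

```python
import struct

# RFC 2868 tunnel attribute types and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
CORP_VLAN, GUEST_VLAN = "10", "99"              # constructed VLAN ids
CORP_CA = "CN=Corp Issuing CA"                  # constructed issuer name
DOMAIN_COMPUTERS = {"WS-DEV01$", "WS-FIN02$"}   # constructed AD computer accounts

def choose_vlan(supplicant):
    """Corp VLAN only when the machine cert chains to the corporate CA and names a
    known domain computer; a vendor laptop or workgroup box gets the guest VLAN.
    A real server validates the X.509 chain; here that result is a constructed dict."""
    if (supplicant.get("cert_valid", False)
            and supplicant.get("cert_issuer") == CORP_CA
            and supplicant.get("subject") in DOMAIN_COMPUTERS):
        return CORP_VLAN
    return GUEST_VLAN

def tagged_int(attr_type, value, tag=1):
    # Type, Length=6, Tag, 3-byte big-endian value (RFC 2868 section 3.1)
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr_type, text, tag=1):
    # Type, Length, Tag, String (RFC 2868 section 3.6)
    data = text.encode()
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data

def vlan_attributes(vlan_id):
    """Attribute set an Access-Accept carries to place the port in vlan_id."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan_id))

def parse_attributes(blob):
    """Walk the AVP list the way the switch does: {type: (tag, value bytes)}."""
    out, i = {}, 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 3 or i + ln > len(blob):
            raise ValueError("malformed tunnel attribute")
        out[t] = (blob[i + 2], blob[i + 3:i + ln])
        i += ln
    return out

def vlan_from_accept(blob):
    """VLAN id the switch would apply, or an error if the accept grants no VLAN."""
    attrs = parse_attributes(blob)
    if int.from_bytes(attrs[TUNNEL_TYPE][1], "big") != TUNNEL_TYPE_VLAN:
        raise ValueError("Access-Accept does not carry a VLAN assignment")
    return attrs[TUNNEL_PRIVATE_GROUP_ID][1].decode()
```

`vlan_from_accept(vlan_attributes(choose_vlan(host)))` returns "10" for a domain computer with a valid corporate certificate and "99" for anything else, which is the dead-end guest path Jack asked for.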
TheCleanerCommented:
OH...and for the Trend thing, I don't know how that works exactly, but if it's managed by the domain, then Trend can tell you how to set it up to "verify updates" at each login/computer startup/according to a schedule, etc.

Other approaches are "host integrity checking"; check Google for various companies that offer that.
0