JackTibbitts
asked on
Securing Corporate Integrity and Logons before providing network access
Hello.
I'm trying to figure out how to ensure users of our network have a few stipulated tools in place before logging into our corporate network.
If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:
- Domain Servers for Domain Users data shares
- Access to AD Controller for DHCP and DNS
Also, we'd like to make sure the Domain Computer is running a current version of our Trend Micro Antivirus Enterprise and that it is manageable by the Domain.
Is this possible?
Our environment consists of the following:
- Extreme Networks Summit 400 48-Port Gigabit Switch
- App Servers: Exchange, SQL, Citrix, File Server, AD Servers (2) all running on 2003
- Windows XP or XP Pro clients
We have ScriptLogic if this will help.
Thanks
Jack
With this statement:
If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:
- Domain Servers for Domain Users data shares
- Access to AD Controller for DHCP and DNS
==========================
I'm guessing he means a secure guest VLAN of sorts?
Are you saying if someone logs onto the machine as something other than a domain user? How would they do that unless they had a local account on that computer that they knew?
ASKER
Thanks for the replies. Sorry I'm late in replying...had to fly out last minute.
>Comment from TannerMan
>Date: 03/28/2006 08:08AM PST
> Comment
>
>I am perplexed by your desire here. Machines can ONLY be joined to the domain by admins. Users can ONLY be given access to the domain by Admins. If you join a machine to the domain then you know, before ever joining it, if it has all the criteria you desire.
>
>Also, in TrendMicro Corporate Edition you can set it up so that it requires a password for anyone to UNLOAD the OfficeScan client....therefore....i
>
>If you setup a new machine to join the network then you will know it has all required settings and software you mandate BEFORE you ever join it to the domain. Then.....no need to ever do pre-network access checks.
>
>Does that make sense or am I completely missing the boat on this one?
Great comments. The machines are indeed added by Admins. We tend to have developers who modify their systems often on our network. We are trying to prevent folks from running apps and doing things that possibly disturb our security. If they plug into our network, we'd like to provide no connectivity internally or through the gateway unless they are logged into the network as both the Admin-added Domain Computer and Domain User.
Trend is great and PW protected from unload as you said. The monitoring of Trend only works if the user attaches to the network and the server verifies the status of the Trend Client. If they attach to the network as a workgroup and then connect to network shares for file access, we can't guarantee the virus protection is in place to a RWX mapped share. They would simply browse to the share, then type domain_name\user_name and they are attached. The Trend Server would only report that the client had not synched for so many days and also report on the version differences from last sync.
>Comment from TheCleaner
>Date: 03/28/2006 08:35AM PST
> Comment Accept
>
>With this statement:
>
>If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:
>
>- Domain Servers for Domain Users data shares
>- Access to AD Controller for DHCP and DNS
>
>=========================
>
>I'm guessing he means a secure guest VLAN of sorts?
>
>Are you saying if someone logs onto the machine as something other than a domain user? How would they do that unless they had a local account on that computer that they knew?
Essentially, yes. If they are not logged into both a domain computer and domain user, we'd like them to essentially have a dead connection whether ethernet or wireless. Then, if they have both, we'd like to have the first action verify the Trend service is active and current or kick them off.
Do you guys think I am whacked? :)
Thanks again.
-Jack
OH...and for the Trend thing, I don't know how that works exactly, but if it's managed by the domain, then Trend can tell you how to set it up to "verify updates" at each login/computer startup/according to a schedule, etc.
Other approaches are "host integrity checking"; check Google for various companies that offer that.
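The kind of logon-time host integrity check the asker describes (domain-joined computer, domain user, Trend real-time scan service running and pattern file current), written here as an added PowerShell example and not taken from the thread or from Trend Micro. The domain name, the OfficeScan service name `ntrtscan`, and the pattern-file location are assumptions to confirm against your own OfficeScan console; the script only reports a pass/fail exit code for the logon script (ScriptLogic or otherwise) to act on.

```powershell
# Added example, not from the thread. Run from a logon script; a non-zero exit is
# what the logon script acts on. Service name, pattern path and domain are ASSUMED.
param(
    [string]$ExpectedDomain    = 'CORP',      # placeholder: your domain's NetBIOS name
    [string]$AvServiceName     = 'ntrtscan',  # assumed OfficeScan real-time scan service
    [string]$AvPatternGlob     = 'C:\Program Files\Trend Micro\OfficeScan Client\lpt$vpn.*',  # assumed pattern file location
    [int]   $MaxPatternAgeDays = 3
)

function Test-HostIntegrity {
    param([string]$Domain, [string]$Service, [string]$PatternGlob, [int]$MaxAgeDays)
    $failures = @()
    # 1. The computer must be joined to the expected domain, not a workgroup.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $failures += 'computer is in a workgroup, not joined to the domain'
    } elseif ($cs.Domain -notlike "$Domain*") {
        $failures += "computer is joined to '$($cs.Domain)', not '$Domain'"
    }

    # 2. The interactive user must be a domain account; a local account shows
    #    the computer name as its authority (COMPUTERNAME\user).
    $user = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($user.Split('\')[0] -ieq $env:COMPUTERNAME) {
        $failures += "logged on with local account '$user'"
    }

    # 3. The AV real-time scan service must be installed and running.
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if (-not $svc) {
        $failures += "AV service '$Service' is not installed"
    } elseif ($svc.Status -ne 'Running') {
        $failures += "AV service '$Service' is $($svc.Status), not Running"
    }

    # 4. The newest pattern file must be recent, judged by its last-write time.
    $pattern = Get-ChildItem -Path $PatternGlob -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $pattern) {
        $failures += 'no AV pattern file found'
    } elseif (((Get-Date) - $pattern.LastWriteTime).TotalDays -gt $MaxAgeDays) {
        $failures += "AV pattern last written $($pattern.LastWriteTime.ToShortDateString()), older than $MaxAgeDays days"
    }
    return ,$failures
}

$failures = Test-HostIntegrity $ExpectedDomain $AvServiceName $AvPatternGlob $MaxPatternAgeDays
if ($failures.Count -eq 0) { Write-Output 'PASS: host meets the integrity policy'; exit 0 }
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

A local check like this is only as trustworthy as the machine running it; the guest-VLAN or 802.1X approach discussed above enforces the decision from the switch side, where a tampered client cannot skip it.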
Also, in TrendMicro Corporate Edition you can set it up so that it requires a password for anyone to UNLOAD the OfficeScan client....therefore....i
If you setup a new machine to join the network then you will know it has all required settings and software you mandate BEFORE you ever join it to the domain. Then.....no need to ever do pre-network access checks.
Does that make sense or am I completely missing the boat on this one?