Securing Corporate Integrity and Logons before providing network access

Hello.

I'm trying to figure out how to ensure users of our network have a few stipulated tools in place before logging into our corporate network.

If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:

- Domain Servers for Domain Users data shares
- Access to AD Controller for DHCP and DNS

Also, we'd like to make sure the Domain Computer is running a current version of our Trend Micro Antivirus Enterprise and that it is manageable by the Domain.

Is this possible?  

Our environment consists of the following:

-Extreme Networks Summit 400 48-Port Gigabit Switch
-App Servers: Exchange, SQL, Citrix, File Server, AD Servers (2) all running on 2003
-Windows XP or XP Pro clients

We have ScriptLogic if this will help.

Thanks

Jack

Asked by JackTibbitts
TannerMan commented:
I am perplexed by your desire here. Machines can ONLY be joined to the domain by admins. Users can ONLY be given access to the domain by admins. If you join a machine to the domain then you know, before ever joining it, if it has all the criteria you desire.

Also, in TrendMicro Corporate Edition you can set it up so that it requires a password for anyone to UNLOAD the officescan client....therefore....i

If you set up a new machine to join the network then you will know it has all required settings and software you mandate BEFORE you ever join it to the domain. Then.....no need to ever do pre-network access checks.

Does that make sense or am I completely missing the boat on this one?
TheCleaner commented:
With this statement:

If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:

- Domain Servers for Domain Users data shares
- Access to AD Controller for DHCP and DNS

=============================

I'm guessing he means a secure guest VLAN of sorts?

Are you saying if someone logs onto the machine as something other than a domain user? How would they do that unless they had a local account on that computer that they knew?
Mazaraat commented:
"If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:"

1.  Disable guest accounts or accounts for users who no longer work at the company.
2.  Use NTFS permissions on all network shares to secure them:
http://thelazyadmin.com/index.php?/archives/91-Lock-Down-Your-Share-Permissions.html

"Also, we'd like to make sure the Domain Compuer is running a current version of our Trend Micro Antivirus Enterprise and that it is Manageable by the Domain. "
1.  You can install software using group policies at logon:
http://www.computerperformance.co.uk/w2k3/gp/group_policy_software.htm

Howto group policies:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

download gpo manager:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

JackTibbitts (Author) commented:
Thanks for the replies. Sorry I'm late in replying...had to fly out last minute.

> Comment from TannerMan
> Date: 03/28/2006 08:08AM PST
>
> I am perplexed by your desire here. Machines can ONLY be joined to the domain by admins. Users can ONLY be given access to the domain by admins. If you join a machine to the domain then you know, before ever joining it, if it has all the criteria you desire.
>
> Also, in TrendMicro Corporate Edition you can set it up so that it requires a password for anyone to UNLOAD the officescan client....therefore....i
>
> If you set up a new machine to join the network then you will know it has all required settings and software you mandate BEFORE you ever join it to the domain. Then.....no need to ever do pre-network access checks.
>
> Does that make sense or am I completely missing the boat on this one?

Great comments. The machines are indeed added by Admins. We tend to have developers who modify their systems often on our network. We are trying to prevent folks from running apps and doing things that possibly disturb our security. If they plug into our network, we'd like to provide no connectivity internally or through the gateway unless they are logged into the network as both the Admin-added Domain Computer and Domain User.

Trend is great and PW protected from unload as you said. The monitoring of Trend only works if the user attaches to the network and the server verifies the status of the Trend Client. If they attach to the network as a workgroup and then connect to network shares for file access, we can't guarantee the virus protection is in place to a RWX mapped share. They would simply browse to the share, then type domain_name\user_name and they are attached. The Trend Server would only report that the client had not synched for so many days and also report on the version differences from last sync.


> Comment from TheCleaner
> Date: 03/28/2006 08:35AM PST
>
> With this statement:
>
> If they are not logged into a Domain Computer as a Domain User, we would like to prevent them from having access to the following:
>
> - Domain Servers for Domain Users data shares
> - Access to AD Controller for DHCP and DNS
>
> =============================
>
> I'm guessing he means a secure guest VLAN of sorts?
>
> Are you saying if someone logs onto the machine as something other than a domain user? How would they do that unless they had a local account on that computer that they knew?

Essentially, yes. If they are not logged into both a domain computer and domain user, we'd like them to essentially have a dead connection whether ethernet or wireless. Then, if they have both, we'd like to have the first action verify the Trend service is active and current or kick them off.

Do you guys think I am whacked?  :)

Thanks again.

-Jack
TheCleaner commented:
> If they plug into our network, we'd like to provide no connectivity internally or through the gateway unless they are logged into the network as both the Admin-added Domain Computer and Domain User.

This is done through 802.1X authentication and VLANs.

You'll need to call Extreme Networks and explain what you are trying to do and they can point you in the right direction.  If you are unfamiliar with the CLI in the switch or if the switch's licenses don't support it, they can tell you that, then you may need to have an Extreme tech come out and do this for you as a project.

The idea is:

1.  VendorA comes in with VendorA's laptop
2.  They connect to a network jack (or wireless)
3.  They are not part of your corporate network and therefore don't have the certificate needed for 802.1X authentication
4.  The switch throws them into a "guest VLAN" that has a route to the internet and that's it

OR

1.  EmployeeA turns on their domain computer
2.  They are connected to a network jack (or wireless)
3.  The computer has a certificate for the network so it authenticates to the 'network' with 802.1X
4.  The computer is put into the proper corp. VLAN
5.  The user signs on at the CTRL-ALT-DEL screen and they have a valid domain account and network access
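The two flows above come down to one RADIUS exchange between the switch (the 802.1X authenticator) and the authentication server: EAP-TLS either succeeds with a certificate the server trusts or it does not, and the reply carries the VLAN the port should land in. The model below is an added example, not code from this thread or from Extreme Networks; it follows RFC 2865 for the packet and Response Authenticator and RFC 2868 / RFC 3580 for the Tunnel-* attributes that carry the VLAN. The VLAN numbers, the CA name, the shared secret and the three policy inputs (issuer, certificate validity, whether the computer account still exists in AD) are assumptions for the illustration; the switch-side CLI that enables this is not shown.

```python
"""802.1X port assignment modelled as the RADIUS exchange behind it.
Added illustration, not code from this thread or from Extreme Networks.
Wire format follows RFC 2865 (Access-Accept/Reject, Response Authenticator)
and RFC 2868 / RFC 3580 (Tunnel-* attributes for dynamic VLAN assignment).
VLAN IDs, CA name, shared secret and policy inputs are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                        # RFC 2865 codes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13                                      # RFC 3580 s3.31
TUNNEL_MEDIUM_IEEE_802 = 6

CORP_VLAN = "10"                   # assumed: VLAN for domain-joined hosts
GUEST_VLAN = "99"                  # assumed: internet-only VLAN, also configured on the switch
CORP_CA = "CN=Corp Issuing CA"     # assumed: the only issuer the RADIUS server trusts
SECRET = b"example-shared-secret"  # assumed switch <-> RADIUS shared secret


def _attr(atype, value):
    """One RADIUS TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vlan_attributes(vlan_id, tag=1):
    """RFC 2868 tagged tunnel attributes telling the switch which VLAN to use."""
    t = bytes([tag])
    return (_attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, t + vlan_id.encode()))


def radius_response(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Switch side: discard replies that were not built with the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def authorize(cert_issuer, cert_valid, machine_in_domain, ident, request_auth):
    """RADIUS server policy applied to the EAP-TLS outcome:
    - no valid certificate            -> Access-Reject (vendor laptop, workgroup box)
    - our CA and computer still in AD -> Access-Accept, corporate VLAN
    - authenticated but anything else -> Access-Accept, parked in the guest VLAN"""
    if not cert_valid:
        return radius_response(ACCESS_REJECT, ident, request_auth, b"", SECRET)
    vlan = CORP_VLAN if (cert_issuer == CORP_CA and machine_in_domain) else GUEST_VLAN
    return radius_response(ACCESS_ACCEPT, ident, request_auth, vlan_attributes(vlan), SECRET)


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:                      # malformed length, stop rather than loop
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def switch_port_vlan(packet, request_auth, port_default_vlan="1"):
    """What the authenticator does with the reply (RFC 3580 s3.31):
    Accept with VLAN tunnel attributes -> that VLAN; Accept without -> port default;
    Reject, or a reply that fails the authenticator check -> local guest VLAN.
    A port with no supplicant at all never gets this far and stays in the guest VLAN."""
    if not verify_response(packet, request_auth, SECRET) or packet[0] != ACCESS_ACCEPT:
        return GUEST_VLAN
    attrs = parse_attributes(packet)
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return port_default_vlan
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:        # leading byte 0x01..0x1F is a tag (RFC 2868 s3.6)
        group = group[1:]
    return group.decode()


def port_vlan_for(cert_issuer, cert_valid, machine_in_domain):
    """Full round trip: switch asks, server decides, switch applies the answer."""
    ident, request_auth = 1, os.urandom(16)   # RFC 2865 s3: fresh 16-byte Request Authenticator
    reply = authorize(cert_issuer, cert_valid, machine_in_domain, ident, request_auth)
    return switch_port_vlan(reply, request_auth)


if __name__ == "__main__":
    print("employee laptop  ->", port_vlan_for(CORP_CA, True, True))
    print("vendor laptop    ->", port_vlan_for("CN=Vendor CA", False, False))
    print("removed computer ->", port_vlan_for(CORP_CA, True, False))
```

Two details matter for the "dead connection" goal in the question. First, the decision is made per port by the switch, before DHCP or DNS is reachable, which is what keeps a workgroup machine off the domain controllers entirely rather than merely off the shares. Second, the switch only honours a VLAN it can tie to the shared secret via the Response Authenticator; the tampered-reply case in the model lands in the guest VLAN for that reason.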
TheCleaner commented:
OH...and for the Trend thing, I don't know how that works exactly, but if it's managed by the domain, then Trend can tell you how to set it up to "verify updates" at each login/computer startup/according to a schedule, etc.

Other approaches are "host integrity checking", check google for various companies that offer that.
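The "verify at each login" and "host integrity checking" ideas above amount to the same thing: a check on the client that asks whether the antivirus services are running and whether the client and its pattern are current, with the answer deciding what the logon script does next. The script below is an added example of such a check, not Trend Micro's or this thread's code. The service names `ntrtscan` and `tmlisten`, the minimum version, the pattern-age limit and the `sc query` output are constructed assumptions; on a real XP client the output would come from running `sc query <service>` and the version and pattern date from the client's own configuration.

```python
"""Host-integrity check of the kind a logon script could run before mapping
drives: are the antivirus services running, is the client new enough, is the
virus pattern fresh? Added illustration, not Trend Micro's or the thread's code.
Service names, thresholds and the sample `sc query` output are assumptions."""
import re
from datetime import date

REQUIRED_SERVICES = ("ntrtscan", "tmlisten")   # assumed OfficeScan client service names
MIN_CLIENT_VERSION = (7, 3)                     # assumed minimum client version
MAX_PATTERN_AGE_DAYS = 3                        # assumed policy: pattern no older than 3 days

# Constructed sample output of `sc query <service>`, one entry per service.
SAMPLE_SC_QUERY = {
    "ntrtscan": """SERVICE_NAME: ntrtscan
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
""",
    "tmlisten": """SERVICE_NAME: tmlisten
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
""",
}

STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.M)


def service_state(sc_output):
    """Pull the textual state (RUNNING, STOPPED, ...) out of `sc query` output."""
    m = STATE_RE.search(sc_output)
    return m.group(1) if m else "UNKNOWN"


def parse_version(text):
    """'7.3.0' -> (7, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_host(sc_outputs, client_version, pattern_date, today):
    """Return a list of findings; an empty list means the host passes the policy."""
    findings = []
    for svc in REQUIRED_SERVICES:
        state = service_state(sc_outputs.get(svc, ""))
        if state != "RUNNING":
            findings.append(f"service {svc} is {state}")
    if parse_version(client_version) < MIN_CLIENT_VERSION:
        findings.append(f"client version {client_version} below minimum")
    age = (today - pattern_date).days
    if age > MAX_PATTERN_AGE_DAYS:
        findings.append(f"virus pattern is {age} days old")
    return findings


def logon_action(findings):
    """What the logon script does with the result: map shares or stop and tell the user."""
    return "MAP_SHARES" if not findings else "DENY_SHARES"


if __name__ == "__main__":
    result = check_host(SAMPLE_SC_QUERY, "7.3.0", date(2006, 3, 20), date(2006, 3, 28))
    print(logon_action(result))
    for line in result:
        print(" -", line)
```

The limit of this approach is that it runs on the client with whatever rights the user has there, so a developer who is local administrator can stop the service after the check or skip the logon script altogether; it catches drift, not a determined user. That is why the 802.1X and VLAN design in the earlier answer belongs underneath it: the network decides whether the machine is a domain computer at all, and the logon-time check then only has to police machines that already passed that gate.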