Blocking internet access to non-domain member computers

pascal_p asked
Last Modified: 2013-12-04
Hi,

I manage a small network and I noticed the following: as soon as I plug any computer into our network, it gets an IP address from our DHCP server and can access the internet. I would like to limit internet access to computers which have domain accounts only.
I know one way would be to set up MAC filtering, but that would take a while and require maintenance.
Is there a setting in Windows 2000 Server DHCP which will do the job? Or a policy?

Thanks

Commented:
I don't know of anything in DHCP that could be used for that.

As you point out using HW address reservations is a management nightmare.

Microsoft is mentioning using IPSEC so that only people in your domain can talk to you.
http://www.microsoft.com/downloads/info.aspx?na=22&p=18&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d156c73a1-f9c2-41c7-b5c1-a509fb255447%26DisplayLang%3den

Others (with newer network switches) are looking at 802.1x so that your computers authenticate to the network equipment before getting on the network. That is kind of an involved project.

And of course others have the philosophy: let them on, but they must meet my policy, using products like Cisco NAC or Clean Access to do that.
Commented:
Never mind, I was answering a question of my own making. I'd say the easiest way to block internet access to unauthorized users is to have a password-protected HTTP proxy.
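
As an added illustration (not part of the original thread), this is the per-request gate a password-protected HTTP proxy applies: a machine that only obtained a DHCP lease and presents no valid credentials is answered with 407. Basic authentication, the `USERS` table and the function names are assumptions made for the example; a production proxy would validate against the domain directory instead.

```python
import base64
import hmac

# Constructed credential store (assumption): stands in for the domain directory.
USERS = {"alice": "correct horse battery"}

CHALLENGE = {"Proxy-Authenticate": 'Basic realm="internet-access"'}


def basic_header(user, password):
    """Build the Proxy-Authorization value a configured client would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_proxy_auth(headers):
    """Return (status, extra_headers) for one proxied request.

    407 tells the client it must authenticate to the proxy before any
    request is forwarded; 200 means the request may be forwarded.
    """
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 407, CHALLENGE
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return 407, CHALLENGE
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    # Compare even for unknown users so timing does not reveal valid names.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    if not sep or expected is None or not ok:
        return 407, CHALLENGE
    return 200, {}


if __name__ == "__main__":
    print(check_proxy_auth({}))  # unconfigured machine, no credentials
    print(check_proxy_auth(
        {"Proxy-Authorization": basic_header("alice", "correct horse battery")}))
```

The gate only limits internet access if the firewall permits outbound web traffic from the proxy alone, so that clients cannot bypass it.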

Commented:
Change the security permissions on iexplore.exe so that only the users you want to allow internet access via IE can run it.

Author

Commented:
I'll accept boywaja's response as the most practical. Second response requires you having access to a non-domain member computer. If someone off the street would plug into my network (over my dead body), they would have internet access and I could not necessarily change their internet options.
It's surprising that Microsoft has not linked computer domain accounts and DHCP. Assuming network printers could be given network accounts.

Thanks everyone.