<div>
What are you using for switching? Any enterprise grade switch should be able to block access to a certain mac address to a switch port. I know cisco can do it.
</div>


<div>
@Spar-Q: Thanks for the quick response! Firewall/Router is the SonicWALL...all the switches are dumb (unmanaged).
</div>


<div>
Then there is no reliable way to accomplish your goal. I'm not familliar with how the sonicwall works, but you may be able to block access to the internet from it via mac filtering... but he could get onto the network just fine via setting his IP statically if he wanted.<br />
<br />
If you are assuming he is absolutely too stupid to do that, and will rely solely on DHCP, then you can try setting a reservation on the server using his MAC address, and seclude him to some random subnet not used on your network. Like, 10.,234.134.0 for example. I'm not 100% sure this will work, but it's an idea that just came to mind. This will limit his ability to communicate with any other hosts on the network, except maybe just the DHCP server.<br />
<br />
I'll play around with this idea and see if I can find instructions for you to do it.
</div>


<div>
Yes, she is not tech savvy at all...she would not even know how to assign a static IP address to herself.<br />
<br />
Thanks for diggin deeper.
</div>


<div>
Hell - I just played around in my server 2008 r2 VM, and it may be easier than that, even.<br />
<br />
Right click on the IPV4 (and IPV6) parts of the tree in the DHCP server. Select properties. Go to the &quot;Filters&quot; tab. Check off Deny. Now go to the filters section under the IPV4 and IPV6 trees, and add the MAC address to those lists. It will prevent that MAC from getting a DHCP lease.<br />
<br />
But as I stated earlier. The person could circumvent that by setting an IP manually.
</div>


<div>
In 2k3 I don't have an IPV4 or 6 part of the tree under the DNCP server. Attached is what I am looking at.<br />
<a href="https://filedb.experts-exchange.com/incoming/2011/10_w41/510065/DHCP-Tree-SBS2k3.JPG" target="_blank" class="file-inline" title="DHCP Tree - SBS 2k3 (29 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>DHCP-Tree-SBS2k3.JPG</a>
</div>


DHCP-Tree-SBS2k3.JPG

<div>
Oh, hmm. I misread that you were using sbs2008. I'll have to get back to you then. May take until tomorrow.
</div>


<div>
I'm not sure if this will work either but here is what I did so far. (attached)<br />
<a href="https://filedb.experts-exchange.com/incoming/2011/10_w41/510075/DHCP-ErroneousReservation.JPG" target="_blank" class="file-inline" title="DHCP - Erroneous Reservation (25 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>DHCP-ErroneousReservation.JPG</a>
</div>


DHCP-ErroneousReservation.JPG

<div>
That would work to prevent access to the internet, but the machine would still be able to communicate over the network. A virus could broadcast to 192.168.0.255 or 255.255.255.255, and other machines would have to process the packet.<br />
<br />
But now that I say that, I think my previous hack solution would produce the same vulnerability. A broadcast to 255.255.255.255 would hit all machines, even if the computer's IP was 199.199.199.198.<br />
<br />
So in the end, your solution will help mitigate SOME threats, its still not flawless. You would need a managed switch to really block access.
</div>


<div>
I discarded our workaround and installed the Call Out addon successfully. I am not seeing her registered in DHCP but I also have not confirmed that she has tried as of yet...but the solution looks promising. If she gains no IP nothing will transmit, correct?!
</div>


<div>
She will get an IP of 169.254.x.x with subnet 255.255.0.0. As stated, a broadcast to 255.255.255.255 will still reach all computers on the segment of LAN not separated by your sonicwall. Also, she can communicate with any other PC on the segment with apipa.
</div>


<div>
Aaa ic. So this IS still a faulty solution in lowering threat risk. Any other thoughts on how to do this then?
</div>


<div>
Only way, like I said, is to block it at the switch port. But since your switch is unmanaged, that's a non-starter.
</div>


<div>
Well, here's a convoluted solution: implement ipsec on your network, and only allow communication that is authenticated. I'm no ipsec expert, but I think it could work. It would be overkill though, and would degrade your network performance and be a bitch to setup on all computers.
</div>


<div>
I see. Yeah this is a small environment - I think your right with overkill. If she can't follow directions they should just replace her. I will award you points for the Call Out solution - initially w/o the security threat issues it does satisfy the requirement on not letting her on the internet or network in the non-tech savvy way, meaning she would not know how to access it via apipa, etc. Simply trying to go to the web and it failing will suffice. Thanks for all your efforts!<br />
<br />
P.S. here is the site to download the Call Out Add On: <a href="http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx" rel="ugc">http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx</a>. The site listed above in the solution's link is broken.
</div>


<div>
<div class="content wysiwyg-content">
SonicWALL TZ170 Wireless STD OS, handles WLAN DHCP<br />
SBS 2k3, handles LAN DHCP<br />
<br />
How do I block a user from gaining access to the internet and/or network?<br />
<br />
I have a subcontractor who is not tech savvy who brings in their laptop to work infected and the boss does not want to even spend 1 minute fixing it because they are not really a part of our company. To eliminate any threats they may bring in he wants them to have NO internet or network access. I have the MAC address. They connect via Ethernet *not* wireless. Wireless access is being blocked via MAC address filtering on the SonicWALL if they should try to connect to the WLAN.<br />

</div>
</div>


SonicWALL TZ170 Wireless STD OS, handles WLAN DHCP
SBS 2k3, handles LAN DHCP

How do I block a user from gaining access to the internet and/or network?

I have a subcontractor who is not tech savvy who brings in their laptop to work infected and the boss does not want to even spend 1 minute fixing it because they are not really a part of our company. To eliminate any threats they may bring in he wants them to have NO internet or network access. I have the MAC address. They connect via Ethernet *not* wireless. Wireless access is being blocked via MAC address filtering on the SonicWALL if they should try to connect to the WLAN.


Blocking a MAC Address on SBS 2003 from all access LAN &amp; WAN

Small Business Server (SBS) is a line of server operating systems targeted at small businesses by bundling the operating system with a number of other Microsoft products that would normally need to be purchased or licensed separately. The most notable inclusions are Exchange, SQL Server, SharePoint and ISA/TMG (Microsoft's firewall and proxy server).

The Dynamic Host Configuration Protocol (DHCP) is an auto configuration protocol used on IP networks and an extension of the Bootstrap Protocol. DHCP allows for computers to be configured automatically to communicate with each other over an IP network without the need for manual setup by a network administrator. The implementation of DHCP relies on a DHCP server to hand out network configuration information to DHCP-capable clients that request an IP address (and other information required or useful in communicating with other devices on an IP network). In addition to an IP address, common configuration information served over DHCP includes a default gateway, subnet mask and DNS sever(s).

DHCP

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.

Blocking a MAC Address on SBS 2003 from all access LAN &amp; WAN

Blocking a MAC Address on SBS 2003 from all access LAN & WAN