Solved

Need advice on how to block Windows XP in a multi OS network

Posted on 2014-02-19
7
1,110 Views
Last Modified: 2014-03-05
Hello all -

I have been asked if there is a possible way to block Windows XP machines from accessing our network.
At a glance -
We have about 1K stations (mostly Windows 7)
We have a large WAN across several T1 and fiber circuits
99% of the network devices are Cisco (28XX routers and 35XX switches)

Without having the budget to acquire a NAC on the fly, and with a request from our management to block Windows XP machines, I wanted to know if there is a way to identify the XP devices at the network devices and somehow block them from there.

I have been reading on ways to do it using DHCP fingerprinting but I'm not getting anywhere.

I also looked at open source options (PacketFence), but the setup might be an issue for us.

Any advice on this subject?
0
Question by:CocoCounty
7 Comments
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 125 total points
ID: 39872539
The only option I can see is proactively scanning the network with nmap with the fingerprinting option on. When XP is detected, make a DHCP exception for it with a wrong gateway so it does not reach the internet.

There is no safe and sound solution for this problem without NAC.

Another "option" is to put a captive web portal in between which will check your OS and block you if you have Windows XP. But with 1k workstations that can be a pain in the ass.
0
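As an added example for the nmap route suggested above (not code from the original post or from nmap itself), the following Python parses the XML that `nmap -O -oX scan.xml <subnet>` writes, keeps only hosts whose best OS match names Windows XP at or above an accuracy threshold, and renders per-MAC DHCP reservations that point the client at a non-routing "quarantine" gateway. The XML sample is constructed; the reservation syntax assumes an ISC dhcpd server, which the thread never states, and the quarantine address is a placeholder.

```python
"""List Windows XP hosts from nmap -O XML output and draft isolation reservations.

Added example for this thread; not from the original post or from nmap's own
tooling. Assumes the scan was run as `nmap -O -oX scan.xml <subnet>` (element
names follow nmap's XML output) and that the DHCP server is ISC dhcpd, which
accepts per-MAC 'host' reservations. SAMPLE_XML below is constructed data.
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -O XML output: one confident XP match, one
# Windows 7 host, and one host where XP is only a low-confidence tie.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 10.0.5.0/24">
  <host><status state="up"/>
    <address addr="10.0.5.21" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.22" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:66" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows 7 or Windows Server 2008 R2" accuracy="98"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.23" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:77" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="85"/>
        <osmatch name="Microsoft Windows Server 2003 SP2" accuracy="85"/></os>
  </host>
</nmaprun>
"""


def find_xp_hosts(xml_text, min_accuracy=95):
    """Return [(ip, mac, os_name, accuracy)] for hosts whose best nmap OS match
    names Windows XP with accuracy >= min_accuracy.

    Hosts without a MAC address (nmap only sees MACs on the local L2 segment)
    are skipped, because a DHCP reservation is keyed on the MAC.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if mac is None:
            continue
        matches = host.findall("./os/osmatch")
        if not matches:
            continue
        # Take the highest-accuracy guess; ties resolve to the first listed.
        best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
        name = best.get("name", "")
        accuracy = int(best.get("accuracy", "0"))
        if "Windows XP" in name and accuracy >= min_accuracy:
            results.append((ip, mac, name, accuracy))
    return results


def isolation_reservations(hosts, quarantine_gateway="10.0.5.254"):
    """Render ISC dhcpd 'host' blocks (assumed server) that pin each XP MAC to
    its current address but hand it a router option that does not forward,
    which is the 'wrong gateway' containment from the answer above.
    quarantine_gateway is a placeholder value."""
    blocks = []
    for ip, mac, name, accuracy in hosts:
        blocks.append(
            f"host xp-{mac.replace(':', '')} {{\n"
            f"  hardware ethernet {mac};\n"
            f"  fixed-address {ip};\n"
            f"  option routers {quarantine_gateway};  # {name} ({accuracy}%)\n"
            f"}}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    xp_hosts = find_xp_hosts(SAMPLE_XML)
    for row in xp_hosts:
        print(row)
    print(isolation_reservations(xp_hosts))
```

The accuracy threshold matters: the third sample host is an 85% tie between XP and Server 2003, and quarantining it on that evidence would knock a server off the network. Run the scan, review the list, then apply the reservations; do not pipe one into the other unattended.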
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39872690
Can you do 802.1x on your network? I didn't need to purchase anything when I implemented it on my network several years ago. If all of your authorized computers are domain members 802.1x should work quite well for you, and it helps to keep unauthorized devices off the network, not just Windows XP.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39872720
For 802.1x, all you need is NPS or IAS server(s) and a certificate authority, both of which are readily available in a Windows server environment.
@CocoCounty, if your handle means Contra Costa County, I work nearby if you need a local resource.
0
 
LVL 64

Accepted Solution

by:btan
btan earned 125 total points
ID: 39873193
Host OS fingerprinting is typically passive, based on:
1) IP TTL and TCP window size, e.g. 128 and 65535 respectively
2) DHCP (as you mentioned); you may want to check out "Fingerbank"
3) User agent in HTTP header, e.g. "Windows NT 5.1"

However, for effective blocking, NAC is still something worth looking into. There is one such free and open source network access control (NAC) solution called PacketFence. It uses fingerprints as above ...
@ http://www.packetfence.org/en/about/advanced_features.html#c1484

.. and supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors
@ http://www.packetfence.org/about/supported_switches_and_aps.html#c1482
0
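To make the three passive signals above concrete, here is an added Python example (not from btan's post and not PacketFence code) that scores per-MAC observations of TTL plus TCP window size, the DHCP option 55 parameter request list, and the HTTP User-Agent, then flags a host as XP only when the weighted evidence clears a threshold. The DHCP lists are the commonly published Fingerbank signatures for XP and Windows 7 and the window sizes are the stacks' default SYN values; both are assumptions to verify against the current Fingerbank database. The observation records are constructed.

```python
"""Passive Windows XP fingerprinting over per-MAC observation records.

Added example for this thread; not from btan's post or from PacketFence.
Signals scored (weights are a design choice, not a standard):
  - TCP: initial TTL 128 and SYN window 65535 (XP) vs 8192 (Win7); weight 1,
    because many stacks share these values.
  - DHCP option 55 parameter request list; weight 3 (most specific signal).
  - HTTP User-Agent "Windows NT 5.1" (XP) vs "Windows NT 6.1" (Win7); weight 2.
The DHCP lists are the commonly published Fingerbank signatures (assumption:
check them against the live database). OBSERVATIONS is constructed data.
"""
from collections import defaultdict

DHCP_FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,249,43": "Windows XP",
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows 7",
}

# Constructed observations, as a collector on a SPAN port might emit them:
# host ..01 is XP on every signal, ..02 is Windows 7, ..03 only shows a TCP
# SYN whose TTL/window happen to match XP defaults.
OBSERVATIONS = [
    {"mac": "00:11:22:aa:bb:01", "kind": "tcp", "ttl": 126, "window": 65535},
    {"mac": "00:11:22:aa:bb:01", "kind": "dhcp", "params": "1,15,3,6,44,46,47,31,33,249,43"},
    {"mac": "00:11:22:aa:bb:01", "kind": "http", "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"},
    {"mac": "00:11:22:aa:bb:02", "kind": "tcp", "ttl": 127, "window": 8192},
    {"mac": "00:11:22:aa:bb:02", "kind": "dhcp", "params": "1,15,3,6,44,46,47,31,33,121,249,43"},
    {"mac": "00:11:22:aa:bb:02", "kind": "http", "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64)"},
    {"mac": "00:11:22:aa:bb:03", "kind": "tcp", "ttl": 128, "window": 65535},
]


def score_tcp(ttl, window):
    """Windows sends initial TTL 128; the observed value is lower by the hop
    count, so accept anything in (64, 128]. Window size separates XP from 7."""
    if 64 < ttl <= 128 and window == 65535:
        return "Windows XP", 1
    if 64 < ttl <= 128 and window == 8192:
        return "Windows 7", 1
    return None, 0


def score_dhcp(param_list):
    """Exact match on the option 55 list; unknown lists contribute nothing."""
    os_name = DHCP_FINGERPRINTS.get(param_list)
    return (os_name, 3) if os_name else (None, 0)


def score_user_agent(ua):
    """NT 5.1 is XP's kernel version string; NT 6.1 is Windows 7's."""
    if "Windows NT 5.1" in ua:
        return "Windows XP", 2
    if "Windows NT 6.1" in ua:
        return "Windows 7", 2
    return None, 0


def score_observation(obs):
    kind = obs["kind"]
    if kind == "tcp":
        return score_tcp(obs["ttl"], obs["window"])
    if kind == "dhcp":
        return score_dhcp(obs["params"])
    if kind == "http":
        return score_user_agent(obs["ua"])
    return None, 0


def classify(observations):
    """Return {mac: {os_name: accumulated weight}} over all observations."""
    scores = defaultdict(lambda: defaultdict(int))
    for obs in observations:
        os_name, weight = score_observation(obs)
        if os_name:
            scores[obs["mac"]][os_name] += weight
    return {mac: dict(per_os) for mac, per_os in scores.items()}


def suspected_xp(observations, threshold=3):
    """MACs whose XP score reaches the threshold and is not outweighed by
    evidence for another OS. A lone TCP hit (weight 1) never qualifies."""
    flagged = []
    for mac, per_os in classify(observations).items():
        xp = per_os.get("Windows XP", 0)
        if xp >= threshold and xp >= max(per_os.values()):
            flagged.append(mac)
    return sorted(flagged)


if __name__ == "__main__":
    for mac, per_os in classify(OBSERVATIONS).items():
        print(mac, per_os)
    print("suspected XP:", suspected_xp(OBSERVATIONS))
```

The threshold is the point of the design: host ..03 matches XP on TTL and window size alone, which several other stacks also produce, so it stays unflagged until a DHCP or User-Agent observation corroborates it. Feeding the flagged MACs into a quarantine VLAN or DHCP reservation is then a separate, reviewed step.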
 

Author Comment

by:CocoCounty
ID: 39873653
I would like to thank you all for your responses.

I believe we are going to try NPS first and then, if we have to, PacketFence.

Kevin - Not in Contra Costa, but thanks for the offer, I will keep that in mind.
0
 

Author Comment

by:CocoCounty
ID: 39873673
I intended to make all answers as correct but it only marked the last comment as such. I apologize for that.
0
