Solved

Need advice on how to block Windows XP in a multi OS network

Posted on 2014-02-19
Medium Priority
1,147 Views
Last Modified: 2014-03-05
Hello all -

I have been asked if there is a possible way to block Windows XP machines from accessing our network.
At a glance -
We have about 1K stations (mostly Windows 7)
We have a large WAN across several T1 and fiber circuits
99% of the network devices are Cisco (28XX routers and 35XX switches)

Without having the budget to acquire a NAC on the fly and with a request from our management to block Windows XP machines I wanted to know if there is a way to identify the XP devices at the network devices and somehow block them from there.

I have been reading on ways to do it using DHCP fingerprinting but I'm not getting anywhere.

I also looked at open source options (PacketFence), but the setup might be an issue for us.

Any advice on this subject?
Question by:CocoCounty
7 Comments
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 500 total points
ID: 39872539
The only option I can see is proactively scanning the network with nmap with the fingerprinting option on. When XP is detected, make a DHCP exception for it with a wrong gateway so it does not reach the internet.

There is no safe and sound solution for this problem without NAC.

Another "option" is to put a captive web portal in between which will check your OS and block you if you have Windows XP. But with 1k workstations that can be a pain in the ass.
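Henk's scan-then-reserve approach, worked through as an added example (this is not code from the thread or from nmap): a script that reads the XML written by `nmap -O -oX scan.xml 10.0.0.0/24`, keeps the hosts nmap classes as Windows XP with enough confidence, and prints an ISC dhcpd host declaration for each that hands it a dead default gateway. The sample XML, the 10.0.0.254 quarantine router address and the 90% accuracy cut-off are constructed/assumed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -O -oX - 10.0.0.0/24` emits; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX - 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="97">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="97"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.22" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:66" addrtype="mac" vendor="Hewlett Packard"/>
    <os><osmatch name="Microsoft Windows 7 or Windows Server 2008 R2" accuracy="94">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="7" accuracy="94"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.23" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:77" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="70">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="70"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.24" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed: an address on the subnet that nothing answers on, so the quarantined
# host's default route leads nowhere.
QUARANTINE_ROUTER = "10.0.0.254"


def find_xp_hosts(xml_text, min_accuracy=90):
    """Return [{'ip','mac','accuracy','match'}] for hosts nmap classes as Windows XP.

    The best XP osclass per host is used; anything under min_accuracy is ignored,
    because XP with its firewall on often yields a low-confidence guess that
    should not drive an automatic block.
    """
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        best_acc, best_name = -1, None
        for om in host.iter("osmatch"):
            for cls in om.findall("osclass"):
                acc = int(cls.get("accuracy", "0"))
                if (cls.get("osfamily") == "Windows" and cls.get("osgen") == "XP"
                        and acc > best_acc):
                    best_acc, best_name = acc, om.get("name")
        if best_name is not None and best_acc >= min_accuracy:
            hits.append({"ip": ip, "mac": mac, "accuracy": best_acc, "match": best_name})
    return hits


def dhcpd_quarantine_stanza(host):
    """ISC dhcpd host declaration that gives the XP box a bogus default gateway.

    Returns None when nmap recorded no MAC (it only learns one on the scanner's
    own L2 segment), since a MAC-keyed reservation cannot be written for it.
    """
    if not host["mac"]:
        return None
    name = "xp-" + host["mac"].replace(":", "")
    return (f"host {name} {{\n"
            f"  hardware ethernet {host['mac']};\n"
            f"  option routers {QUARANTINE_ROUTER};\n"
            f"  # nmap: {host['match']} ({host['accuracy']}%) at {host['ip']}\n"
            f"}}")


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for h in find_xp_hosts(xml_text):
        print(dhcpd_quarantine_stanza(h)
              or f"# {h['ip']}: XP but no MAC seen; rescan from its own VLAN")
```

Two caveats before relying on this: a wrong default gateway only cuts the host off from other subnets, so it can still reach (and infect) anything on its own VLAN, and a statically configured address or a changed MAC bypasses the reservation entirely. It is a stop-gap for the 1k-station case, not the enforcement point a NAC gives you.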
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 1000 total points
ID: 39872690
Can you do 802.1x on your network? I didn't need to purchase anything when I implemented it on my network several years ago. If all of your authorized computers are domain members 802.1x should work quite well for you, and it helps to keep unauthorized devices off the network, not just Windows XP.
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 1000 total points
ID: 39872720
For 802.1x, all you need is NPS or IAS server(s) and a certificate authority, both of which are readily available in a Windows server environment.
@CoCoCounty, If your handle means Contra Costa County, I work nearby if you need a local resource.
 
LVL 64

Accepted Solution

by:btan
btan earned 500 total points
ID: 39873193
Host OS fingerprinting is typically passive-based:
1) IP TTL and TCP window size, e.g. 128 and 65535 respectively
2) DHCP (as you mentioned); you may want to check out "Fingerbank"
3) User agent in HTTP header, e.g. "Windows NT 5.1"

However for effective blocking, NAC is still something worth looking into. There is one such free and Open Source network access control (NAC) solution called PacketFence. It uses fingerprints as above ...
@ http://www.packetfence.org/en/about/advanced_features.html#c1484

.. and supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors
@ http://www.packetfence.org/about/supported_switches_and_aps.html#c1482
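The three passive signals btan lists, combined into one classifier, as an added example (not code from the thread, from Fingerbank or from PacketFence): TTL plus TCP window narrows a host to the Windows family, while the DHCP option 55 parameter request list and the HTTP User-Agent token pin the version, and a host is only called XP when the version-specific evidence agrees. The signature tables, the weights and the sample observations are assumptions constructed for the example; the DHCP option 55 orders follow the public Fingerbank-style lists but should be confirmed against your own captures before anything is blocked on their say-so.

```python
from dataclasses import dataclass
from typing import Optional

# Signature tables, assumed for this example from public fingerprint lists; verify
# against your own captures before acting on them.
DHCP_PRL_SIGNATURES = {
    "1,15,3,6,44,46,47,31,33,249,43": "Windows XP",
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows 7",  # option 121 arrived with Vista
}
UA_TOKENS = {"Windows NT 5.1": "Windows XP", "Windows NT 6.1": "Windows 7"}
TCP_WINDOW_HINTS = {65535: "Windows XP", 8192: "Windows 7"}  # default SYN window per stack

# DHCP and User-Agent name a version; TTL plus window only narrows the stack family.
WEIGHTS = {"ttl_window": 1, "dhcp": 2, "user_agent": 2}
XP_THRESHOLD = 2


@dataclass
class Observation:
    ip: str
    ttl: Optional[int] = None         # IP TTL of a packet from the host, as seen at the sensor
    window: Optional[int] = None      # TCP window field of the host's SYN
    dhcp_prl: Optional[str] = None    # DHCP option 55 (parameter request list), comma-separated
    user_agent: Optional[str] = None  # HTTP User-Agent sent by the host


def initial_ttl(seen_ttl):
    """Map an observed TTL back to the default (64, 128 or 255) it was decremented from."""
    return next((base for base in (64, 128, 255) if seen_ttl <= base), None)


def classify(obs):
    """Score each passive signal; return (verdict, evidence).

    verdict is 'Windows XP', 'Windows 7', 'Windows (version unknown)' or 'unknown'.
    XP is called only when XP-specific evidence reaches XP_THRESHOLD and outweighs
    every other version; contradictory signals (proxy, VM, spoofed UA) stay unresolved.
    """
    scores, evidence = {}, []

    def vote(os_name, signal, note):
        scores[os_name] = scores.get(os_name, 0) + WEIGHTS[signal]
        evidence.append(note)

    windows_family = obs.ttl is not None and initial_ttl(obs.ttl) == 128
    if windows_family:
        evidence.append(f"TTL {obs.ttl} -> initial 128 (Windows family)")
        guess = TCP_WINDOW_HINTS.get(obs.window)
        if guess:
            vote(guess, "ttl_window", f"TCP window {obs.window} -> {guess} (weak)")
    if obs.dhcp_prl:
        guess = DHCP_PRL_SIGNATURES.get(obs.dhcp_prl)
        if guess:
            vote(guess, "dhcp", f"DHCP option 55 '{obs.dhcp_prl}' -> {guess}")
        else:
            evidence.append("DHCP option 55 not in signature table")
    if obs.user_agent:
        for token, guess in UA_TOKENS.items():
            if token in obs.user_agent:
                vote(guess, "user_agent", f"User-Agent has '{token}' -> {guess}")
                break

    undecided = "Windows (version unknown)" if windows_family else "unknown"
    if not scores:
        return undecided, evidence
    best = max(scores, key=scores.get)
    rivals = sum(v for k, v in scores.items() if k != best)
    if scores[best] <= rivals or (best == "Windows XP" and scores[best] < XP_THRESHOLD):
        return undecided, evidence
    return best, evidence


# Constructed observations, as a sensor on a SPAN port might collect them.
SAMPLE_OBSERVATIONS = [
    Observation("10.0.0.21", ttl=127, window=65535,
                dhcp_prl="1,15,3,6,44,46,47,31,33,249,43",
                user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"),
    Observation("10.0.0.22", ttl=128, window=8192,
                dhcp_prl="1,15,3,6,44,46,47,31,33,121,249,43",
                user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"),
    Observation("10.0.0.23", ttl=128, window=65535),  # TTL/window only: too weak to act on
    Observation("10.0.0.24", ttl=64, window=29200),   # not a Windows TTL at all
    Observation("10.0.0.25", ttl=128,                 # XP DHCP request, Windows 7 browser
                dhcp_prl="1,15,3,6,44,46,47,31,33,249,43",
                user_agent="Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"),
]


def xp_candidates(observations):
    """IPs the combined signals call Windows XP; these feed the quarantine step."""
    return [o.ip for o in observations if classify(o)[0] == "Windows XP"]


if __name__ == "__main__":
    for o in SAMPLE_OBSERVATIONS:
        verdict, why = classify(o)
        print(f"{o.ip}: {verdict}  [{'; '.join(why)}]")
```

The point of weighting rather than matching a single signal is visible in the sample: 10.0.0.23 looks like XP from TTL and window alone and is deliberately left unresolved, and 10.0.0.25, whose DHCP request says XP but whose browser says Windows 7 (a VM or a proxy would produce exactly that), is not blocked either. Every one of these signals is set by the client, so a determined user can forge them; what the classifier buys you is an inventory of XP candidates to hand to an enforcement point such as a DHCP reservation, a switch ACL or PacketFence's VLAN isolation, which is why the answer above still points at NAC for the actual blocking.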
 

Author Comment

by:CocoCounty
ID: 39873653
I would like to thank you all for your responses.

I believe we are going to try NPS first and then, if we have to, PacketFence.

Kevin - Not in Contra Costa, but thanks for the offer, i will keep that in mind.
 

Author Comment

by:CocoCounty
ID: 39873673
I intended to mark all answers as correct, but it only marked the last comment as such. I apologize for that.
