Solved

Trying to control which devices are allowed to connect to our network

Posted on 2016-10-11
8
97 Views
Last Modified: 2016-10-21
We have 3 locations which comprise of Windows PCs/laptops, Servers, and some iPhones/iPads. We are constantly running into people connecting their personal phones or laptops to our wired and/or wireless network.

We really don't want to get into managing a local CA server, or Cisco ISE, or anything like that as we are a thin staffed IT Dept.. We do have SCCM 2012 R2 in place and I was looking into to seeing if I can manage this with a Hybrid InTune setup. Is it possible to prevent people from connecting to our network based on whether or not they are enrolled? And can we have enrollment be something we have to approve before they're given access?

Or if there are any other ideas that make more sense I'd love to hear them as well.
0
Comment
Question by:rsgdmn
8 Comments
 
LVL 24

Expert Comment

by:Dr. Klahn
ID: 41838934
Have you considered restricting connections by MAC address?  It requires someone to go around to every device and record the MAC address, but relatively reliable if none of the employees know that this method is in use.  If anyone in IT lets the cat out of the bag, MAC address spoofing will run wild.

I do think it would be more effective to hold a whole-company meeting, attendance required (a meeting shows you're serious, memos are ignored) and state simply, "From now on, anyone connecting an unauthorized device to the company network will be terminated.  We will no longer tolerate endangering the security of our network.  Employees will immediately sign and return to Security the copy of this policy that you will find in your mailboxes, stating that you understand and will comply.  This policy is not open for discussion.  Thank you.  That is all for today."
0
 

Author Comment

by:rsgdmn
ID: 41838946
Yeah, we did look at that and that may have to be the answer. But we were hoping for something simpler to roll out and manage using our existing SCCM environment. If I do have to go that route I'd probably create an Allow list in DHCP for the MACs we allow. But we have about 350 users and many of them travel between the 3 locations so there would be a lot of MAC addresses to manage at all 3 locations, as well as several places to add every new machine that comes on board to. But good idea.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41839050
Security and ease of use are diametrically opposed items. With company issued equipment it is easy for the mac address to be recorded and added to dhcp when issued to a user. with 3 sites and 3 dhcp servers you would need to periodically sync the allowed lists.
0
 
LVL 23

Expert Comment

by:masnrock
ID: 41839243
MAC address filtering is the simplest solution, as you basically want to only utilize existing infrastructure. But you should look into other solutions in the long run, such as the things you named not wanting to invest in. But do it as part of another project,

You also never mentioned whether there was a policy that banned unauthorized devices. If not, it's something you're going to want to look into and to work with management to get into place.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:rsgdmn
ID: 41839250
As I continue to look into InTune I'm seeing it's great for managing devices that are on the network but not seeing that it will be able to prevent devices form getting on the network. Agree? Disagree?

Also, what about the use of a Radius server? From what I understand I could use that for both wired and wireless, just not sure about printers and VoIP phones. Although if I went that route I would probably want one at each site. And I always thought multiple Radius servers can be troublesome. Thoughts?

As you can see, I'm really trying to avoid the MAC address whitelisting, although maybe it's not as bad as I'm imagining it.

I really appreciate all the input so far, thanks.
0
 
LVL 23

Accepted Solution

by:
masnrock earned 500 total points
ID: 41839273
Since you're using a domain, you could have NPS in place, and restrict to machines that are already members of the domain... that would have a shot at working and frustrating users enough.

However, bear in mind you want to have a company policy in place BEFORE you do that so that you have something backing you up.
0
 

Author Comment

by:rsgdmn
ID: 41846642
If I try using NPS would I need a CA in my environment? Or can it be done with either a self-signed certificate form the NPS server or a 3rd party CA?
0
 
LVL 23

Expert Comment

by:masnrock
ID: 41852225
You should be able to accomplish it in either manner.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Compromised PC? 17 173
backup computers on Workgroup 10 49
logging buffered 8 39
What Can't I Connect by FTP??? 27 56
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now