Re: MAC Filtering Part II

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 01/20/05


Date: Thu, 20 Jan 2005 20:30:27 +0100

Hi,

Like I mentioned before, the MAC can be changed on a computer, so this would
not be very efficient.

If these are Windows 2000 or newer computers, implement IPSec on them. If
they are part of a domain, use Kerberos as the authentication protocol for
IPSec. If they are not members of a domain, you can use certificates. On the
servers set "Require IPSec". If any of the students plug in their own laptop
they will not be able to use IPSec to talk to the servers and other computers
since they:
a) are not members of the domain
b) do not have an appropriate certificate

Other options: physical security. Don't allow users access to LAN
connections (put the computer and LAN socket in an appropriate box and lock
them -- take a look at how cyber cafés do this).

Personally I would do both (IPSec and physical security).

Step-by-Step Guide to Internet Protocol Security (IPSec)
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Assigning IPSec policy
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx

-- 
Mike
Microsoft MVP - Windows Security
"KWME" <KWME@discussions.microsoft.com> wrote in message 
news:CB068EF2-FD2E-4774-B0F4-312E813A6296@microsoft.com...
> I'll try to be more complete this time.  I'm running a network in a high
> school where teachers have computers in every classroom reserved for
> teaching or administrative staff only.  Students may not use this network.
> Local machines are running XP Pro and the server is running Server 2003.
> We've had some break-ins lately where we've seen signs that students are
> using the LAN connections and their own laptops to try to either hack our
> system or at very least steal internet time.  I'd like to find a way to
> prevent ANY such access to the system - to keep non-approved machines from
> getting any access on the LAN.  I thought that finding a way to permit only
> certain MAC addresses would be a simple way to do so.  Is this possible in
> Server 2003?  Are there better suggestions?
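
The server-side "Require IPSec" setup described in the reply above, as an added example that is not part of the original thread: a `netsh ipsec static` script for a Windows Server 2003 domain member. The policy, filter list and filter action names, the quick-mode method, and the domain controller address 192.0.2.10 are assumptions chosen for illustration.

```batch
@echo off
rem Added example, not from the original post. All names are placeholders.
rem Assumption: this server is a domain member and authenticates peers via a
rem separate domain controller at the placeholder address below.
set POLICY=Require IPSec - example
set DC=192.0.2.10

rem 1. Create the policy (it stays unassigned until step 6).
netsh ipsec static add policy name="%POLICY%" description="Only authenticated machines may talk to this server"

rem 2. Filter list: all IP traffic between any host and this server.
netsh ipsec static add filterlist name="All IP to me"
netsh ipsec static add filter filterlist="All IP to me" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem 3. Filter action: negotiate security with no clear-text fallback.
rem    inpass=no rejects unsecured inbound traffic; soft=no refuses to fall
rem    back to unsecured communication with hosts that cannot do IPsec.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Permit traffic to the domain controller in the clear so that Kerberos
rem    authentication for IKE can complete (assumption, see above).
netsh ipsec static add filterlist name="DC traffic"
netsh ipsec static add filter filterlist="DC traffic" srcaddr=me dstaddr=%DC% protocol=any mirrored=yes
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Permit DC" policy="%POLICY%" filterlist="DC traffic" filteraction="Permit"

rem 5. The "require" rule. kerberos=yes means only domain members can
rem    authenticate; a student laptop outside the domain cannot negotiate.
rem    For machines outside the domain, replace kerberos=yes with a rootca=
rem    value naming the issuing CA.
netsh ipsec static add rule name="Require IPSec for all" policy="%POLICY%" filterlist="All IP to me" filteraction="Require ESP" kerberos=yes

rem 6. Assign the policy and display what is now in effect.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Run this from the server console rather than over a remote session, since a wrong filter takes effect as soon as the policy is assigned. The domain clients still need a policy that lets them respond to or request IPsec, otherwise they are locked out along with the unmanaged laptops.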

