Mark Minasi's Tech Forum
downtime

Senior Member
Posts: 103
#1
Dear all,

Is there a way to restrict WIRED LAN connections in GPO or any other means? Here is what I want to do:

We have laptops that are designated as "Internal Only". I use the Wireless Network Policies GPO to restrict these laptops to our internal SSID only. Works great. But, how can I do the same for wired connections? The Wired Network Policy GPO doesn't restrict wired connections, i.e., I can simply plug the laptop into any other LAN connection (home, hotel, anywhere!) and it will happily give me an IP Address.

I want to restrict these laptops to ONLY connect to my internal wireless and wired networks and nothing else.

0
donoli

Senior Member
Posts: 505
#2
AFAIK, if there is any way at all, it would have to be based on the MAC address.  However, any restriction placed on a workstation can be bypassed by booting with a Live CD.  If the laptops are "Internal Only", shouldn't the users be required to leave them on the premises?
0
downtime

Senior Member
Posts: 103
#3
This is a new business requirement.

We are trying to separate laptops into "internal only" and "external only" in the hope of preventing nasties entering our network.

External laptops won't be AD joined so our 802.1X will just kick them off the network if someone attempts to connect internally (wired or wireless).

Internal laptops can only access one SSID which is fine.

These internal laptops SHOULD remain on premises but nothing is stopping people from removing them (is this possible? chain locks are not possible since they move around in meeting rooms a lot).

0
donoli

Senior Member
Posts: 505
#4
Quote:
These internal laptops SHOULD remain on premises but nothing stopping people from removing them (is this possible? chain locks not possible since they move around in meeting rooms a lot).


If they stay on premises, are they locked in a room with limited access?  Can a sign out/sign in system be implemented where before the employees leave, they have to return the laptop to the specified room?  Similar procedures are used with tools on construction jobs.
0
cj_berlin

Senior Member
Posts: 226
#5
If you are already running 802.1X all you need to do is disable the "fall back to unauthenticated connection" setting of the LAN adapter and prevent users from re-enabling it. Not making them local admins might even be sufficient for that.
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
downtime

Senior Member
Posts: 103
#6
Thanks for the info. I unchecked this setting "Fallback to unauthorised network access" and it worked perfectly. This is exactly what I need.

Is there a way to automatically set "Fallback to unauthorised network access" to unchecked? I checked GPO and the registry but cannot find any way to automate this. I would like to avoid having to visit each laptop if possible.

0
donoli

Senior Member
Posts: 505
#7
Can it be automated by using a login script?  Keep in mind that if the user boots the machine with a Live CD, that's the end of the setting.
0
cj_berlin

Senior Member
Posts: 226
#8
You need to create an XML profile for your LAN connection and add it via netsh lan add profile. The setting you are looking for is OneXEnforced = True.
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
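The export/edit/re-import flow that post #8 describes, written out as an added PowerShell example (this is not cj_berlin's or Microsoft's code). It assumes the wired adapter is named "Ethernet" and already carries an 802.1X profile pushed by the Wired Network Policy GPO, so that the exported XML contains the EAP settings and only OneXEnforced has to change. OneXEnforced=true in the LAN profile schema is the XML form of clearing the "Fallback to unauthorized network access" checkbox; the script refuses to enforce it when 802.1X is not enabled in the profile, because that would cut the laptop off the wired network entirely.

```powershell
# Added example (not from the thread). Run elevated on each laptop, e.g. from a
# computer startup script or scheduled task.
# Assumption: the wired adapter is named "Ethernet" and already has an 802.1X
# profile, so the exported XML carries the existing EAPConfig unchanged.
param(
    [string]$Interface = 'Ethernet'   # assumed adapter name
)

$ProfileNs = 'http://www.microsoft.com/networking/LAN/profile/v1'
$Work = Join-Path $env:TEMP 'lan-profile-export'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Remove-Item -Path (Join-Path $Work '*.xml') -ErrorAction SilentlyContinue

# 1. Export the current wired profile so the EAP configuration is preserved.
& netsh lan export profile folder="$Work" interface="$Interface" | Out-Null
$Exported = Get-ChildItem -Path $Work -Filter '*.xml' | Select-Object -First 1
if (-not $Exported) { throw "No wired profile exported for interface '$Interface'." }

# 2. Force OneXEnforced=true (no fallback to unauthenticated access).
[xml]$Doc = Get-Content -Path $Exported.FullName -Raw
$Nsm = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
$Nsm.AddNamespace('lan', $ProfileNs)
$Security = $Doc.SelectSingleNode('/lan:LANProfile/lan:MSM/lan:security', $Nsm)
if (-not $Security) { throw 'Exported profile has no MSM/security element.' }

# Refuse to enforce 802.1X on a profile where it is not enabled at all;
# the adapter would then never get onto the wired network.
$Enabled = $Security.SelectSingleNode('lan:OneXEnabled', $Nsm)
if (-not $Enabled -or $Enabled.InnerText -ne 'true') {
    throw '802.1X is not enabled in this profile; fix the GPO profile first.'
}

$Enforced = $Security.SelectSingleNode('lan:OneXEnforced', $Nsm)
if (-not $Enforced) {
    # Schema order inside <security> is OneXEnforced, OneXEnabled, OneX.
    $Enforced = $Doc.CreateElement('OneXEnforced', $ProfileNs)
    $Security.PrependChild($Enforced) | Out-Null
}
$Enforced.InnerText = 'true'

$Fixed = Join-Path $Work 'lan-profile-enforced.xml'
$Doc.Save($Fixed)

# 3. Re-import; netsh replaces the profile bound to that interface.
& netsh lan add profile filename="$Fixed" interface="$Interface"

# 4. Show the result so the change can be checked from the script log.
& netsh lan show profiles interface="$Interface"
```

Because the setting lives in the per-interface profile rather than in a registry value, reapplying this at every startup is the practical way to make sure a user who re-ticks the checkbox does not keep the fallback for long; donoli's point about a Live CD still stands, since the script only runs inside the installed Windows.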
cj_berlin

Senior Member
Posts: 226
#9
Quote:
Originally Posted by donoli
Can it be automated by using a login script?  Keep in mind that if the user boots the machine with a Live CD, that's the end of the setting.


Disabling boot from CD, USB and PXE in BIOS might help here. You will see this in corporate environments most of the time.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
donoli

Senior Member
Posts: 505
#10
Quote:
Disabling boot from CD, USB and PXE in BIOS might help here.


Taking it a step beyond that, disabling the recovery partition would be essential too.
0
downtime

Senior Member
Posts: 103
#11
Thanks for your responses guys, much appreciated. Lots of great info to consider.
0
Creacon

New Friend (or an Old Friend who Built a New Account)
Posts: 30
#12
One thing you can do that could help is to log in to your router and establish which device (MAC address) can be used on each port.  That way ONLY the specified MAC address can be connected to each port; any other one will be rejected.  This also offers a little more network security, since a BYOD can't be connected.  This is how I've kept unauthorized devices off my network.

If you have a programmable router you can create separate subnets with specific limitations, i.e. one subnet for external only and another for internal only.  You'd need to set up internal static IP addresses for each computer within each subnet, and turn off the router's DHCP.

Another, and perhaps easier and better, approach would be to create port VLANs on your router, one each for internal and external.  If your router won't allow this, you can obtain a managed (programmable) switch to create the VLANs.  An 8-port managed version can be obtained from Newegg for $35.00 w/free shipping; go to http://www.newegg.com and search for "D-Link 8-Port EasySmart Gigabit Ethernet Switch - Lifetime Warranty (DGS-1100-08)".  With that switch you can create a separate VLAN for each port, and/or combine 2 or more ports into single VLANs.

I hope this is helpful.

__________________
Capt. Dinosaur
0