how to block wimax devices in AD network?

    General discussion

  • i'm designer/administrator for a network with 500 clients/users. here we use extreme/cisco (mostly 2960) switches & cisco (mostly 3750) routers... we have 3 DCs running server 2k8 (not R2 yet) , & we have a dhcp running server 2k3 (haven't got the time to migrate it to a 2k8 R2 server). we have 25 scopes (each for different VLAN).

    here's my problem...we don't share internet access for everyone....they must open file a ticket to IT department. their boss & IT department must accept their access to internet & then they'll be given the access.

    but some users bring WiMax devices with them & connect them to their PCs using lan cables...

    now we wanna prevent this...because of security issues & also their boss doesn't want them to have internet access.

    is there a way through Active directory to achieve this? is there even a third party to accomplish this goal?

    suggestions are most appreciated...

    tnx in advance



    this post is provided as is, with no warranties/guarantees

    Thursday, July 11, 2013 9:20 AM

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    Please provide me more detailed information regarding the limitation of internet access. That is to say, how do you stop a user from accessing the Internet?

    Do the WIMax devices access internet through company's network or not?

    Regards

    Ted

    Friday, July 12, 2013 6:24 AM
  • hi & tnx for the reply

    here we use Mikrotik + Netbill accounting software to limit access to internet. users use VPN connections to connect to mikrotik device & our netbill software grants/denies them internet access, also limitations like traffic & access hour are done through Netbill.

    some users bring WiMax devices with them...these devices don't connect to our network...they connect to different ISPs.

    so when a wimax device is turned on, the user doesn't need to connect it to the ISP..the device automatically connects to ISP & so the device has internet access.

    users just connect the lan cable from wimax devices to their PCs (their PCs are member of our domain) & then the device assigns an ip address to the pc...so the pc will have internet access.

    we want to block them, but haven't found a solution yet...well except for physical security like security cameras & ...



    this post is provided as is, with no warranties/guarantees

    Friday, July 12, 2013 9:09 AM
  • these solutions are about USB connected devices, rather than RJ45 cables.

    the WiMax devices that i'm having trouble with, are connected to PCs using RJ45 cables. so i can't prevent it using "Device Installation" settings, unfortunately


    this post is provided as is, with no warranties/guarantees

    Wednesday, July 17, 2013 11:47 AM
  • Hi,

    That is to say, your PCs have two LAN adapters, one is connected to the enterprise network, the other is connected to the WiMax devices?

    Regards

    Ted

    Thursday, July 18, 2013 3:30 AM
  • these solutions are about USB connected devices, rather than RJ45 cables.

    the WiMax devices that i'm having trouble with, are connected to PCs using RJ45 cables. so i can't prevent it using "Device Installation" settings, unfortunately

    Saeed,

    Do not allow users to bring their devices at workplace and that should fix this issue.

    This is something which needs to be addressed using your corporate governance policies involving required stakeholders like HR, IT and Security personnel, or use WiMax jammer devices at your workplace which would render the user devices useless!


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here, are my own and posted AS IS.

    Thursday, July 18, 2013 3:40 AM
  • nah..their PCs have only 1 LAN adapter

    they just disconnect themselves from the enterprise network & connect the WiMax devices to their PCs

    so while they're connected to WiMax devices, they're not connected to our network

    & funny thing is we have our automation software published online, so they can browse the internet & do their job at the same time


    this post is provided as is, with no warranties/guarantees

    Thursday, July 18, 2013 6:07 AM
  • so there's no software-based solution to remedy this issue rather than physical security solutions?

    thanks for the kind reply btw ;)


    this post is provided as is, with no warranties/guarantees

    Thursday, July 18, 2013 6:09 AM
  • so there's no software-based solution to remedy this issue rather than physical security solutions?

    Not that I am aware of...

    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here, are my own and posted AS IS.

    Thursday, July 18, 2013 6:17 AM
  • Hi,

    We can achieve this target by setting static IP.

    To ensure that they do not have the local administrator account.

    The clients cannot be assigned the correct IP address through the WiMax devices.

    Ted


    • Edited by Ted Xie Thursday, July 18, 2013 10:04 AM modify
    Thursday, July 18, 2013 10:02 AM
  • Hi,

    BTW, setting the static IP is a huge task.

    I believe you won't do this...

    Ted

    Thursday, July 18, 2013 10:24 AM
  • BTW, setting the static IP is a huge task.

    I was about to write this, meantime, saw your reply ;-) 

    If machine count is below 50, then it's achievable as a one time task. if client count is more, it becomes a tedious task.


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here, are my own and posted AS IS.

    Thursday, July 18, 2013 10:28 AM
  • well client count is something like 400-500...more or less

    the thing is we don't know who brings WiMax device with himself, we can't monitor every single connection to our servers.

    & another thing is that sometimes i set some options through DHCP, like 033 & 121 (static routes)...

    if i set static IP addresses, it'll be really hard to manage clients u know

    so i guess physical security is the final answer.

    by the way, is there any script/batch or option to disable the local area connection whenever a RJ45 cable is disconnected from the client?


    this post is provided as is, with no warranties/guarantees

    Thursday, July 18, 2013 4:01 PM
  • Hi,

    please refer to the link below:

    http://gallery.technet.microsoft.com/ScriptCenter/6b8163d1-5fae-43b5-a664-a2d1f6e1e2da/

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/452bd87c-f802-447c-91fb-e98b1b6ddb0e/how-to-get-all-active-computer-list-in-domain-with-some-attributes

    If you have questions about PowerShell or scripts, I suggest we seek help in our script forum:

    http://social.technet.microsoft.com/Forums/en-US/ITCG/

    There you can get more effective suggestions from other experts who are familiar with this topic.

    Ted

    Friday, July 19, 2013 5:02 AM
  • Hi,
     
    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Ted
    Tuesday, July 23, 2013 4:34 AM
  • :

    http://gallery.technet.microsoft.com/ScriptCenter/6b8163d1-5fae-43b5-a664-a2d1f6e1e2da/

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/452bd87c-f802-447c-91fb-e98b1b6ddb0e/how-to-get-all-active-computer-list-in-domain-with-some-attributes


    Ted,


    OP asked " is there any script/batch or option to disable the local area connection whenever a RJ45 cable is disconnected from the client?"

    How can you justify your answer ? Would you mind explaining the answer for the community ? Did you even read the OPs question properly ?

    The links provided by you have nothing to do with OPs question. Marked answer is not at all correct or relevant. 


    Thanks ! Jayawardhane

    Tuesday, July 23, 2013 5:08 AM
  • Hi Jayawardhane,

    I admit that the link I provided didn't match the problem.

    However, if we use a script to perform the task, there can be some potential problems. When clients change their position or customers need to use the company's network temporarily, it will bring some trouble.

    So I think that the links I provided are of more practical significance.

    If you have a better idea, please feel free to share with us. Your contribution will be appreciated.

    Thank you!

    Ted


    • Edited by Ted Xie Thursday, July 25, 2013 9:38 AM modify
    Thursday, July 25, 2013 9:21 AM
  • Hi Jayawardhane,

    I admit that the link I provided didn't match the problem.

    However, if we use a script to perform the task, there can be some potential problems. When clients change their position or customers need to use the company's network temporarily, it will bring some trouble.

    So I think that the links I provided are of more practical significance.

    The scripts talk about finding active and inactive computers in the domain.

    Sorry, I am still unable to understand, how that answers the OPs question " is there any script/batch or option to disable the local area connection whenever a RJ45 cable is disconnected from the client?"

    OK, even if you get the active and inactive computer lists, how is it going to help in disabling the LAN connection when the RJ45 cable is disconnected?

    What are we achieving out of getting the active and inactive computer lists?

    Suppose, machine is disconnected from network for 45 min, does the inactive computer script list the computer name which is inactive for 45 min ? Even if it does, how do you disable remote LAN connection ?


    Thanks ! Jayawardhane

    Friday, July 26, 2013 6:19 AM
  • "Disabling the LAN connection" is not a good idea. We do not recommend him to do this.

    Work together to address the issues would be better than argument.

    Find the proper way to solve the problem would be highly appreciated.

    Ted

    Friday, July 26, 2013 7:06 AM
  • thank for referrin' me to these links

    well to find active/inactive computers or users in my domain & to disable/remove them also, i use dsquery command with different switches..like:
    dsquery user -inactive x , x stands for number of weeks & also i disable the result using the below command :

    dsquery user -inactive x -limit 0 | dsmod user -disabled yes

    but that doesn't really solve my problem. imagine i get a list of computers that have been inactive for the past 45 minutes, maybe they've been turned off, maybe the switch that they're connected to has been faulty.

    i had to unmark this post as answered since other people might get to this thread also..thanks for helpin' me out though, really appreciate it


    this post is provided as is, with no warranties/guarantees

    Friday, July 26, 2013 7:10 AM
  • actually it was just a thought passin' through my mind , since if i do that, i'll have my phone ringing like 100 times a day & i can't really bear that.

    my bosses have asked me to find a way to block that, i even thought about using port security on our cisco switches , but it will just disable the switch port the client is connected to & not the client itself.

    hmm

    earlier i thought about using windows firewall. like i set our network as the only trusted network through windows firewall, & every other network as untrusted network...& allow traffic (local & internet) just through the trusted network. so when the client is connected to wimax device, windows firewall recognizes it as untrusted network & block all the traffic to that client.

    is this even possible? 


    this post is provided as is, with no warranties/guarantees

    Friday, July 26, 2013 7:22 AM
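The firewall idea described in the post above can be expressed with Windows Firewall profiles. This is an added example, not part of the original thread; it assumes Windows 8 / Server 2012 or later (NetSecurity and NetConnection modules), an elevated session, and that users are not local administrators. The function names are hypothetical.

```powershell
# Added example (not from the thread). In production these settings would be
# delivered through Group Policy so they cannot be changed on the client.

function Set-OffDomainLockdown {
    # Domain profile: selected only when the PC can authenticate to a domain
    # controller over the connection, i.e. on the corporate LAN.
    Set-NetFirewallProfile -Name Domain -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Private/Public profiles: selected for any network where no DC is
    # reachable, such as a WiMax modem plugged into the Ethernet port.
    Set-NetFirewallProfile -Name Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Test-OffDomainLockdown {
    # Returns the non-domain profiles that would still let traffic out.
    # An empty result means the lockdown is in effect.
    Get-NetFirewallProfile -Name Private, Public |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultOutboundAction -ne 'Block' }
}

function Get-NonDomainConnection {
    # Detection side: active connections that Windows did not classify as
    # DomainAuthenticated. Collecting this centrally shows which PCs are
    # being attached to foreign networks.
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
        Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity
}

Set-OffDomainLockdown
if (Test-OffDomainLockdown) { Write-Warning 'A non-domain profile still allows outbound traffic.' }
Get-NonDomainConnection
```

Explicit outbound allow rules scoped to the Private or Public profile still take effect under a default-block policy, so existing rules need review before relying on this.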
  • Work together to address the issues would be better than argument.

    Find the proper way to solve the problem would be highly appreciated.

    Ted

    @Ted, No disrespect here , but argument was about the marked answer which did not make any sense.

    @Saeed, fool proof way is to block physical access to unauthorized devices, it has been already suggested earlier. Rest of the things would be workarounds only with one or the other disadvantages.

    Also, we should not look for only technical solutions (which do not exist or very hard to implement) when a single company Policy can do what you want to achieve.


    Thanks ! Jayawardhane

    Friday, July 26, 2013 8:25 AM
  • Hello,

    @Saeed Khalifi

    First, your Company Policy has a problem. Why can a user unplug the network cable!!!??

    Second, You can delete & disable Cached Credentials and logon locally in Windows and use this VBScript:

        ' Subscribe to NDIS media-disconnect events (raised when the network cable is unplugged)
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\wmi")
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from MSNdis_StatusMediaDisconnect")

        Do While True
            ' NextEvent blocks until a disconnect event arrives
            Set strLatestEvent = colMonitoredEvents.NextEvent
            ' Force a logoff of the current user
            Set objShell = CreateObject("Wscript.Shell")
            objShell.Run "%windir%\System32\shutdown.exe /l /f"
        Loop

    How Can I Be Notified Any Time a Network Cable Gets Unplugged? (Hey, Scripting Guy! Blog)

    When the cable is unplugged, the user is forced to log off.

    OR

    You must buy rjlockdown or LockPORT.

    AGAIN: think about your company policy!

    Regards




    • Edited by Patris_70 Tuesday, August 13, 2013 10:05 PM
    Tuesday, August 13, 2013 9:57 PM