GPO 802.3 Policies "Settings" lockdown

  • Question

  • Hello, and Happy Thanksgiving,

    I am working on implementing NAP with 802.1x and EAP enforcement on my network, and so far it's going well.  I just extended my AD Schema so I could set up a Wired Network 802.3 Policy.  That worked great to configure the clients, but users can still go into "Settings" on the Authentication tab and mess with settings.  Why isn't that locked down when the settings are applied via GPO?


    Thursday, November 26, 2009 2:42 AM

Answers

  • To configure Wired Network (IEEE 802.3) Policies Group Policy settings, perform the following steps:
    1. Open the Group Policy Management snap-in.
    2. In the console tree, expand Forest, expand Domains, and then click the name of the domain to which your wired clients belong.
    3. In the Linked Group Policy Objects pane, right-click the appropriate Group Policy Object, and then click Edit.
    (Or you can run "GPME" instead of steps 1-3.)
    4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services. In the details pane, double-click Wired AutoConfig. In the Wired AutoConfig Properties dialog box, select the Define This Policy Setting check box, select Automatic, and then click OK.
    5. In the console tree, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Wired Network (IEEE 802.3) Policies.
    6. Right-click Wired Network (IEEE 802.3) Policies, and then click Create A New Windows Vista Policy.
    7. On the General tab, type a name for the policy and a description.
    8. On the Security tab, specify the EAP type, authentication mode, and other settings as needed.
    9. Click OK.

    The next time your Windows Server 2008 or Windows Vista wired clients update Computer Configuration Group Policy for this Group Policy Object, the wired network settings in the Group Policy Object will be automatically applied. You can manually force an update of an existing Group Policy Object by running the gpupdate command at a command prompt. For a new Group Policy Object, you must restart the wired client.
    After the wired network settings are applied, the Authentication tab of the properties dialog box of LAN connections in the Network Connections folder will display the message “These settings are managed by your system administrator,” and users will not be able to modify settings on the Authentication tab.
    Sorry. My posting is my personal suggestion, Microsoft won't take any responsibilities for my posting. But I am more than happy to try my best to help you.
    Friday, November 27, 2009 4:50 AM
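    As an added check that is not part of the original answer (and not Microsoft's own tooling), the Windows PowerShell script below verifies from a domain-joined client that the steps above have actually taken effect: that Wired AutoConfig (service name dot3svc) is Automatic and running, that a Computer Configuration refresh with gpupdate succeeds, and what EAP settings the wired profile now on the machine carries after that refresh. It assumes an elevated Windows PowerShell session and the standard PEAP profile XML element names FastReconnect, EnableQuarantineChecks and PerformServerValidation; an element that is not found is reported as $null rather than guessed.

```powershell
# Added example; not code from this thread or from Microsoft.
# Verifies on a domain-joined client that the Wired Network (IEEE 802.3) GPO has applied:
#   1. Wired AutoConfig (service name dot3svc) is set to Automatic and is running,
#   2. a Computer Configuration refresh is forced with gpupdate,
#   3. the wired profile now on the machine, exported with "netsh lan export profile",
#      carries the EAP settings the GPO is meant to enforce.
# Assumptions: elevated Windows PowerShell; the PEAP profile XML uses the element
# names FastReconnect, EnableQuarantineChecks and PerformServerValidation (a missing
# element is reported as $null, never guessed).

function Get-WiredAutoConfigState {
    # Win32_Service exposes StartMode, which Get-Service lacks on older PowerShell.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='dot3svc'"
    if (-not $svc) { throw 'Wired AutoConfig (dot3svc) service not found.' }
    New-Object PSObject -Property @{
        Service   = $svc.Name
        StartMode = $svc.StartMode   # 'Auto' once the System Services setting applies
        State     = $svc.State       # 'Running'
        Compliant = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    }
}

function Invoke-ComputerPolicyRefresh {
    # The gpupdate step from the answer, limited to Computer Configuration.
    & gpupdate.exe /target:computer /force | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-WiredProfileEapSettings {
    param([string]$ExportFolder = (Join-Path $env:TEMP 'wired-profiles'))
    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    Remove-Item -Path (Join-Path $ExportFolder '*.xml') -ErrorAction SilentlyContinue
    # netsh writes one XML file per interface/profile into the folder.
    & netsh.exe lan export profile "folder=$ExportFolder" | Out-Null
    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.xml') {
        $text = (Get-Content -Path $file.FullName) -join "`n"
        # Read a boolean element by name; $null when the element is absent.
        $read = {
            param([string]$Name)
            $m = [regex]::Match($text, "<$Name>\s*(true|false)\s*</$Name>", 'IgnoreCase')
            if ($m.Success) { [bool]::Parse($m.Groups[1].Value) } else { $null }
        }
        New-Object PSObject -Property @{
            Profile                 = $file.BaseName
            PerformServerValidation = & $read 'PerformServerValidation'
            FastReconnect           = & $read 'FastReconnect'
            EnableQuarantineChecks  = & $read 'EnableQuarantineChecks'
        }
    }
}

# Usage: run the three checks in order and flag anything the GPO did not enforce.
$state = Get-WiredAutoConfigState
$state | Format-List
if (-not $state.Compliant) {
    Write-Warning 'dot3svc is not Automatic/Running: the System Services step of the GPO has not applied.'
}
if (Invoke-ComputerPolicyRefresh) {
    $profiles = Get-WiredProfileEapSettings
    $profiles | Format-Table -AutoSize
    foreach ($p in $profiles) {
        if ($p.EnableQuarantineChecks -ne $true) {
            Write-Warning ("Profile {0}: NAP quarantine checks are not enabled." -f $p.Profile)
        }
    }
}
```

    Because the export is taken after the forced refresh, it shows the profile as the GPO left it, so running it again after a user has been through the Settings dialog tells you whether the next refresh really reverts their changes.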

All replies

  • I have already created an IEEE 802.3 Policy, but it only "locked" the Authentication tab of the Network Interface properties.  The "Settings" button was still enabled, and anyone could go in and change any of the Protected EAP Properties such as "Validate server certificate", "Enable Fast Reconnect", or "Enable Quarantine Checking/Enforce Network Access Protection".  My 802.3 Policy disables Fast Reconnect and enables Quarantine/Network Access Protection.  These can be disabled by the user, though.

    Granted, if they changed anything it should change back on the next GPO refresh, but that's not the point.  I would expect those settings to be disabled also, as they were set via GPO.  Granted, this may be something on XP Pro that prevents the "Settings" button from being disabled.  I have not checked on a Vista/7 system yet.

    Friday, November 27, 2009 5:09 AM
  • Hi. Just looking at implementing 802.1x now with my cisco switches.


    Would I be correct in stating that you would have to temporarily disable 802.1x on the port to initially allow this group policy to come through? Or would it work something like with NAP in that you have a remediation server or something?


    Monday, September 20, 2010 10:18 AM
  • I am using 802.1x port authentication and NAP, so my NonNAPCapable and Noncompliant devices get assigned to a guest VLAN that has limited access to Active Directory, so they can apply the basic settings GPOs like this without any problems.  It's just a matter of setting up your ACLs so only the required traffic is allowed to pass to your domain controllers.

    You also need to configure your authenticating device so that if authentication fails the device gets assigned to that guest/restricted VLAN.  On Cisco that means setting the guest-VLAN and authfail-VLAN.  I have them all use the same VLAN.

    Tuesday, September 21, 2010 4:06 AM