Anyone can browse my network

Posted by Kurt on June 29, 2005, 4:21 pm
Hi,

I have a mixed mode 2000 domain. We have a firewall in place.
If someone plugs a laptop into one of our switches, they can browse my
entire network. They can see computers, shares and files.
Is there a way to stop this?

Thanks

Kurt

Posted by Alceryes on June 29, 2005, 6:13 pm
> I have a mixed mode 2000 domain. We have a firewall in place.
> If someone plugs a laptop into one of our switches, they can browse my
> entire network. They can see computers, shares and files.
> Is there a way to stop this?
>

Are they signing into the domain with a correct username and password?
--


"I don't cheat to survive. I cheat to LIVE!!"
- Alceryes





Posted by Steven L Umbach on June 29, 2005, 8:01 pm
You mention firewall but that will normally only prevent access from the
internet unless the firewall is used to protect a network segment of your
network.

If the users are logging onto their laptops with their domain credentials
[even with local account] then they could have the same access as if they
are logging onto authorized domain computers. The solutions could be using
MAC filtering or 802.1X authentication depending on the capabilities of your
network infrastructure or possibly IPsec implementation on the domain. A
computer with a require IPsec policy would not be available to a non-domain
computer in that by default IPsec uses Kerberos computer authentication
before an IPsec session can be created between two computers. Domain
controllers however cannot use IPsec secured communications to communicate
with domain members. Only Windows 2000/2003 and XP Pro are IPsec capable in
a domain. The advantage of IPsec is that it is built in and can be managed
via Group Policy. See the links below if interested in IPsec. You may also
want to implement a computer user policy that prohibits unauthorized
computers being connected to YOUR network. Seeing files may be the least of
your worries when you take worms and hacked computers with backdoors into
account as another security vulnerability from those computers.

--- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx

--- most applies to W2K
http://www.microsoft.com/downloads/details.aspx?FamilyID=10359569-ef11-499a-9e1f-85da3fca608c&displaylang=en

--- using ipsec for server domain isolation.





Posted by Roger Abell on June 30, 2005, 5:17 am
OK, so I am going to take a different approach.
If they are "just anyone" and they happen to find a jack to
plug into . . .
First, you could prevent them from getting a valid IP by how
you have defined DHCP, or better, use 802.1x.
Next, if they can see the names of files, then you do not have
share level permissions set correctly so that they need to
authenticate and be authorized. If they are able to see the
files' content then you also have not set NTFS permissions
adequately.
If you do not like them browsing and seeing all sorts of
machine names listed, then . . .
Why are the machines in the browse list in the first place?
Only machines that do share are of use in the list, so set
the others as hidden. For the reduced browse list, if your
machines required IPsec based on your AD to talk with
each other, then that rogue non-AD machine that gets plugged
in will not be able to get the browse list (or any other access
to machines in the AD for that matter).
So, for starting points . . .
- review your share and NTFS permissions of what is shared
- rethink how you control DHCP leases, and/or look at 802.1x
- reconsider how MS Networking browser is used and take
control over this rather than letting it default to all advertising
- consider using the new IPsec guides for domain isolation
also, although not directly implicated by what you have stated
- check the settings for (disallowing) anonymous enumerations

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
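
Several items in the checklist above (share and NTFS permissions, browse-list advertising, anonymous enumeration) can be checked per host with a short audit script. This is an added PowerShell example, not part of the original thread; it assumes a current Windows version with the SmbShare cmdlets (not the Windows 2000 hosts in the question), an elevated session and English account names, and `Get-RegDword` is a helper defined only for this example.

```powershell
# Added example: audits the local host for items in the checklist above.
# Assumes a current Windows with the SmbShare module, an elevated session,
# and English account names. Get-RegDword is a helper defined here.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$broad    = 'Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests'
$findings = @()

# Anonymous enumeration: a missing or zero value leaves it unrestricted.
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
    if (-not (Get-RegDword $lsa $name)) {
        $findings += "$name is 0 or not set: anonymous enumeration is not restricted by this setting"
    }
}

# Browse list: a host that shares nothing has no reason to advertise itself.
$shares = @(Get-SmbShare -Special $false)
if ($shares.Count -eq 0 -and (Get-RegDword $srv 'Hidden') -ne 1) {
    $findings += 'No user shares, but the host is not hidden from the browse list'
}

# Share-level and NTFS permissions: flag grants to broad principals for review.
foreach ($share in $shares) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $who = ($ace.AccountName -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $who) {
            $findings += "Share '$($share.Name)': $($ace.AccountName) has $($ace.AccessRight) at share level"
        }
    }
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
            $who = ($rule.IdentityReference.Value -split '\\')[-1]
            if ($rule.AccessControlType -eq 'Allow' -and $broad -contains $who) {
                $findings += "Share '$($share.Name)': $($rule.IdentityReference) has $($rule.FileSystemRights) on $($share.Path)"
            }
        }
    }
}

if ($findings) { $findings } else { 'No findings for the checks above.' }
```

The script only reads settings; DHCP lease control, 802.1x and IPsec domain isolation from the same list are network-level controls and are not covered by a per-host check like this.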


