Post admission checks

This discussion group covers new ideas, requests for features and prioritisation of what is to be implemented next.

Postby sean » Fri Sep 29, 2006 8:30 am

Once an end device has been admitted to the LAN (valid MAC etc.), what additional activities can we do, as follow-up, to reduce risks?

- Query the anti-virus server (if there is one) and report online PCs with AV out of date
- Query the WSUS server (if there is one) and report online PCs with Windows patches out of date
- Monitor for a MAC used on more than one port within one minute
- Add PacketFence as an additional measure
- Report "hubs" and compare them against a list of authorised hubs

Feel free to add to this list; it should help us in planning.
sean
 
Posts: 557
Joined: Thu Jun 22, 2006 4:40 pm
Location: Switzerland
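Two of the checks in the list above (a MAC seen on more than one port within a minute, and ports carrying several MACs that are not on the authorised-hub list) are pure detection logic over the switch MAC tables a NAC poller already collects. The block below is an added example of that logic, written here as an illustration; it is not code from the thread or from the NAC project. The observation rows, the switch/port names (sw1, Gi0/...) and the authorised-port list are all constructed sample data.

```powershell
# Added example (not code from the original post or from the NAC project):
# detection logic for two post-admission checks, run over MAC-table
# observations such as a NAC poller collects from switches via SNMP.
# $observations is constructed sample data; 'sw1'/'Gi0/..' are hypothetical
# switch and port names and $authorisedHubPorts is a made-up allow list.

$observations = @(
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:00'; Switch = 'sw1'; Port = 'Gi0/1';  Mac = '00:11:22:33:44:55' },
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:20'; Switch = 'sw1'; Port = 'Gi0/7';  Mac = '00:11:22:33:44:55' }, # same MAC, 2nd port, 20 s later
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:05'; Switch = 'sw1'; Port = 'Gi0/2';  Mac = '00:aa:bb:cc:dd:01' },
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:05:00'; Switch = 'sw2'; Port = 'Gi0/2';  Mac = '00:aa:bb:cc:dd:01' }, # moved 5 min later: an ordinary move
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:10'; Switch = 'sw1'; Port = 'Gi0/12'; Mac = '00:aa:bb:cc:dd:02' },
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:11'; Switch = 'sw1'; Port = 'Gi0/12'; Mac = '00:aa:bb:cc:dd:03' },
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:12'; Switch = 'sw1'; Port = 'Gi0/12'; Mac = '00:aa:bb:cc:dd:04' },
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:13'; Switch = 'sw1'; Port = 'Gi0/24'; Mac = '00:aa:bb:cc:dd:05' },
    [pscustomobject]@{ Time = [datetime]'2007-03-07T09:00:14'; Switch = 'sw1'; Port = 'Gi0/24'; Mac = '00:aa:bb:cc:dd:06' }
)

function Find-MacFlaps {
    # Reports every MAC that appears on two different switch/port locations
    # within $WindowSeconds of each other (default: one minute).
    param([object[]]$Observations, [int]$WindowSeconds = 60)
    foreach ($group in ($Observations | Group-Object -Property Mac)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev = $sorted[$i - 1]; $cur = $sorted[$i]
            $samePort = ($prev.Switch -eq $cur.Switch) -and ($prev.Port -eq $cur.Port)
            if (-not $samePort -and ($cur.Time - $prev.Time).TotalSeconds -le $WindowSeconds) {
                [pscustomobject]@{
                    Mac     = $group.Name
                    From    = "$($prev.Switch)/$($prev.Port)"
                    To      = "$($cur.Switch)/$($cur.Port)"
                    Seconds = [int]($cur.Time - $prev.Time).TotalSeconds
                }
            }
        }
    }
}

function Find-HubPorts {
    # Reports ports carrying more than $MaxMacsPerPort distinct MACs, and
    # whether that port is on the authorised list (known hub, uplink, VM host).
    param([object[]]$Observations, [int]$MaxMacsPerPort = 1, [string[]]$AuthorisedHubPorts = @())
    $Observations | Group-Object -Property Switch, Port | ForEach-Object {
        $macs   = @($_.Group | Select-Object -ExpandProperty Mac -Unique)
        $portId = "$($_.Group[0].Switch)/$($_.Group[0].Port)"
        if ($macs.Count -gt $MaxMacsPerPort) {
            [pscustomobject]@{
                Port       = $portId
                MacCount   = $macs.Count
                Authorised = ($AuthorisedHubPorts -contains $portId)
            }
        }
    }
}

# Ports where several MACs are expected (constructed allow list).
$authorisedHubPorts = @('sw1/Gi0/12')

Write-Output '== MACs seen on more than one port within 60 s =='
Find-MacFlaps -Observations $observations | Format-Table -AutoSize

Write-Output '== Multi-MAC ports not on the authorised list =='
Find-HubPorts -Observations $observations -AuthorisedHubPorts $authorisedHubPorts |
    Where-Object { -not $_.Authorised } | Format-Table -AutoSize
```

Two caveats a practitioner would apply before turning either finding into an enforcement action: uplink and trunk ports legitimately show many MACs, so they must be on the authorised list (or excluded by the poller), and a MAC on two ports within a minute is also what a VM migrating between hosts or a client roaming between access points looks like, so the flap check is a trigger for a closer look rather than proof of MAC spoofing.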

Check admin permissions

Postby megalore » Tue Mar 06, 2007 6:29 pm

Hi,

In a technologically advanced company, I'm faced with a problem where some users remove admin access to their machines (AV monitoring, asset management, etc.).
Wouldn't it be great if I could check, after MAC validation, whether I have admin access to the machine and then remove it or not from the main VLAN?
megalore
 
Posts: 6
Joined: Tue Mar 06, 2007 6:21 pm

Postby sean » Wed Mar 07, 2007 6:57 am

You'd need an agent on each PC to do that, but I can understand the need in some environments.
sean
 

Postby megalore » Wed Mar 07, 2007 1:57 pm

Yes, sure

But it could be made simpler and also powerful.
A simple check with a NETBIOS connection to the machine with a predefined user/password should be enough to check for local firewalls and admin removal.

Are you interested? :)
megalore
 
Posts: 6
Joined: Tue Mar 06, 2007 6:21 pm
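The check described in the post above (an agentless connection to the machine with a predefined account, distinguishing "local firewall in the way" from "our admin rights were removed") can be done from the NAC side with nothing but SMB. The block below is an added example of that check, not code from the thread or from the NAC project. It assumes a domain-joined Windows box with PowerShell 3 or later, that the account in $Credential is the one every managed PC is supposed to keep in its local Administrators group, and a hypothetical host name pc123.corp.example. Moving the port out of the main VLAN is the NAC's own job and is not shown; the function only returns a verdict a NAC policy can act on.

```powershell
# Added example (not code from the thread or from the NAC project) of the
# agentless "do we still have admin access?" check proposed above.
# Assumptions: domain-joined Windows, PowerShell 3+; $Credential is the
# predefined account that should be a local Administrator on every managed PC;
# 'pc123.corp.example' is a hypothetical host name.

function Test-TcpPort {
    # True if a TCP connection to $Target:$Port completes within the timeout.
    param([string]$Target, [int]$Port, [int]$TimeoutSeconds)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)) { return $false }  # filtered / no answer
        $client.EndConnect($async)   # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-RemoteAdminAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        [int]$TimeoutSeconds = 5
    )
    $result = [pscustomobject]@{ ComputerName = $ComputerName; Verdict = ''; Detail = '' }

    # 1. Local firewall check: if TCP/445 is unreachable, AV monitoring and
    #    asset management cannot talk to the box either.
    if (-not (Test-TcpPort -Target $ComputerName -Port 445 -TimeoutSeconds $TimeoutSeconds)) {
        $result.Verdict = 'Firewalled'; $result.Detail = 'TCP 445 closed or filtered'
        return $result
    }

    # 2. Admin check: only local Administrators can open ADMIN$, so a failed
    #    mapping with an account that *should* be admin means the right was removed.
    $drive = 'NacCheck'
    try {
        New-PSDrive -Name $drive -PSProvider FileSystem -Root "\\$ComputerName\ADMIN$" `
                    -Credential $Credential -ErrorAction Stop | Out-Null
        $result.Verdict = 'AdminOK'; $result.Detail = 'ADMIN$ opened'
    } catch {
        # Heuristic on the error text: "denied" = rights removed;
        # "logon"/"password" = the check account itself is broken.
        $msg = $_.Exception.Message
        if ($msg -match 'denied')             { $result.Verdict = 'AdminRemoved' }
        elseif ($msg -match 'logon|password') { $result.Verdict = 'CheckAccountBroken' }
        else                                  { $result.Verdict = 'Unknown' }
        $result.Detail = $msg
    } finally {
        if (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue) { Remove-PSDrive -Name $drive -Force }
    }
    return $result
}

# Usage (interactive prompt for the check account):
# $cred = Get-Credential -Message 'Account that should be local admin on every PC'
# Test-RemoteAdminAccess -ComputerName 'pc123.corp.example' -Credential $cred
```

One design point matters more than the code: the check authenticates a privileged account to every machine on the LAN, including ones whose local admin you have just discovered you no longer control. Use a dedicated account that is a local Administrator on workstations and nothing else, never a Domain Admin, so that a host which captures or relays that authentication gains as little as possible.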

Postby sean » Wed Mar 07, 2007 2:30 pm

Well, there are free tools such as emum3 (not sure of the exact name) that could extract lots of nice useful information (services, software), which could also be stored in the DB to improve inventory data significantly.

Of course you need the appropriate domain rights, and the tools would have to run on a Windows box.

But my problem is a lack of time right now; are you proposing yourself?
sean
 

Postby megalore » Wed Mar 07, 2007 3:34 pm

I think I'm not explaining myself right; this would have to be done *without* installing anything on the machine.
For instance, I have some scripts that pull all kinds of information from machines without installing anything on them (they just need access and rights, exactly what I want to check). This would be something similar, but I don't know how, if it is possible, to integrate these into your NAC.

Installing anything on the machines creates another problem for me, one I have right now with the current inventory software...

I'm not a programmer, but I'm always open to new challenges, and I'm sure I can contribute great ideas for this issue if pointed in the right direction :)

Thanks
megalore
 

Postby sean » Wed Mar 07, 2007 7:15 pm

The enum3 software can, yes, be run remotely. It would not require an agent. An interface to NAC would have to be written, but the idea is interesting, yes.

We have to think about a general policy interface that would allow such tools to be integrated.
sean
 

Postby megalore » Thu Mar 08, 2007 11:41 am

Great!

In the meantime, I will spend some time trying your product.

Thanks
megalore
 

Postby sje » Thu Mar 08, 2007 5:54 pm

Not a NAC solution but I think you could create a group policy for the machines that could force the Domain Admin group into the local Administrators group.

Or take away the local users admin rights. ;)
sje
 
Posts: 73
Joined: Tue Nov 07, 2006 1:39 pm

Postby megalore » Fri Mar 09, 2007 3:47 pm

Unfortunately, GPO just allows me to create the local Administrators group as a whole, not add/remove single users to the already existing ones. And removing the users' local admin rights would be great, if it weren't impossible :)

But thanks for the tips!
megalore
 

Postby sean » Fri Mar 09, 2007 4:17 pm

Could you not have some kind of logon script that verifies the current list against an allow list, and adapts the membership accordingly?

So if a user managed to get local admin, after the next logon it would be gone again?
sean
 
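The script idea in the post above (compare the current local Administrators membership against an allow list and revert the difference at the next boot) is shown below as an added example; it is not code from the thread or from the NAC project. It assumes Windows 10 / Server 2016 or newer for the LocalAccounts cmdlets, hypothetical domain group names under a CORP domain, and deployment as a computer startup script under SYSTEM via GPO rather than a user logon script: a logon script runs with the user's own rights, and a user who is already local admin can simply stop it.

```powershell
# Added example (not code from the thread or from the NAC project) of the
# allow-list reconciliation suggested above. Assumptions: Windows 10 / Server
# 2016 or newer (Get-LocalGroupMember / Remove-LocalGroupMember); the CORP
# group names are hypothetical; deployed as a computer *startup* script (SYSTEM).

# Who may legitimately be in local Administrators. Users who are allowed local
# admin (developers, say) belong to a domain group listed here, so the script
# only reverts additions outside the approved set.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Domain Admins',
    'CORP\Workstation Admins',
    'CORP\Developer Local Admins'
)

function Get-UnexpectedAdmins {
    # Set difference: members that are not on the allow list
    # (-notcontains compares case-insensitively in PowerShell).
    param([string[]]$Current, [string[]]$Allowed)
    @($Current | Where-Object { $Allowed -notcontains $_ })
}

function Repair-LocalAdmins {
    # Removes every unexpected member and writes an event for the NAC / SIEM.
    # With -DryRun it only reports what it would remove.
    param([string[]]$Allowed, [switch]$DryRun)
    $current = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    $extra   = Get-UnexpectedAdmins -Current $current -Allowed $Allowed
    foreach ($member in $extra) {
        if ($DryRun) { Write-Output "Would remove $member"; continue }
        Remove-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
        if (-not [System.Diagnostics.EventLog]::SourceExists('NacAdminCheck')) {
            New-EventLog -LogName Application -Source 'NacAdminCheck'
        }
        # Leave a trail that can be correlated with the MAC/port the NAC holds.
        Write-EventLog -LogName Application -Source 'NacAdminCheck' -EventId 4001 `
                       -EntryType Warning -Message "Removed $member from local Administrators"
    }
    return $extra
}

# Check of the set logic on constructed input (touches no machine state);
# only the member that is not on the allow list is returned.
Get-UnexpectedAdmins -Current @('CORP\Domain Admins', "$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\bob") `
                     -Allowed $AllowedAdmins

# Real run (elevated, or as SYSTEM from the startup script):
# Repair-LocalAdmins -Allowed $AllowedAdmins -DryRun
```

Two practical notes: a group that still holds orphaned SIDs from deleted accounts can make Get-LocalGroupMember fail, in which case parsing `net localgroup Administrators` is the fallback; and a local admin who is determined enough can interfere with Group Policy processing itself, which is why this host-side reconciliation and the network-side admin check discussed earlier in the thread complement rather than replace each other.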

Postby megalore » Fri Mar 09, 2007 4:23 pm

Yes, that could be done; the problem is I cannot remove local admin rights, or else the users would not be able to work properly (mostly developers).
Hence my never-ending quest for solutions to "catch" the misbehaving ones... :D
megalore
 

Postby stevemike11 » Sat Feb 27, 2010 8:22 pm

the problem is i cannot remove local admin rights
stevemike11
 
Posts: 1
Joined: Sat Feb 27, 2010 8:17 pm
Location: portland

