Allow only Domain PCs to access Network

taco

I have been searching for a solution using MS IAS and Cisco switches to allow
only PCs that are JOINED to the domain to get access to the network (using
802.1x and MD5 password authentication).

Using MAC security was OK, but if a user formats his PC he will gain access
to the network without being joined to the domain, since entering only
credentials (while leaving the domain field blank) opens the connection.

I want some advice on the proper approach required to solve this problem

Thanks in advance
 
Dobromir Todorov

Taco,

What's the business case behind this requirement? Although what you require
may be technically doable, it makes sense to analyse how this benefits
business.

If you want to use IAS, I see the following somewhat reasonable option:
Configure 802.1x on Cisco switches and then set IAS to use EAP-TLS for client
authentication, and require client certificates (as in - Computer
certificates - see the Smart Card or Other Certificate option). Make sure
that users haven't got admin access to computer certificate stores (this may
be tricky - see note below) and can't export client certificates and
associated private keys. Configure automatic provisioning for computer
certificates.

Another option that doesn't require certificates would be to request PEAP
authentication for computer accounts. Configure all the domain members to
only use PEAP and use ONLY computer credentials to authenticate. In AD, add
all the computer accounts (and only computer accounts) to a global or
universal group (say - Domain Computers). In IAS, allow PEAP as the only
authentication method, and only allow this for the Domain Computer accounts.
Now users can't authenticate to the network using their user accounts and
passwords, as they are not allowed to authenticate on IAS. Obtaining the
computer account password is only possible if they have local admin rights
(please see my note below on obtaining admin access), or by offline attacks
(if they manage to steal a backup of the computer SAM database).

Now, the issue is that you CAN'T take away admin access from users unless
they really have no physical access to computers. If they have physical
access, they can always boot from a CD into another OS, or boot from the
network, or disconnect the hard disk from the local computer and acquire
admin access to the operating system, then potentially export the computer
certificate from the local computer store, then potentially circumvent the
above IAS/802.1x controls. Alternatively, you may consider storing computer
certificates on SmartCards, or in TPMs but this may require an admin to start
the computer every time it is used, which is definitely cumbersome. Full Disk
Encryption software may also be an option here, and help you protect the
integrity of the operating system and associated data.

--
HTH,
Dob

Visit http://www.iamechanics.com


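As an added illustration of the switch side of the 802.1x setup described in the reply above (example configuration written for this page, not taken from the thread or from Cisco or Microsoft documentation): a Catalyst access-port configuration in classic IOS syntax that hands every port's EAP exchange to IAS as the RADIUS server. The RADIUS server address, VLAN number, interface range and shared secret are placeholders.

```cisco
! Constructed example: Catalyst access switch enforcing 802.1X on user ports,
! with IAS acting as the RADIUS server. 192.0.2.10, VLAN 10, the port range
! and the shared secret are placeholders, not values from this thread.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! 802.1X must be enabled globally; per-port settings do nothing without it.
dot1x system-auth-control
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! The port forwards no traffic until the supplicant passes EAP authentication.
 dot1x port-control auto
 dot1x pae authenticator
 ! Periodic re-authentication so that a disabled computer account or a revoked
 ! certificate loses access without waiting for a link flap.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

The switch only relays EAP; the "domain members only" decision lives in IAS. For the PEAP variant in the reply, the remote access policy would carry the conditions NAS-Port-Type matches Ethernet and Windows-Groups matches the group that holds only computer accounts (Domain Computers in the reply), with PEAP as the sole EAP type in the profile, and the clients' wired network policy would be set to computer-only authentication so that no user credential is ever offered to the switch.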
 
taco

Thanks for the generous replies.

So, from what I understand, the main problem that will arise if users
have physical access to the PCs is that they can transport the certificates
to another PC/OS, given such users have considerable IT awareness. I feel
encryption is very necessary here, and yes, we need to have this kind of
security, unfortunately.

Any idea whether NAC solutions from Cisco, Symantec etc. provide different
approaches, or whether configuring 802.1x is a must in all available solutions?

Regards

 
Dobromir Todorov

Taco,

Cisco NAC and Microsoft NAP may be either 802.1x "on steroids" (EAP packets
with health information in them), or may be more complicated with layer 3
NAC, where TCP/UDP traffic may be used to connect to a policy server (rather
than layer 2 EAP over Ethernet frames, which is the case with 802.1x).

At the same time, Cisco NAC and Microsoft NAP (despite the popular
misconception of them providing ultimate security) suffer from the same
problems. If you give users administrative access, they may potentially
circumvent the NAC or NAP restrictions. NAC and NAP only work if you can
guarantee the integrity of client side components. Let's say you've got a
policy that requires all users to have a personal firewall enabled. If a
user with admin rights replaces the client side NAC/NAP component (Health
Agent) that checks whether the firewall is enabled, and always returns True
(as in - firewall is enabled), then this admin user has already found a way
around NAC/NAP.

Trusted Platform Modules (TPM) in combination with a third party FDE or
BitLocker may be able to guarantee the integrity of some parts of the
operating system but not NAC/NAP components, at least not straight out of
the box. Then again, certificates stored in TPMs or SmartCards are even
better but you may end up having to boot up every PC manually every day, or
every time it is rebooted.

Bottom line is: physical access can still prevail, unless you are willing to
sacrifice convenience of use.

--
HTH,
Dobromir

Visit http://www.iamechanics.com


 
Anteaus

It might also be worth considering that, whether joined or not, security is
only as good as the user password. Joining the domain actually gives the
computer greater rights (such as remote administration rights) than one which
is not joined.

Though I see your point in that computers set up in a nonstandard manner can
jeopardise the maintainability of the system as a whole. For example, a
computer which makes numerous unauthorised UNC accesses to a share can
create a situation where the data in that share can never be moved.

 
taco

Thanks for the reply

I think I am closing in on a solution, unless there are downpoints that I
can't discover yet.

Our systems administrator uses Reflex Disknet Pro on all LAN clients to
restrict usb ports, software installation, and for other policies. He claims
that there is no way that a user, even with Local Admin rights, can remove
the local Reflex agent, and according to the website, it seems to be true.

Now we are looking for a NAC solution that can recognize the Reflex product, so
once a PC connects to our LAN the NAC policy server should search for the Reflex
agent (with appropriate policies) on that PC and, if it is not there, network
access is denied. If a user installs a parallel OS and installs the Reflex agent,
policies will be downloaded to his machine to lock it down.

The Symantec NAC solution, which has a DHCP enforcer plug-in for AD, seems to
be great, but I didn't have time to go into detail, especially for PCs with static
IPs.

Your thoughts on such a solution are welcome

 
S. Pidgorny

All those solutions are compromised by physical access to the network in
question:

http://sl.mvps.org/docs/802dot1x.htm

Again, what is the requirement? IPsec seems to be a robust approach to
securing networks end-to-end. With certs in hardware, even better.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 