The thing I'm not wild about with third-party clients (OS X etc.) is
that they often don't play well with security features like SMB
signing - if the Macs are hitting a Windows file server, most of the
Apple documentation will tell you to turn it off entirely.  Similar
things can also happen if you've got Windows clients needing to hit
Samba shares.

It's really just one of those basic tenets: complexity is the
arch-enemy of security, etc. etc.

- Laura
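
Because the thread turns on exactly this setting, here is an added example (my own, not code from Laura's message or from any vendor documentation) that audits the SMB signing posture of a Windows host and shows the hardened values beside the "turned off entirely" state. The registry paths and value names are the real ones behind the "Digitally sign communications" security-policy settings; the function names Get-SmbSigningState and Set-SmbSigningRequired are my own, and the script assumes local administrator rights for the Set- step.

```powershell
# Added example (not from the thread): audit, and optionally enforce, SMB
# signing on a Windows host by reading the registry values behind the
# "Digitally sign communications" security-policy settings.
# Assumptions: run as a local administrator to change values; on domain
# members prefer pushing these through Group Policy, since a domain policy
# rewrites the registry at the next refresh.

$SmbSigningKeys = @{
    # Server side: "Microsoft network server: Digitally sign communications (always / if client agrees)"
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Client side: "Microsoft network client: Digitally sign communications (always / if server agrees)"
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SmbSigningState {
    <# Reports the signing posture for each role.
         RequireSecuritySignature = 1  -> signing mandatory ("always")
         EnableSecuritySignature  = 1  -> signing negotiated if the peer agrees
       An absent value is reported as 0 (not configured) rather than guessed,
       because the OS default differs by role (DC vs member server). #>
    foreach ($role in $SmbSigningKeys.Keys) {
        $props   = Get-ItemProperty -Path $SmbSigningKeys[$role] -ErrorAction SilentlyContinue
        $require = [int]$props.RequireSecuritySignature
        $enable  = [int]$props.EnableSecuritySignature
        $state = if ($require -eq 1) {
            'Required'                   # hardened: unsigned sessions are refused
        } elseif ($enable -eq 1) {
            'Negotiated (downgradable)'  # a peer that declines signing gets an unsigned session
        } else {
            'Disabled'                   # the "turn it off entirely" advice quoted in the thread
        }
        [pscustomobject]@{
            Role                     = $role
            RequireSecuritySignature = $require
            EnableSecuritySignature  = $enable
            State                    = $state
        }
    }
}

function Set-SmbSigningRequired {
    <# Applies the hardened setting (signing required) for the given roles.
       Use -WhatIf to preview. A third-party client that cannot sign will then
       fail to connect, which is the trade-off Laura describes. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Server', 'Client')]
        [string[]]$Role = @('Server', 'Client')
    )
    foreach ($r in $Role) {
        $path = $SmbSigningKeys[$r]
        if ($PSCmdlet.ShouldProcess($path, 'Require SMB signing')) {
            Set-ItemProperty -Path $path -Name RequireSecuritySignature -Value 1 -Type DWord
            Set-ItemProperty -Path $path -Name EnableSecuritySignature  -Value 1 -Type DWord
        }
    }
}

# Usage: show the current posture, then preview the hardening change.
Get-SmbSigningState | Format-Table -AutoSize
Set-SmbSigningRequired -WhatIf
```

Two caveats worth checking before relaxing anything for a non-Windows client: signing is a per-server property, so setting RequireSecuritySignature to 0 on the file server to accommodate one Mac removes the integrity protection (the thing that stops an SMB session being relayed or tampered with) for every client of that server, not just the Mac; and on a Windows Server 2003 domain controller the server-side "always" setting is normally already enabled by the Default Domain Controllers Policy, so a registry edit there will be reverted at the next policy refresh and the change has to be made, or deliberately not made, in the GPO.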

On 6/8/06, Noah Eiger <[EMAIL PROTECTED]> wrote:

Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

802.1x is the direction they are heading. Right now, it is cost-prohibitive.
So the question is less "can I control this access" than "should I"? Is that
over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see how to
control its distribution. The question is should I limit it to just the
domain computers? How big is the risk? If the risk from home computers is
virus and malware, how do I justify preventing folks from running it on
their home Macs?

Thanks.

-- nme

________________________________

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 07, 2006 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts
My suggestion is that you implement 802.1x port auth to implement port-based
authentication. You can use this to implement guest vlans with the policy
routing you describe.

Isn't the Cisco VPN an MSI? Use Group Policy or SMS if you have it. You can
do some NAC stuff with Cisco VPN as well as the personal firewall built into
it.

I don't see how you plan to prohibit OS X at least – put it on the guest
vlan if you must, but, realize that the marketing, pr, etc people may live
in a Mac world.

Thanks,

Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts

Hi:

I am facing some IT policy questions and wanted to get some perspectives. In
each of these areas, I am trying to determine how restrictive I need to be. The
client has four sites connected over high-speed links. I have good backing
from management but will undoubtedly get resistance on some of these.

The client is small, under 200 employees with most in one office. Some small
field offices are not managed (i.e., have workgroup networks, often with a
small server, but no AD). There are no SOX requirements and the data are not
sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs run
W2k3.

Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any IDS or machine-based
authentication. Given that, written policy carries some weight. I want to
require all non-domain machines to connect only to a "public" VLAN that goes
only to the Internet. I would apply this even to staff "personal" computers,
those of contractors (including me), and machines from those field offices
that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the client only to
domain-based machines. Others want the client for their home computers, etc.

Other Operating Systems. I don't want to allow other OSes on the network,
unless we manage them. But what is the threat posed by a Linux or OS X box
on the network?

As always, many thanks.

-- nme

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006

--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx