Harris,
Are all of your machines bound to your AD domain? There are probably a series of registry checks to restrict access only to your domain machines. I check for our WSUS server here to perform different checks on domain machines compared to non-domain machines.

Bruce Osborne
Liberty University

From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED]] On Behalf Of Newman, Harris
Sent: Friday, March 28, 2008 3:47 PM
To: [email protected]
Subject: [CLEANACCESS] System validation rules

I am beginning a NAC rollout and was wondering if this is possible: We wish to only allow our workstations on our internal network. In looking at the rules available, I can check for registry entries and files, and the contents of each (and date/time stamps for the files). If this information were to get out, it would not be of any use. Once the information becomes known, these checks are worthless. What is needed is some way of ensuring that the equipment is ours.

In the CAM users guide there is a discussion of a "Launch Programs Example" which utilizes a valid data signature signed by certificates in order to have a rule check to see if a service is running that is signed. (What is to stop someone from writing a service with the same name to get around this?)

I guess my question is: Is there a way to programmatically check to see if the system is "ours", i.e. use public/private keys to validate the system is "ours"?

Harris S. Newman, CBCP, CISSP, GCFA
Coordinator, Disaster Recovery
Communications and Technology Management
City of Austin
IM (jabber): [EMAIL PROTECTED]
(512) 974-2456 work, (512) 762-4417 cell, (512) 802-6721 pager, (512) 974-9070 fax
Manager: Teri Pennington, [EMAIL PROTECTED], (512) 974-7761 work, (512) 653-3433 cell
Deputy CIO: Paul Hopingardner, [EMAIL PROTECTED], (512) 974-2408 work, (512) 422-6807 cell
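As an added example (not code from either message, and not Cisco Clean Access's own rule syntax), the PowerShell script below runs on a Windows workstation the two kinds of test the thread discusses: the registry-based domain-membership checks Bruce describes (primary DNS suffix written at domain join, WSUS server URL pushed by Group Policy, the WMI domain flag), and a key-based ownership test of the kind Harris asks about, using the machine certificate an AD certificate authority auto-enrolls into the local computer store. The domain suffix, WSUS URL and CA name are constructed placeholders; the function names are the example's own.

```powershell
# Added example, not from the thread. Approximates on the endpoint the checks
# a NAC posture rule might perform. Assumed organisation values (placeholders):
$ExpectedDomain   = 'corp.example.com'                 # AD DNS suffix
$ExpectedWsusUrl  = 'http://wsus.corp.example.com'     # WSUS URL from GPO
$ExpectedIssuerCN = 'CN=Example Corp Issuing CA'       # issuing CA's subject

function Test-DomainMembership {
    # Registry values a registry-check rule can read. Any local administrator
    # can write these, so they show configuration, not proof of ownership.
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    $wu    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $cs    = Get-WmiObject -Class Win32_ComputerSystem

    return @{
        PrimaryDnsSuffixMatches = ($tcpip -ne $null -and $tcpip.Domain -eq $ExpectedDomain)
        WsusPolicyMatches       = ($wu -ne $null -and $wu.WUServer -eq $ExpectedWsusUrl)
        PartOfDomain            = ([bool]$cs.PartOfDomain -and $cs.Domain -eq $ExpectedDomain)
    }
}

function Test-MachineCertificate {
    # Key-based evidence: a certificate in the computer's personal store that
    # was issued by the organisation's CA, still holds its private key, has not
    # expired, and chains to a trusted root (X509Certificate2.Verify()).
    $candidates = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Issuer -like "$ExpectedIssuerCN*" -and $_.HasPrivateKey }

    foreach ($cert in $candidates) {
        if ($cert.NotAfter -gt (Get-Date) -and $cert.Verify()) {
            return $true
        }
    }
    return $false
}

# Report each check on one line so the output can be compared across machines.
$domain = Test-DomainMembership
$domain.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
'{0,-24} {1}' -f 'MachineCertValid', (Test-MachineCertificate)
```

The registry checks answer Bruce's question (is this a domain machine?) cheaply, but, as Harris notes, anyone who learns the expected values can set them. The certificate check is harder to satisfy because the private key is generated on the machine and never leaves it; it is strongest when the key is actually used in an authenticated exchange with the network (for example certificate-based 802.1X) rather than merely inspected by an agent running on the endpoint being judged.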
