Hi Harris,

I guess the question I have is:

What is your goal?

Is it to only allow machines that are owned by your organization onto the
network?

Or is it to allow users on the network regardless of the machine, as long as
the machine meets your security policy?

Mike

On Fri, Mar 28, 2008 at 3:47 PM, Newman, Harris <
[EMAIL PROTECTED]> wrote:

>  I am beginning a NAC rollout and was wondering if this is possible:
>
> We wish to only allow our workstations on our internal network.  In
> looking at the rules available, I can check for registry entries and files,
> and the contents of each (and date/time stamps for the files).  If this
> information were to get out, it would not be of any use.  Once the
> information becomes known, these checks are worthless.
>
> What is needed is some way of ensuring that the equipment is ours.
>
> In the Cam users guide there is a discussion of a "Launch Programs
> Example" which utilizes a valid data signature signed by certificates in
> order to have a rule check to see if a service is running that is signed.
> (What is to stop someone from writing a service with the same name to get
> around this?).
>
> I guess my question is: Is there a way to programmatically check to see if
> the system is "ours", ie: use public/private keys to validate the system is
> "ours".
>
> Harris S. Newman, CBCP, CISSP, GCFA
> Coordinator, Disaster Recovery
> Communications and Technology Management
> City of Austin
> IM (jabber): [EMAIL PROTECTED]
> (512) 974-2456 work,    (512) 762-4417 cell,   (512) 802-6721 pager,
> (512) 974-9070 fax
>
> Manager: Teri Pennington, [EMAIL PROTECTED], (512) 974-7761
> work,    (512)653-3433 cell
> Deputy CIO.: Paul Hopingardner [EMAIL PROTECTED], (512)
> 974-2408 work,     (512) 422-6807 cell
>

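As an added illustration, not part of either message in this thread and not drawn from any NAC product's documentation: the "public/private keys to validate the system is ours" idea Harris asks about is a challenge-response. Each workstation is provisioned with its own private key at build time and the NAC server stores only the matching public key; at connect time the server sends a fresh random nonce and the machine signs it. Unlike a registry value, file name or service name, nothing the server holds lets an imposter pass the check, and a look-alike service cannot produce the signature without the key. The code below is constructed for this example and uses a small pure-Python RSA with full-domain-hash signatures so that it runs offline; the device ids, key size and 30-second nonce lifetime are assumptions, and a real deployment would use a vetted crypto library with the key held in a TPM or smart card rather than on disk.

```python
"""Constructed NAC device-authentication example (not from the thread)."""
import hashlib
import secrets
import time

# ---- minimal RSA with full-domain-hash signatures (toy size, for the demo) ----

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)). 512 bits is a demo size only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # inverse needs Python 3.8+

def _fdh(msg, n):
    """Hash msg to an integer strictly below n (SHA-256 in counter mode)."""
    need = (n.bit_length() - 1) // 8    # fewer bits than n, so the value is < n
    out, ctr = b"", 0
    while len(out) < need:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(out[:need], "big")

def rsa_sign(priv, msg):
    n, d = priv
    return pow(_fdh(msg, n), d, n)

def rsa_verify(pub, msg, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _fdh(msg, n)

# ---- the challenge-response between NAC server and workstation -------------

CHALLENGE_TTL = 30.0   # assumed nonce lifetime in seconds

def _transcript(device_id, nonce):
    # Bind the signature to this protocol, this device and this nonce so it
    # cannot be reused as a signature over anything else.
    return b"nac-device-auth/v1|" + device_id.encode() + b"|" + nonce

class NACServer:
    def __init__(self):
        self.enrolled = {}   # device_id -> public key, filled at provisioning
        self.pending = {}    # nonce -> (device_id, expiry)

    def enroll(self, device_id, pub):
        self.enrolled[device_id] = pub

    def challenge(self, device_id):
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = (device_id, time.monotonic() + CHALLENGE_TTL)
        return nonce

    def verify(self, device_id, nonce, sig):
        entry = self.pending.pop(nonce, None)   # single use: pop defeats replay
        if entry is None:
            return False
        claimed, expiry = entry
        if claimed != device_id or time.monotonic() > expiry:
            return False
        pub = self.enrolled.get(device_id)
        return pub is not None and rsa_verify(pub, _transcript(device_id, nonce), sig)

class Workstation:
    """Holds the device private key (ideally in a TPM; here just in memory)."""
    def __init__(self, device_id, priv):
        self.device_id, self.priv = device_id, priv

    def respond(self, nonce):
        return rsa_sign(self.priv, _transcript(self.device_id, nonce))

def run_scenario():
    """Enrolled machine passes; a replay and a look-alike with its own key fail."""
    server = NACServer()
    pub, priv = generate_keypair()
    ours = Workstation("ws-001", priv)      # assumed device id
    server.enroll("ws-001", pub)
    # A machine that copied every registry value and file name, and runs a
    # service with the same name, but never received the private key.
    imposter = Workstation("ws-001", generate_keypair()[1])

    nonce = server.challenge("ws-001")
    sig = ours.respond(nonce)
    genuine = server.verify("ws-001", nonce, sig)
    replay = server.verify("ws-001", nonce, sig)          # same nonce again
    nonce2 = server.challenge("ws-001")
    forged = server.verify("ws-001", nonce2, imposter.respond(nonce2))
    return {"genuine": genuine, "replay": replay, "imposter": forged}

if __name__ == "__main__":
    print(run_scenario())
```

The property this buys is that the server-side data (public keys) can leak without consequence, which is exactly the weakness of registry and file checks; the residual risk moves to theft of the private key from the workstation, which is why the key should live in a TPM or smart card and why the nonce is single-use and time-limited so a captured response cannot be replayed.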