Hello, I need some help! We are having a problem with
users logging on to the domain with laptops that are
infected. Is there a way to isolate systems until their AV
definitions are brought current. We are using NAV
Corporate Edition.

Re: How to isolate laptops from domain until AV is current. by Lanwench

Lanwench
Mon Aug 23 20:57:54 CDT 2004

here's a good one wrote:
> Hello, I need some help! We are having a problem with
> users logging on to the domain with laptops that are
> infected. Is there a way to isolate systems until their AV
> definitions are brought current. We are using NAV
> Corporate Edition.

Very simple: Company policy. Nobody is to plug a laptop into the network without
bringing their laptop to the IT staff to be 'scrubbed' six ways to Sunday
first. Anyone caught doing so will be fully or partially decapitated,
depending on the management's whims.

Or, simpler still: nobody is to plug their laptop/home computer/toaster into
the network at all ever no matter what.

You can make this somewhat easier by not leaving 'vacant' cubicles/desks or
whatnot patched into your switch.




Re: How to isolate laptops from domain until AV is current. by Steven

Steven
Mon Aug 23 21:56:52 CDT 2004

I agree with Lanwench. Technical solutions may be to look into switches that can
manage port access by MAC filtering or 802.1X authentication. 802.1X is not something
easily implemented, though MAC filtering can be; it allows only certain MAC
addresses to access the port and can be configured with a memorize mode of currently
connected computers. When you implement your network use policy, make sure you have
users sign a copy that states they understand the policy and consequences. The HP
ProCurve 2524 is a reasonably priced switch with advanced security features. ---
Steve



"here's a good one" <anonymous@discussions.microsoft.com> wrote in message
news:bdd201c4895a$2c3b1cf0$a601280a@phx.gbl...
> Hello, I need some help! We are having a problem with
> users logging on to the domain with laptops that are
> infected. Is there a way to isolate systems until their AV
> definitions are brought current. We are using NAV
> Corporate Edition.



Re: How to isolate laptops from domain until AV is current. by Leon

Leon
Tue Aug 24 05:52:52 CDT 2004

here's a good one wrote:
> Hello, I need some help! We are having a problem with
> users logging on to the domain with laptops that are
> infected. Is there a way to isolate systems until their AV
> definitions are brought current. We are using NAV
> Corporate Edition.

We've made a system whereby if an unregistered Ethernet card is plugged into
the network then the DHCP server issues them an IP address from a temporary
pool which uses a separate DNS server which resolves everything to one
machine. This machine has Apache on it with a 404 document that displays a
message saying they have not registered their machine, therefore when
someone plugs in their machine and tries to e.g. pick up their Hotmail, they
get the message saying they need to disconnect. You could just leave it
there with instructions such as "Unplug your machine from the network and
bring your laptop to the IT support desk to have it checked and registered"
but we went a bit further and made an ActiveX scanner, so if the person's
computer is up to date, it will register them on the network. If not, it
will tell them to fix their machine first!
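Leon's scheme above, as an added example that is not his system's own configuration: an ISC dhcpd config (all addresses, MACs and file paths are constructed assumptions) that gives registered MACs a normal lease and drops everything else into a quarantine pool whose DNS server is the catch-all host.

```conf
# /etc/dhcpd.conf on the DHCP server (ISC dhcpd syntax; values are constructed)
# Hosts whose MAC is listed in the "registered" class get a normal lease;
# every other host lands in the quarantine pool with a short lease and a
# DNS server that answers every query with the quarantine web server.
class "registered" {
  match hardware;
}
# "1:" is the Ethernet hardware-type byte dhcpd expects before the MAC.
subclass "registered" 1:00:11:22:33:44:55;
subclass "registered" 1:00:11:22:33:44:66;

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;

  # Production pool: only members of "registered" may take a lease here.
  pool {
    allow members of "registered";
    range 192.168.1.100 192.168.1.199;
    option domain-name-servers 192.168.1.10;   # real DNS
  }

  # Quarantine pool: everything that is NOT registered ends up here.
  pool {
    deny members of "registered";
    range 192.168.1.200 192.168.1.250;
    option domain-name-servers 192.168.1.20;   # catch-all DNS on the Apache host
    default-lease-time 300;                     # short leases so a host moves to
    max-lease-time 600;                         # the real pool soon after registration
  }
}
```

On 192.168.1.20 a BIND root zone with a wildcard record (`* IN A 192.168.1.20`) resolves every name to the web server, whose Apache `ErrorDocument 404` points at the "not registered" page; registering a laptop is then one more `subclass "registered"` line with its MAC.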



Re: How to isolate laptops from domain until AV is current. by levinson_k

levinson_k
Tue Aug 24 08:36:24 CDT 2004

"here's a good one" <anonymous@discussions.microsoft.com> wrote in message news:<bdd201c4895a$2c3b1cf0$a601280a@phx.gbl>...
> Hello, I need some help! We are having a problem with
> users logging on to the domain with laptops that are
> infected. Is there a way to isolate systems until their AV
> definitions are brought current. We are using NAV
> Corporate Edition.

There are a number of ways to do this.

Use Windows 2003 with Quarantine Server enabled. This is intended to
be for remote access users, but people have used 802.11 authentication
to allow it to work for LAN users as well.

Search the www.symantec.com page for any such solutions they offer.

Also, check with your switch manufacturer. Cisco and other switch
manufacturers offer such solutions as well.

Note that you probably also want a solution that can check for
Microsoft patches as well. A system that has anti-virus but is missing
Microsoft patches still gets infected, and in some cases may still be
able to spread and infect other machines.