IP locker



hi, thanks for reading this, :laugh:

I wanna ask if anyone knows any software that can lock an IP address to a computer. Meaning, once the IP is set, no one can change the IP of that computer. The OS is Windows based (98 or XP etc.) :pinch:

Any other method that you think is relevant, do tell me please. :woot:

For the moment I'm using an admin account to stop users from changing the IP, but it seems it's not working well.

My objective is to ensure no one can manually change the IP address of certain computers.

thanks :D


For Windows XP, as long as the user does not have administrative privileges, they shouldn't be able to change such properties. Not too sure about Windows 98. I know you can set policies, but I'm not sure how well enforced these are (don't have first-hand experience with this, sorry). Can you tell us what your environment is/what your circumstances are in a bit more detail? :ninja:

For the moment I'm using an admin account to stop users from changing the IP, but it seems it's not working well.

I'm not sure exactly what you mean by this. How are you using the Administrator account to prevent users from changing the IP address? Why is it "not working"? Can you elaborate? :D

Edited by fault

For Windows XP, as long as the user does not have administrative privileges, they shouldn't be able to change such properties. Not too sure about Windows 98. I know you can set policies, but I'm not sure how well enforced these are (don't have first-hand experience with this, sorry). Can you tell us what your environment is/what your circumstances are in a bit more detail? :ninja:

I'm not sure exactly what you mean by this. How are you using the Administrator account to prevent users from changing the IP address? Why is it "not working"? Can you elaborate? :D

Log in as admin, and let the user use a limited account. The problem is, somehow the user will eventually know the admin password hehehe

need help plzzzzz, a simple method...


Log in as admin, and let the user use a limited account. The problem is, somehow the user will eventually know the admin password hehehe
So if the user knows the admin password -- how exactly do you think you can lock something down, so even the admin cannot undo it??

If the user has admin on the box, then the user is god on the box - and there is nothing you can do to stop that.. Get a better password is the right answer! ;)

But also sorry to say, if the user has physical access to the machine - it's going to be a pain to keep them from just booting the machine with a CD or floppy and changing the password of the admin account to whatever they want, or just grabbing the SAM and hacking the password.

You could prevent boot from CD, floppy and set a BIOS password to try and stop this.

What I am curious about is why you care what the IP address of the machine is? You're trying to block some IP from access to somewhere, I'm guessing?

Let's forget about the IP address of the machine for a minute - what do you want to prevent the user from doing exactly??


You could prevent boot from CD, floppy and set a BIOS password to try and stop this.

What I am curious about is why you care what the IP address of the machine is? You're trying to block some IP from access to somewhere, I'm guessing?

Let's forget about the IP address of the machine for a minute - what do you want to prevent the user from doing exactly??

If I'm mistaken, if the user has access to the machine, he could reset the BIOS and clear the password if inclined to do so. And, out of curiosity as well, what are you trying to prevent the user from doing? That would help out a whole lot more, as you see that you don't have many options for securing your system, especially if the user has physical access to the machine.


:no: That's the major problem: the users (many users, more than 50) have physical access to the computers (each user owns a PC). As almost everyone knows, hacking the admin password, no matter how complex the password is, is just as easy as eating ice cream. What I'm thinking of is having non-common software that can be passworded and lock files, e.g. the network settings cpl or any files related to IP changing. Therefore it will be hard to discover the workaround to the locked files.

What I'm trying to do is to stop users from changing their IP address. Each computer has its own IP address. I don't have the luxury of having a good server to control or to lock IPs and MAC addresses...

Some IPs are allowed to access the internet and some are not...

Any idea?


So preventing access to the internet is your goal.. Then lock this down with having to auth vs just an IP.. This will require them to present a username and password to get on the internet.. or better yet a digital certificate signed by your CA..

As it seems you have discovered, if a user has physical access to a machine - they can do about anything they want to the machine.. So to control access to something you need to use something that they do not have physical access to, i.e. a user name and password.


First, set the BIOS boot order to HDD first, then CDROM. This way, they won't be able to use any bootable discs that crack Admin passwords.

Second, set a BIOS password so they won't be able to enter the BIOS and change the settings.

Now I don't think they would actually go to the extent of opening up the PC and resetting the BIOS, right? Is that place completely unmonitored? No one to supervise them? If so, then get a cabinet lock - these things go at the place where the cabinet screws are and it's nearly impossible to open them without a key. Of course, if the user has a dremel, it's a different issue :whistle:


Thanks for the replies. The problem is the place is so big, consisting of 4-5 buildings with more than 100s of computers. Some IPs are set so that they are able to access the internet. The major problem is having people bringing notebooks, plugging into the network, stealing an internet-enabled IP, and setting the computer name or user name to blank.

When I try to trace it, the only information I can find is the MAC address. As I was saying before, it's hard to block MAC addresses, as the computer might not be a notebook...

All computers are connected with a fiber optic hub; I do not know the exact location of a computer just by knowing its MAC address.

thanks :( :(

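One way to spot the address takeovers described in the post above, as an added example that is not part of the original thread: it parses Windows `arp -a` output and compares every IP/MAC pair with an inventory of assigned addresses. The inventory, the internet-enabled list and the sample ARP output are constructed values, and the function names are made up for this example.

```python
import re

# Constructed inventory (assumption): MAC of each company machine -> assigned IP.
INVENTORY = {
    "00-11-22-aa-bb-ff": "192.168.1.1",   # gateway
    "00-11-22-aa-bb-01": "192.168.1.21",
    "00-11-22-aa-bb-03": "192.168.1.50",
    "00-11-22-aa-bb-04": "192.168.1.51",
}
# Constructed list of addresses that are allowed out to the internet.
INTERNET_ENABLED = {"192.168.1.21", "192.168.1.22"}

# Constructed sample of what Windows `arp -a` prints; not real data.
SAMPLE_ARP = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-ff     dynamic
  192.168.1.21          00-DE-AD-BE-EF-99     dynamic
  192.168.1.22          00-11-22-aa-bb-03     dynamic
  192.168.1.51          00-11-22-aa-bb-04     dynamic
  192.168.1.60          00-de-ad-be-ef-77     dynamic
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+\w+\s*$"
)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output; header lines do not match ROW."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def audit(arp_text, inventory=INVENTORY, internet_enabled=INTERNET_ENABLED):
    """Return (kind, ip, mac, ip_is_internet_enabled) for every mismatch."""
    expected_ip = {mac.lower(): ip for mac, ip in inventory.items()}
    assigned = set(expected_ip.values())
    findings = []
    for ip, mac in sorted(parse_arp(arp_text).items()):
        if mac in expected_ip:
            if expected_ip[mac] == ip:
                continue                      # machine is on its own address
            kind = "ip_changed"               # company machine, wrong address
        elif ip in assigned:
            kind = "ip_taken_by_unknown"      # foreign MAC on an assigned address
        else:
            kind = "unknown_device"           # foreign MAC on a free address
        findings.append((kind, ip, mac, ip in internet_enabled))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP):
        print(finding)
```

ARP only shows machines in the same broadcast domain, and a MAC address can itself be changed, so this is a tripwire for tracing and not access control.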

Without sounding rude, are you in charge of this network? If so, I don't envy being in your position. You sound as though you have no idea what you're doing. 4-5 buildings with 100 or so computers in each, fiber networking and you can't even get the proper equipment to handle your internet distribution?

I think you need more help than what anyone can give on a forum


I'm with TT on this one -- sounds like you really need some help.

For starters.. Keeping people from just plugging any device into your network and getting an IP could be done with a few different methods; port security comes to mind, i.e. 802.1X

http://en.wikipedia.org/wiki/802.1X

802.1X is available on certain network switches, and can be configured to authenticate hosts which are equipped with supplicant software, denying unauthorized access to the network at the data link layer.

You really need to set up some form of central userbase and auth.. say AD. Machines would need to be a member of the domain to talk and use your network.. This does not stop someone from gaining local access to a piece of hardware they have access to.. but it can be used to keep them from talking on your network, and/or using your internet connection.

Like I said before - you need to set up a method of having to auth to use your internet vs just any IP that is on your network. Something as simple as squid in transparent mode could stop machines from accessing the internet unless they auth with the proper credentials.

It really does sound like you're way over your head here, I would suggest you pull in some help to secure your LAN.. It sounds more like the wild west than any type of business LAN.


Well, now that you've given the complete picture, I think the easiest solution would be to first disable normal internet sharing and run a socks 5 proxy server. Then configure the machines that require net access to use the proxy server.

Additionally, you could deploy a script that'll prevent the user from changing the IP address.

Edited by [deXter]

Yup, I know what you all are thinking, if only the management level understand, I've already deploy proxy server etc. The problem is, I can't request extra budget to fulfill the objective. This is just a short term solution before I get to the management and talk about it. Thanks a lot


Additionally, you could deploy a script that'll prevent the user from changing the IP address.

Please show this script.. Sorry but if they are admin to the box, there is no possible way to stop the user from doing anything they want to that machine - period.

For that matter - you could lock down the OS all you want, could just boot a CD and run some other OS and surf the net, etc..


If you already have a proxy server, what else is needed money-wise? Most proxy servers will allow you to set up user auth. Also, you will need to set a rule on your router to only allow traffic from the proxy; that will take care of your problems, and whatever you have for equipment should be able to handle that.


Please show this script.. Sorry but if they are admin to the box, there is no possible way to stop the user from doing anything they want to that machine - period.

All that's required is social engineering / stealth. Just compile the script and rename it to svchost.exe and you'd be fooling most experienced users. Or even better, bundle the exe with a legit file like explorer.exe so that it autostarts without creating a registry entry. Or more advanced - create a rootkit.

Anyways, the easiest way to do this would be to deny write access to this key : MACHINE\SYSTEM\CurrentControlSet\Services\#SERVICE-NAME#\Parameters\Tcpip using SetACL, for example.

(Where #SERVICE-NAME# is the name of the service under the SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\1 subkey)

Not many people would guess that the ACLs have been explicitly set, and even fewer would know how to edit the ACLs.

For that matter - you could lock down the OS all you want, could just boot a CD and run some other OS and surf the net, etc..

That's why I had suggested the use of a BIOS password to prevent booting from a second OS.

Besides, if a proxy server with auth is used, it won't matter what system they're using - they'll not be able to access the net without the password.


Besides, if a proxy server with auth is used, it won't matter what system they're using - they'll not be able to access the net without the password.

Which is exactly why I suggested both the proxy and BIOS password - before you even posted in this thread ;)

So you're suggesting he rootkit the machines?? Yeah ok that makes sense ;)

And let's be clear about something: social engineering/stealth does not stop an admin account from removing whatever you put in place. It only ups the skill set required to find the block. But all that would be required to find your block would be running regmon, which would point to where the problem is if you did a deny on a specific reg key.

Also

people bringing notebooks, plugging into the network, stealing an internet-enabled IP
How exactly do you plan on installing your rootkit/stealth block to machines that are not even owned by the company?

And let's be clear about something: social engineering/stealth does not stop an admin account from removing whatever you put in place. It only ups the skill set required to find the block. But all that would be required to find your block would be running regmon, which would point to where the problem is if you did a deny on a specific reg key.

Not if the script blocks regmon too :p With just one line of code, you could block all utilities made by Sysinternals. ;)

Also How exactly do you plan on installing your rootkit/stealth block to machines that are not even owned by the company?

There's no easy way to do that.

But I thought we agreed that the proxy server solution would be the best?

I was just elaborating on the script method because I was looking at the possibilities if it were to be implemented. The scope of the script is of course limited to the computers the company owns. The point I want to establish by elaborating on the working of the script is that just because the user had admin privileges doesn't mean that script would be useless. I'm not saying that it'd be 100% foolproof either, but for all practical purposes, it's very much viable and implementable.


And how exactly are you running this script? Since they are admin they could block the running of the script..

Anything that is put in place can be removed or prevented from running when you're admin.. Sorry but that is the point of the admin account ;)

Sure you can rootkit your own machines to the point that normal skilled users would never figure out how to break it, but it only takes one person to figure it out.. then it's in the userbase very quickly.

Having to rootkit your own machines to prevent users from changing something is not what any normal admin should ever have to work out.. For starters, users in any normal company do not have admin rights, and if found circumventing company security on a company machine they should be fired on the spot.. This would prevent any user from attempting such a thing in the future ;)

Your idea of locking down the registry to where the actual IP change takes place is pretty sneaky, and I agree it more than likely would drive most users nuts trying to figure out why their IP won't change ;) But it should not be the direction anyone would look to in locking down "their" network.

It is quite simple and can be done really for FREE to require auth to access your internet connection.. Squid is FREE, all it would take is the short amount of time to configure it.. All that is required is a machine to run it on.

It makes no sense to attempt to lock down every machine that could connect to your network, when all you need to do is lock the door to the internet. That's like putting combination locks on all the windows, and leaving the door wide open..


And how exactly are you running this script? Since they are admin they could block the running of the script..

Anything that is put in place can be removed or prevented from running when you're admin.. Sorry but that is the point of the admin account ;)

Theoretically, yes, but not when the user has no idea of what's going on. How would they block something when they have no idea what to block?


deXter, I don't think you're grasping Budman's responses...... what you want to do is not a 100% solution since it can be "fixed" by anyone with knowledge. It doesn't matter if a select few don't know how to fix it, all it takes is one, as Budman said.

Users should not have admin access rights, PERIOD.


deXter, I don't think you're grasping Budman's responses...... what you want to do is not a 100% solution since it can be "fixed" by anyone with knowledge. It doesn't matter if a select few don't know how to fix it, all it takes is one, as Budman said.

Users should not have admin access rights, PERIOD.

I agree with that too, users should never have admin rights. But it isn't 100% foolproof either. There are plenty of ways one can escalate privileges - even on Vista - and all that info is available freely on the net. Besides, if you read the first post, the author mentions that not all PCs are running XP - some are using 98 too. What would you do for security in those PCs running 98?

Why, even proxy servers are not 100% secure - one could use a network sniffer to find out the passwords directly, or if it's encrypted, they could capture the hashes and brute force / rainbow attack at their leisure.

This is why I'm saying using scripts would help - since it's custom made and there is no publicly available information about it, they wouldn't know how to defeat it. At least, it'd be more difficult than getting admin rights on a system.


This topic is now closed to further replies.