IP locker

Question

sufikasih    0

Hi, thanks for reading this. :laugh:

I want to ask if anyone knows of any software that can lock the IP address of a computer, meaning that once the IP is set, no one can change the IP of that computer. The OS is Windows based (98 or XP etc.). :pinch:

If there is any other method you think is relevant, please do tell me. :woot:

For the moment I'm using an admin account to stop users from changing the IP, but it doesn't seem to be working well.

My objective is to ensure that no one can manually change the IP address of certain computers.

Thanks :D

Recommended Posts

  • 0
[deXter]    0
"deXter, give up; your script idea is worthless. If the users are smart enough to crack the admin password then it would not be unreasonable to think they would be smart enough to see through your script. BudMan's analogy is perfect: it would be like locking every door in your house but the front door."

Sorry, you don't make a valid point. I still stand by my earlier point: there's plenty of info out there on how to crack admin passwords and so on, but with no information whatsoever on this script, how would they see through it?

If you think the script idea is worthless, give me some points on areas where it could fail or how it can be defeated, and I'll try to provide solutions for it.

  • 0
Bgnn32    8

Simple: THEY ARE ADMINS ON THE MACHINE! That means anything run on the machine (i.e. your script) they have control over and can stop. Any semi-knowledgeable person could figure out what is going on.

First they will realize they cannot change the IP address, so then they will look for a cause; using tools like Regmon and other freely available tools they could find the script, disable it and be on their merry way.

Not a hard concept for most to grasp.

  • 0
+BudMan    3,544

BTW, you have not posted your "script"; you have posted a reg key that you believe would stop it from happening -- if you deny permissions on..

I believe you're talking about a one-time setting of permissions; there would not be a script that always runs, etc..

BTW -- I have just set DENY for the local Administrators group on the key in question.. and I am still able to change the IP.

I will reboot to see for sure.

[screenshot attachment: post-14624-1179261261_thumb.jpg]

edit: Back to the drawing board.. that clearly does nothing..

C:\>ipconfig

Windows IP Configuration

Ethernet adapter local:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 10.40.0.63

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.40.0.254

C:\>ipconfig

Windows IP Configuration

Ethernet adapter local:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 192.168.1.100

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

As you can see, the machine booted up with DHCP.. and then I was able to change it.. I set DENY for the local Administrators group and removed all other permissions.

And I am still able to change the IP, etc..

Edited by BudMan

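The two ipconfig captures above show the only host-side evidence of a manual change: the address and default gateway no longer match what the administrator expects. The following Python script is an added example, not code from the thread or from any poster; it parses ipconfig output of that shape, compares each adapter against an expected-configuration table (constructed here; the 10.40.0.x values are taken from BudMan's first capture), and reports mismatches and off-subnet addresses. As the thread points out, a local admin can stop anything that runs on the host, so this is monitoring evidence for the administrator, not enforcement.

```python
import ipaddress
import re

# Expected per-adapter configuration an administrator would record for a
# managed PC (constructed for this example; values match the thread's capture).
EXPECTED = {
    "local": {"ip": "10.40.0.63", "mask": "255.255.255.0", "gateway": "10.40.0.254"},
}

# The two captures BudMan posted: before and after changing the address by hand.
BEFORE = """C:\\>ipconfig

Windows IP Configuration

Ethernet adapter local:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.40.0.63
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.40.0.254
"""

AFTER = """C:\\>ipconfig

Windows IP Configuration

Ethernet adapter local:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):$")
# "Field name . . . . : value" -> field name (letters, spaces, hyphens) and value
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")

# (key in EXPECTED, lower-cased field name as printed by ipconfig)
FIELDS = (("ip", "ip address"), ("mask", "subnet mask"), ("gateway", "default gateway"))


def parse_ipconfig(text):
    """Return {adapter name: {field name: value}} from ipconfig output."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("C:\\"):      # command prompt line, not adapter data
            current = None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {}
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            adapters[current][m.group(1).strip().lower()] = m.group(2).strip()
    return adapters


def check_adapters(text, expected=EXPECTED):
    """Compare parsed ipconfig output with the expected table; return findings."""
    findings = []
    seen = parse_ipconfig(text)
    for name, want in expected.items():
        got = seen.get(name)
        if got is None:
            findings.append(f"{name}: adapter not present in ipconfig output")
            continue
        for label, key in FIELDS:
            actual = got.get(key, "")
            if actual != want[label]:
                findings.append(f"{name}: {key} is '{actual or '<empty>'}', expected '{want[label]}'")
        # A mismatching address that is also outside the expected subnet is a
        # stronger signal of a hand-set static than one inside the DHCP scope.
        ip = got.get("ip address", "")
        net = ipaddress.ip_network(f"{want['gateway']}/{want['mask']}", strict=False)
        try:
            if ipaddress.ip_address(ip) not in net:
                findings.append(f"{name}: {ip} is outside the expected subnet {net}")
        except ValueError:
            findings.append(f"{name}: ip address field unparsable: '{ip}'")
    return findings


if __name__ == "__main__":
    for title, capture in (("before", BEFORE), ("after", AFTER)):
        print(title, check_adapters(capture) or "OK")
```

Run against the "before" capture it reports nothing; against the "after" capture it reports the changed address, the off-subnet address, and the missing default gateway. Feeding it the output of a scheduled `ipconfig` from each managed host gives the administrator a record of when a machine drifted from its assigned configuration, which is what the thread's DHCP-reservation and gateway-side suggestions then act on.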
  • 0
[deXter]    0
"Simple: THEY ARE ADMINS ON THE MACHINE! That means anything run on the machine (i.e. your script) they have control over and can stop. Any semi-knowledgeable person could figure out what is going on.

First they will realize they cannot change the IP address, so then they will look for a cause; using tools like Regmon and other freely available tools they could find the script, disable it and be on their merry way.

Not a hard concept for most to grasp."

Ever been infected by the Virtumonde trojan? I challenge you to remove Virtumonde without booting into any other OS, removing it from within your OS. You can try booting in Safe Mode, you can try setting it to delete on reboot, and you can try any general Sysinternals utility like Process Explorer, Autoruns, ProcMon, etc. To be fair, don't use any anti-malware app like Spybot.

And what do you find? That it's nearly impossible to manually delete it. If you try to terminate the process or delete the file, you get an "Access Denied". If you set PendingFileRenameOperations to delete it on bootup, it'll delete that reg entry. If you delete the autostart registry keys, it'll write them again. It even starts in Safe Mode, so you can't even delete it from there! My point is, a well-written program can easily thwart any 'semi-knowledgeable' person, even if they're able to figure out what's causing the problem.

--

Besides, if you read my earlier posts, I said it's quite easy for the script to disable Regmon and similar tools; it just takes a single line of code.

I know you won't believe me, so I made a demo program: NoSysinternals.

Download

This program will block all Sysinternals utilities. It will appear with a blank icon in your system tray, and right-clicking it will give you an option to exit. As long as it's active, you won't be able to open any Sysinternals utility. In no time at all I can add support for other tools, I can emulate group policy settings like disabling the Task Manager, and I can even use the same tricks that Virtumonde uses.

-----

@BudMan:

The script and the reg key are two different things. One could set the permissions on the reg key as the first line of defence. The script could be used for added protection, to disable registry, debugging and monitoring tools.

Btw, you set the permissions wrongly.

Here's the right way to do it:

[screenshot attachment: tcpippermissions1ps1.th.png]

• Open the Permissions box and click on "Advanced".

• Uncheck the option "Inherit from parent the permission....". In the "Security" box that pops up, click the "Remove" button. This should clear up all the permission entries. If it doesn't, then manually select them and remove.

• Now in the "Advanced Security Settings" box, click the "Add" button.

• Click the "Advanced" button.

• Click the "Find Now" button.

• Select "Everyone" in the list and click "OK".

• Click "OK".

• In the "Permission Entry" box that opens up, enter the 'Deny' permissions as you see in the above picture. Check the rest of them as "Allow". Do not check "Full Control" in either the deny or the allow permissions.

• If you did the above correctly, you'll find two permission entries for 'Everyone', one of 'Allow' and one of 'Deny' type. Once again, confirm this with the above picture.

• Click OK on all the open boxes and get back to regedit.

• If you try to modify or delete a key, you'll get an error like this:

[screenshot attachment: tcpippermissions2bs7.png]

It means that you've done this successfully. Now you need to repeat the same for these three other keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\#SERVICE-NAME#

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\#SERVICE-NAME#\Parameters\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\#SERVICE-NAME#

Now try changing your IP address from, say, the TCP/IP properties of your network connection in Control Panel. Now here's the best part: it'll prompt you saying that you need to reboot for the changes to take place. It looks like it worked and all, so you reboot, and after the reboot you'll find that your IP address hasn't changed at all! No error messages, and everything looks normal; this would flummox even experienced users, who won't have a clue as to why the IP never changed!
  • 0
Simon-    492

I think that it's worth mentioning that DHCP servers can assign the same IP address each time by setting a reservation based on the MAC address.
  • 0
Bgnn32    8

:no: If these users are smart enough to get the admin password (which, from the sounds of things, they are getting using a program like OphCrack or some other hash-cracking program), then they are most likely smart enough to clean a script from a machine. You can continue to make yourself look foolish if you wish, but the fact is you are flat out wrong.

Besides, as BudMan has said repeatedly, where is this script you speak of?

Fact is, you're dealing with smarter-than-average users with admin rights; there is nothing they can't do.

What I would like to know is, if the users are this smart at this company and this guy can't get a proxy with user auth set up, then why is he the one in charge of the computers?
  • 0
+BudMan    3,544

Your NoSysinternals is pretty kewl.. but how exactly do you plan on running this? And what if I use a different tool? It does not stop command-line Sysinternals stuff btw ;) But it did shut down ProcMon and Regmon -- nice.. care to share the source?

You should not have to freaking rootkit the machines you're in charge of to lock them down ;)

Your example of the virus is supposed to show what exactly? BTW, there are tools to remove that without having to boot another OS; reboot yes, different OS no..

So you're wanting to use the methods viruses use to lock down your machine?? Is that what you're trying to say?? Does that sound like good advice to you? Does that sound like the most efficient method of locking down his gateway? Rootkit all the machines on his network?

Nor does your method stop them from booting another OS or, as already stated, bringing in other hardware, etc.. Don't get me wrong -- blocking the reg entries would stop most users.. But once the userbase figured out how it was done, the fix would spread like wildfire. Then you would have to figure out another way, etc.. A never-ending battle to rootkit your own hardware ;)

I think we agree the most logical way to control his problem is to lock down the gateway.

@QR DHCP reservations do not stop the user with admin rights from setting a static. Or changing the MAC address ;)
  • 0
IrfanL    30

This has been a very interesting discussion. But as BudMan recommended earlier, the IEEE 802.1X-enabled internet gateway (proxy) is the only reasonable solution for this scenario.

I faced a similar kind of problem at one of the customer sites. But the problem went a step further: after implementing the 802.1X mechanism, the users started to share their usernames & passwords with non-authorized users. As a solution, we had to use the PEAP extension with 802.1X and issued digital certificates to each authorized user.
  • 0
Echilon    1

Interesting thread, but do you think you could be over-estimating the intelligence of your users? Most of the people I work with would have no idea how to change their IP.

  • 0
+Leddy    0

If your users can get admin access on their own machines, then you'll have to control access on the server-side. A proxy server is your only solution.

Or you can set MAC deny on your wireless APs and assess each user individually for internet access.

  • 0
+BudMan    3,544
"over-estimating the intelligence of your users?"

That really has nothing to do with it; it's clear someone was smart enough ;) Or he would not have had to ask the question.. It only takes one to show the rest. Does not take a rocket scientist to bring in their laptop btw.
  • 0
Sophism    8

Following BudMan's suggestions will solve your problem; however, I think the bigger issue is why the hell employees are getting away with this ****? Make an example of a couple of people and put up notices that outside devices (laptops etc.) will be grounds for dismissal.