Blocking access to my network.
R4_M9
10-25-2006, 10:04 AM
I am currently managing a Windows Server 2003 network environment with 80 computers and a couple of ClarkConnect firewalls. Is there any way to block out rogue computers (i.e. laptops people bring in from home and plug in) using either the server OS or perhaps my firewalls? I only ask because I am unaware of anything other than using managed switches.
Thanks all.
Well the easiest way would be to only allow one connection per desk and have that connected to the PC you supply. That way they won't have extra free connections to put personal laptops on. You could also do very tight DHCP so that you only have as many IPs as needed.
You would probably want to do that in combination with something to prevent them from disconnecting the PC you supply though. You don't have managed switches? What do you want exactly, just the personal laptop to not be able to connect to anything on the network?
R4_M9
10-25-2006, 11:07 AM
I have IP addresses refresh every 3 days, so I guess I could do static IPs and narrow the range as you suggested, Erik. But to answer your questions: no, I don't want home laptops on my network. For some reason home users don't believe in anti-virus software, or at least scanning their computers. At least not at my work. :)
juniper
10-25-2006, 11:28 AM
If you don't want rogue machines on your network you are limited without managed switches. However, do this:
Keep using DHCP, BUT set the DHCP server to use ONLY "reservations" for all the PCs, essentially statically mapping MAC addresses to the IP addresses DHCP will hand out. (You also have the MAC addresses in your DHCP table right now, so setup is very easy.)
This way ...
1. rogue computers will not get an IP address at all.
2. Set your firewall to only allow these IP addresses out (in case they get wise and put a static address in).
3. You didn't have to go to each computer and set static addresses, and you still have the ability to push down routes, domains, default gateways, change NetBIOS node type, etc. through the DHCP server.
Problem is if they do use static they will have access to internal network resources since you do not have managed switches.
Also you could still create a dynamic range on the DHCP server so rogue boxes will be able to get to internal resources but not to the internet since they would be outside the reservation addresses and not get past the firewall.
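
An added example, not part of any post in this thread: the reservation-only approach above, with a check for the gap it leaves (a machine with a hand-set static address still reaches internal hosts). It builds `netsh dhcp server ... add reservedip` commands from a MAC-to-IP list and audits `arp -a` output against that list. The scope, MACs, IPs, hostnames and ARP output are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data: scope, reservations and `arp -a` output are made up.
SCOPE = "192.168.1.0"
RESERVATIONS = {  # MAC -> (reserved IP, hostname)
    "00-11-22-33-44-AA": ("192.168.1.10", "DESK-01"),
    "00-11-22-33-44-BB": ("192.168.1.11", "DESK-02"),
}
ARP_OUTPUT = """\
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.10          00-11-22-33-44-aa     dynamic
  192.168.1.11          00-de-ad-be-ef-01     dynamic
  192.168.1.50          00-de-ad-be-ef-02     dynamic
"""

# Matches the data rows of Windows `arp -a` output: IP, dash-separated MAC, type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
    re.I | re.M,
)

def norm(mac):
    """Normalise a MAC to upper-case, dash-separated form."""
    return mac.upper().replace(":", "-")

def netsh_commands(scope, reservations):
    """One reservation command per PC; netsh takes the MAC without separators."""
    return [
        f"netsh dhcp server scope {scope} add reservedip "
        f"{ip} {norm(mac).replace('-', '')} {name}"
        for mac, (ip, name) in reservations.items()
    ]

def audit_arp(arp_text, reservations):
    """Return (ip, mac, reason) for every ARP entry that breaks the reservation list."""
    by_mac = {norm(m): ip for m, (ip, _) in reservations.items()}
    reserved_ips = set(by_mac.values())
    findings = []
    for ip, mac in ARP_LINE.findall(arp_text):
        mac = norm(mac)
        if mac not in by_mac:
            reason = ("unknown MAC on reserved IP" if ip in reserved_ips
                      else "unknown MAC, unreserved IP")
        elif by_mac[mac] != ip:
            reason = "known MAC on wrong IP"
        else:
            continue
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    print("\n".join(netsh_commands(SCOPE, RESERVATIONS)))
    for finding in audit_arp(ARP_OUTPUT, RESERVATIONS):
        print("CHECK:", *finding)
```

The audit only sees hosts that are in the ARP cache of the machine it runs on, so it is best run on a server that every client talks to, such as the DHCP server or domain controller.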