How to block a non-company laptop from infecting the network
My company has a Win2000 environment with only one domain. Without the IT department's pre-approval, a user brought in his Win2000 home laptop and connected it to the company network. He set it to join a workgroup instead of the domain. This way, he won't need to log on to the domain, but still can map to a few known shared folders. We would like to find a way to block this method to avoid any non-company laptop infecting the network with viruses. Is there a way to disable the 'workgroup' under Win2000?
No, you cannot disable workgroup. And, if a user brings in a computer and plugs it in, if his computer is infected with a virus or worm, it may spread itself in many ways -- not just by connecting to a file share. One solution, however, to prevent rogue computers from connecting to a file share, is to write an IP security policy for file servers that requires connections from workstations to negotiate the policy. If you require Kerberos for authentication of the IPSec policy negotiation, no computer that is not a domain member will be able to successfully negotiate a connection.
This was first published in November 2003
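One way to build the file-server policy described in the answer above, as an added example that is not part of the original answer. It assumes a file server where the `netsh ipsec static` context is available (Windows Server 2003 or later; on Windows 2000 the same policy is built in the IP Security Policies snap-in), and the policy, filter list, filter action and rule names are hypothetical.

```batch
@echo off
rem Added example: run on the file server from an administrative prompt.
rem All object names below are hypothetical placeholders.
set POLICY=FileServer-RequireKerberos
set FLIST=Inbound-SMB
set FACTION=Require-IPsec

rem 1. Create the policy unassigned, without the default response rule,
rem    so nothing changes on the wire until step 5.
netsh ipsec static add policy name="%POLICY%" description="Kerberos-authenticated IPsec for file shares" activatedefaultrule=no assign=no

rem 2. Match only inbound file-sharing traffic: SMB (TCP 445) and the
rem    NetBIOS session service (TCP 139). Outbound connections from this
rem    server to domain controllers use an ephemeral source port and are
rem    not matched, so the server can still reach a DC for Kerberos.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes

rem 3. Require negotiation. inpass=no rejects unsecured inbound packets
rem    and soft=no disables fallback to cleartext, so a peer that cannot
rem    complete the negotiation gets no connection at all.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Tie filter list and action together with Kerberos as the only
rem    authentication method. A workgroup machine has no domain computer
rem    account, so it cannot authenticate the negotiation.
netsh ipsec static add rule name="SMB-Kerberos-Only" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem 5. Activate the policy on this server.
netsh ipsec static set policy name="%POLICY%" assign=y

rem 6. Review what was stored.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Domain workstations need an IPSec policy of their own that answers the negotiation, for example the built-in "Client (Respond Only)" policy assigned through Group Policy. Because `soft=no` cuts off every client that cannot negotiate, assign the server policy to one test server first and confirm that domain members can still map their shares.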