Policies vs Network Access Control



  • @marcinozga said in how to prevent non domain users from getting ip configuration:

    Why do you allow them to wipe the PCs? Disable booting from USB, optical drives and floppy, and everything that's not the drive main OS is installed on, and password protect BIOS.

    Next time you catch a user wiping their drive, take it to upper management and recommend termination of said employee. Once the word gets out, nobody will try any more shenanigans.

    the user wipe his computer cuz the department in charge of helpdesk is not doint its job, it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    @marcinozga said in how to prevent non domain users from getting ip configuration:

    Why do you allow them to wipe the PCs? Disable booting from USB, optical drives and floppy, and everything that's not the drive main OS is installed on, and password protect BIOS.

    Next time you catch a user wiping their drive, take it to upper management and recommend termination of said employee. Once the word gets out, nobody will try any more shenanigans.

    the user wipe his computer cuz the department in charge of helpdesk is not doint its job, it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol

    Then lock the PC properly. If their helpdesk is unwilling or unable to fix things, it's not your problem anymore. If this place is really such a mess, then why do you get involved? Get your concerns and recommendations in writing, pass it on to upper management, and let them handle it.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    some users format their PCs in order to gain full access over their machine

    And they don't get fired? If not, then management has approved this and IT should not be involved. This isn't a technical problem, this is an HR problem.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol

    You can't have any rules over employees? They can do literally anything? In the US, any employee doing this anywhere, even public sector or professors, would be fired immediately. Potentially charged with a crime as this would constitute "hacking" and is a federal crime to try to work around security, especially government security.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    the user wipe his computer cuz the department in charge of helpdesk is not doint its job

    So basically what you are describing is a rise of shadow IT because formal IT is failing. The users, who can't be fired which is the same as being authorized to do this, are doing so to work around a department refusing to let them work.

    Sounds like the employees getting off of the domain are the good ones trying to get work done. Why stand in their way? If they can't be fired, then they aren't doing anything wrong (wrong for an employee = something you can be fired for), so why get between them and getting work done?



  • @scottalanmiller said in how to prevent non domain users from getting ip configuration:

    @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    some users format their PCs in order to gain full access over their machine

    And they don't get fired? If not, then management has approved this and IT should not be involved. This isn't a technical problem, this is an HR problem.

    This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.



  • @Dashrender said in how to prevent non domain users from getting ip configuration:

    This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.

    While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    I suspect that once these shadow-IT operators wipe their systems and can't do their jobs

    That's why you don't want to go through any extra effort to block them from doing work. Don't become part of the "stopping people from working" chain, unless management tells you to.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    @Dashrender said in how to prevent non domain users from getting ip configuration:

    This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.

    While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.

    If their wiping of their machines is what caused them to not be able to work - then they themselves caused the problem - not IT.

    I'd be curious what was driving them to wipe and reload their machines in the first place? They want to visit pokemon sites and the corporate image won't allow that, so they wipe to bypass something? LOL

    I mean - come on, what business reason are they using for wiping their machine?



  • @scottalanmiller right, but things like accessing an smb share could be complicated from just unbinding from the domain.

    So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    right, but things like accessing an smb share could be complicated from just unbinding from the domain.

    He can't block unbinding, he can only block them being able to work once they do.

    If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.

    Sounds like the obvious answer is to remove AD because AD isn't functional in the organization (because of the helpdesk.)



  • @scottalanmiller said in how to prevent non domain users from getting ip configuration:

    @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    right, but things like accessing an smb share could be complicated from just unbinding from the domain.

    He can't block unbinding, he can only block them being able to work once they do.

    If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.

    End users should never be able to unbind an domain joined computer (at least on Windows) you need elevated permissions to do this properly aka without having to reload their computers to do their job.

    I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.

    If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    End users should never be able to unbind an domain joined computer

    If they need to to do their jobs because AD is blocking them from working they sure should.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    you need elevated permissions to do this properly aka without having to reload their computers to do their job.

    But they just reload. No issue there.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.

    As a business owner, you really can never put any blame on shadow IT if they do it to do their jobs. And if they ever are in a position where that makes sense to do, the team in the way should be in trouble. Circumventing someone sabotaging the business should never be a bad thing.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)

    All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.



  • @scottalanmiller said in how to prevent non domain users from getting ip configuration:

    @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)

    All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.

    That may be the current marching orders, but IT has their own set obviously which is causing this issue. So management needs to get their heads out of the sand and get everyone on a uniform policy.



  • Sounds like this place has no company policies or no enforced company policies.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    That may be the current marching orders, but IT has their own set obviously which is causing this issue.

    No reason to believe that. It's common (and we see it here) that IT will add unneeded, or un-requested controls. Unless we know that management made this a policy, we have to assume that it is not. And we can essentially prove it is not by whether or not management enforces it. Which we know that they do not. So we have our answer. Maybe the require IT to offer it, but that seems extremely unlikely. But they definitely not require that people use it.



  • @Obsolesce said in how to prevent non domain users from getting ip configuration:

    Sounds like this place has no company policies or no enforced company policies.

    That's one possibility. But it's also very possible that some department added AD without there being a policy. Policies could exist to block things like AD, but a "negative" policy is unlikely.



  • But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

    Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.



  • @scottalanmiller said in how to prevent non domain users from getting ip configuration:

    But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

    Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.

    I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?



  • @Obsolesce said in Policies vs Network Access Control:

    @scottalanmiller said in how to prevent non domain users from getting ip configuration:

    But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

    Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.

    I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?

    That's basically what I am saying... it sounds like any attempt to stop the workers from rebuilding their machines and leaving the domain should be avoided, because they are the ones trying to do their jobs and are not breaking any rules in doing so. Or at least no enforced rules, which amounts to the same thing. I think the attempt to stop them from getting network access shouldn't happen because if the helpdesk makes it so that they can't work because of AD, then any attempt to keep them on AD is an attempt to keep them from working.



  • I kind of agree with @scottalanmiller in principal, but from a business point of view this is so ass backwards that it isn't really fixable with any IT tool(s)

    • IT staff heads need roll. They so fundamentally failed their job at this point there is no way you can trust the leadership of IT to fix this. I mean its so far behind what we usually call poor IT.

    • Policies and Procedures must be drafted and reviewed by management and employees. It is important that every involved manager and employee signs that they have read, understand, and agree to follow said policies and procedures.

    • This is likely going to take at least a year to begin this process because you have to first of all implement proper controls, then implement policies and procedures, and finally get complete buy in from everyone and force them to read and sign everything.



  • This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.



  • @IRJ said in Policies vs Network Access Control:

    I kind of agree with @scottalanmiller in principal, but from a business point of view this is so ass backwards that it isn't really fixable with any IT tool(s)

    • IT staff heads need roll. They so fundamentally failed their job at this point there is no way you can trust the leadership of IT to fix this. I mean its so far behind what we usually call poor IT.

    • Policies and Procedures must be drafted and reviewed by management and employees. It is important that every involved manager and employee signs that they have read, understand, and agree to follow said policies and procedures.

    • This is likely going to take at least a year to begin this process because you have to first of all implement proper controls, then implement policies and procedures, and finally get complete buy in from everyone and force them to read and sign everything.

    https://media1.tenor.com/images/5d35f9f67fca22f09bb55f9ce02046a4/tenor.gif?itemid=5368101



  • @IRJ said in Policies vs Network Access Control:

    This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

    At this point - that seems very unlikely if you have users who are willing to nuke their own machines and reinstall. They'll likely demand or at least attempt to demand local admin rights.



  • @Dashrender said in Policies vs Network Access Control:

    @IRJ said in Policies vs Network Access Control:

    This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

    At this point - that seems very unlikely if you have users who are willing to nuke their own machines and reinstall. They'll likely demand or at least attempt to demand local admin rights.

    Really just becomes the same as BYOD. Easy enough to manage. Not ideal, but doable.



  • @scottalanmiller said in Policies vs Network Access Control:

    @Dashrender said in Policies vs Network Access Control:

    @IRJ said in Policies vs Network Access Control:

    This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

    At this point - that seems very unlikely if you have users who are willing to nuke their own machines and reinstall. They'll likely demand or at least attempt to demand local admin rights.

    Really just becomes the same as BYOD. Easy enough to manage. Not ideal, but doable.

    Exactly - better model in most cases anyhow.
    Just change how you (the OP) deliver services.


Log in to reply