Security Basics mailing list archives

Re: information harvesting from within the network


From: Alexander Klimov <alserkli () inbox ru>
Date: Sun, 22 May 2005 11:15:57 +0300 (IDT)

On Fri, 20 May 2005, ddjjembe 2 wrote:

> Background:
> I work in a university that has university typical security practices.
> Currently any authenticated user can scan the parts of the network with
> tools like LANguard or Nessus and obtain a considerable amount of
> information from them. Most of the computers in our network are Windows
> computers. We also have departments with Macs and *nix machines.
>
> Goal:
> If possible, lock down the Windows computers with group policies and/or
> templates to disable this potential unauthorized information harvesting
> by users and then restrict scanning ability to the security group with LDAP
> permissions. Am I on the right track here?
>
> I would like to achieve this without using a host based firewall.

Probably you should first make clear why you want to stop this
`unauthorized information harvesting.' Note that the names of your
hosts are likely known from `Entire Network,' and it is very likely
that in a university environment every host is more or less the same
with respect to what services it runs and what `vulnerabilities' it
has, e.g., if you have VNC installed on one host most likely it is
installed on almost every other host (and even with the same
password).

Note that whatever you do to stop scanning from Windows would not
stop somebody plugging in his laptop and running nmap from it (or just
booting a Linux live CD on the host).

-- 
Regards,
ASK
