RE: information harvesting from within the network

["Andrew Shore" <andrew.shore () holistecs com>]

VLANs are a management tool not a security tool. There are many ways to
"jump" vlans with in a switch.

Andy

-----Original Message-----
From: Jason Lopez [mailto:jaylpz () sbcglobal net] 
Sent: 21 May 2005 03:32
To: 'ddjjembe 2'
Cc: security-basics () securityfocus com
Subject: RE: information harvesting from within the network

If you have any manage switches, you could put them on separate VLans,
and
deny them access to your private network...

My two-cents
jay
-----Original Message-----
From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com] 
Sent: Thursday, May 19, 2005 7:40 PM
To: security-basics () securityfocus com
Subject: information harvesting from within the network

Background:
I work in a university that has university typical security practices.  
Currently any authenticated user can scan the parts of the network with 
tools like LANguard or Nessus and obtain a considerable amount of 
information from them.   Most of the computers in our network are
windows 
computers.  We also have departments with MACs and *nix machines.

Goal:
If possible, lock down the Windows computers with group policies and/or 
templates to disable this potential unauthorized information harvesting 
users and then restrict scanning ability to the security group with LDAP

permissions.  Am I on the right track here?

I would like to achieve this without using a host based firewall.

Group policies have large pool of settings to pick from.  Narrowing it
down 
to a few that disable at least portions would be appreciated.

Thanks,

ddjembe

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/