NAC - Check client machine is on the domain or running SOE?

Just wondering if there is a way to check whether the client is on an SOE (standard operating environment) and/or the computer is part of the domain?

Basically I have a requirement that only SOE machines are allowed to connect. At the moment user auth is working, along with some standard checks like AV. That still works, though, if they bring their own machine from home and use AD credentials on that machine instead, which is what I'm trying to avoid.

At the moment I have only come up with a custom check for the domain value in the registry:

HKLM\System\currentcontrolset\services\tcpip\parameters\domain = abc.com

I assume that can be forged by anyone keen enough, whereas machine authentication/domain membership can't. Is there a better way to do this? I've searched around a bit and can't find anything.


2 Replies

thejman85
Level 1
(Accepted Solution)

We have a similar policy for Faculty/Staff at the University I work for. We do something similar, but use a couple of keys from HKCU\Volatile Environment; this is combined with checks for ONLY the AV version we centrally push to our clients and some additional software we deploy via logon scripts. Having the AV rule only check for the specific McAfee versions we deploy catches most personal computers, but the regkey checks catch the few others that happen to have the same version.

Your best option here (IMHO) is keeping the things you check for closely guarded, so that people really have to put effort into knowing what they have to change in order to be compliant. Of course you will see them fail over and over if they are doing this to check their work, so be on the lookout for that too.
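As an added example (not code from the thread or from any NAC product), here is a PowerShell posture check that combines the signals the question and the reply mention: the Tcpip\Parameters Domain value, the OS's own domain-join state, a HKCU\Volatile Environment value, and the exact version of the centrally deployed AV, so that a single forged registry value no longer produces a pass. The domain name and the AV name/version are placeholders, and all four inputs are still local data, so this raises the effort needed to pass rather than replacing machine authentication.

```powershell
# Added example, not code from the thread or from any NAC product.
# Placeholders: replace the domain and AV values with your own.
$ExpectedDomain    = 'abc.com'   # domain from the question; use your AD DNS name
$ExpectedAvName    = 'McAfee'    # placeholder: DisplayName prefix of the AV you deploy
$ExpectedAvVersion = '0.0.0.0'   # placeholder: the exact DisplayVersion you push

function Get-InstalledVersion {
    param([string]$DisplayNamePrefix)
    # Installed-software entries live under the Uninstall keys (64- and 32-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$DisplayNamePrefix*" } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-SoePosture {
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $vol   = Get-ItemProperty -Path 'HKCU:\Volatile Environment' -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        # Signal 1: the value from the question. A local administrator can set it with one command.
        RegistryDomain = ($tcpip.Domain -eq $ExpectedDomain)
        # Signal 2: the OS's own join state; populated by an actual domain join, not by editing one value.
        DomainJoined   = ([bool]$cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain))
        # Signal 3: USERDNSDOMAIN is only populated for an interactive logon with a domain account.
        #           PowerShell's -eq is case-insensitive, so the upper-case registry value still matches.
        DomainLogon    = ($vol.USERDNSDOMAIN -eq $ExpectedDomain)
        # Signal 4: exact AV version, as in the reply; a home install of the same product usually differs.
        AvVersion      = ((Get-InstalledVersion -DisplayNamePrefix $ExpectedAvName) -eq $ExpectedAvVersion)
    }

    # Require every signal; a machine that fails any one of them is reported as non-compliant,
    # and the per-check detail tells you which signal was missing.
    [pscustomobject]@{
        Compliant = -not ($checks.Values -contains $false)
        Details   = $checks
    }
}

Test-SoePosture
```

Run it as the logged-on user (signal 3 reads HKCU); repeated failures of only one signal from the same host are the "fail over and over" pattern the reply says to watch for.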

Thanks, I assume from the lack of other responses that this is probably the best way to do it. I'll investigate adding some more registry keys. There really should be a way for the NAC client to perform machine authentication as a check/rule, or combined with the user auth component.

Security through obscurity does not seem like the best solution that should be available. This should be a fairly common requirement for companies who have an SOE and are deploying NAC.
