Policies vs Network Access Control

IT-ADMIN

@marcinozga said in how to prevent non domain users from getting ip configuration:

Why do you allow them to wipe the PCs? Disable booting from USB, optical drives and floppy, and everything that's not the drive main OS is installed on, and password protect BIOS.

Next time you catch a user wiping their drive, take it to upper management and recommend termination of said employee. Once the word gets out, nobody will try any more shenanigans.

the user wipe his computer cuz the department in charge of helpdesk is not doint its job, it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol

marcinozga

@IT-ADMIN said in how to prevent non domain users from getting ip configuration:

@marcinozga said in how to prevent non domain users from getting ip configuration:

Why do you allow them to wipe the PCs? Disable booting from USB, optical drives and floppy, and everything that's not the drive main OS is installed on, and password protect BIOS.

Next time you catch a user wiping their drive, take it to upper management and recommend termination of said employee. Once the word gets out, nobody will try any more shenanigans.

the user wipe his computer cuz the department in charge of helpdesk is not doint its job, it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol

Then lock the PC properly. If their helpdesk is unwilling or unable to fix things, it's not your problem anymore. If this place is really such a mess, then why do you get involved? Get your concerns and recommendations in writing, pass it on to upper management, and let them handle it.

scottalanmiller

@IT-ADMIN said in how to prevent non domain users from getting ip configuration:

some users format their PCs in order to gain full access over their machine

And they don't get fired? If not, then management has approved this and IT should not be involved. This isn't a technical problem, this is an HR problem.

scottalanmiller

@IT-ADMIN said in how to prevent non domain users from getting ip configuration:

it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol

You can't have any rules over employees? They can do literally anything? In the US, any employee doing this anywhere, even public sector or professors, would be fired immediately. Potentially charged with a crime as this would constitute "hacking" and is a federal crime to try to work around security, especially government security.

scottalanmiller

@IT-ADMIN said in how to prevent non domain users from getting ip configuration:

the user wipe his computer cuz the department in charge of helpdesk is not doint its job

So basically what you are describing is a rise of shadow IT because formal IT is failing. The users, who can't be fired which is the same as being authorized to do this, are doing so to work around a department refusing to let them work.

Sounds like the employees getting off of the domain are the good ones trying to get work done. Why stand in their way? If they can't be fired, then they aren't doing anything wrong (wrong for an employee = something you can be fired for), so why get between them and getting work done?

Dashrender

@scottalanmiller said in how to prevent non domain users from getting ip configuration:

@IT-ADMIN said in how to prevent non domain users from getting ip configuration:

some users format their PCs in order to gain full access over their machine

And they don't get fired? If not, then management has approved this and IT should not be involved. This isn't a technical problem, this is an HR problem.

This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.

DustinB3403

@Dashrender said in how to prevent non domain users from getting ip configuration:

This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.

While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

I suspect that once these shadow-IT operators wipe their systems and can't do their jobs

That's why you don't want to go through any extra effort to block them from doing work. Don't become part of the "stopping people from working" chain, unless management tells you to.

Dashrender

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

@Dashrender said in how to prevent non domain users from getting ip configuration:

This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.

While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.

If their wiping of their machines is what caused them to not be able to work - then they themselves caused the problem - not IT.

I'd be curious what was driving them to wipe and reload their machines in the first place? They want to visit pokemon sites and the corporate image won't allow that, so they wipe to bypass something? LOL

I mean - come on, what business reason are they using for wiping their machine?

DustinB3403

@scottalanmiller right, but things like accessing an smb share could be complicated from just unbinding from the domain.

So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

right, but things like accessing an smb share could be complicated from just unbinding from the domain.

He can't block unbinding, he can only block them being able to work once they do.

If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.

Sounds like the obvious answer is to remove AD because AD isn't functional in the organization (because of the helpdesk.)

DustinB3403

@scottalanmiller said in how to prevent non domain users from getting ip configuration:

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

right, but things like accessing an smb share could be complicated from just unbinding from the domain.

He can't block unbinding, he can only block them being able to work once they do.

If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.

End users should never be able to unbind an domain joined computer (at least on Windows) you need elevated permissions to do this properly aka without having to reload their computers to do their job.

I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.

If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

End users should never be able to unbind an domain joined computer

If they need to to do their jobs because AD is blocking them from working they sure should.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

you need elevated permissions to do this properly aka without having to reload their computers to do their job.

But they just reload. No issue there.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.

As a business owner, you really can never put any blame on shadow IT if they do it to do their jobs. And if they ever are in a position where that makes sense to do, the team in the way should be in trouble. Circumventing someone sabotaging the business should never be a bad thing.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)

All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.

DustinB3403

@scottalanmiller said in how to prevent non domain users from getting ip configuration:

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)

All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.

That may be the current marching orders, but IT has their own set obviously which is causing this issue. So management needs to get their heads out of the sand and get everyone on a uniform policy.

Obsolesce

Sounds like this place has no company policies or no enforced company policies.

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

That may be the current marching orders, but IT has their own set obviously which is causing this issue.

No reason to believe that. It's common (and we see it here) that IT will add unneeded, or un-requested controls. Unless we know that management made this a policy, we have to assume that it is not. And we can essentially prove it is not by whether or not management enforces it. Which we know that they do not. So we have our answer. Maybe the require IT to offer it, but that seems extremely unlikely. But they definitely not require that people use it.