Preventing Network Connections Outside the Corporate Network

Murat Yildirimoglu, murat@muratyildirimoglu.com, November 2006

 

One of our clients asked us to prevent corporate laptops from being connected to the networks other than the corporate network. I found a solution for this request.

First, some background info. When a user logs on, his/her authentication is done thru a DC. The knowledge of the DC authenticating the user can be seen in the “logonserver” environment variable (you can see the environment variables and their data when you issue “set” command in a command prompt). The logon information about the user is also cached in the client machine in case the DCs are unavailable. When the client machine cannot reach a DC, the user is authenticated using this cached information. And in this latter case also, logonserver variable reports the last DC.

On the DCs there is a share called “Netlogon”. Every user has a permission to access there. The user profiles are stored under the Documents and Settings folder, in the system partition. Under the Documents and Settings folder, there is the All Users folder, containing the files and settings for all users.

Now, we can make use of these information.

1) I place a file in the Netlogon share, for example, test.txt

2) On the machines to be restricted, I place a batch file (text files with .bat extensions) under the \Documents and Settings\All Users\Start menu\Programs\ Startup. In this batch file, the commands are as follows:

@echo off

if exist %logonserver% \netlogon\ test.txt goto :end

ipconfig /release tskill svchost

:end

 

First line prevents the echoing the commands. Second line tests the existence of the test file. If there is the file (hence the client machine can reach out the DC) nothing is done. But if there is not a file (that is, the client machine cannot reach out the DCs because the machine is on a different network), the IP address is released in the third line, and, DHCP client (and some related services) are killed; so that the client machine cannot obtain a valid IP address).

This batch file is run everytime a user logs on to the machine. There are two cases:

1) The computer is on the corporate network. In this case, the machine obtains an IP address from a DHCP server and with this IP address, it can reach the DC and the existence of the test file can be verified successfully. Batch file does nothing to prevent the connection in this case.

 2) The computer is not on the corporate network. In this case, the machine obtains an IP address from a DHCP server on that network. It will not be possible to access to the DCs and hence, the existence of the test file cannot be verified, the IP address is released, and the DHCP client service is stopped. The machine cannot connect to anywhere.

 

The above solution assumes that the user has administrative rights on the computer (to release the IP address and to stop the svchost.exe, the administrator has to have administrative rights). If not, the solution can be modified so that the batch files does its work regardless the users.

 

Windows 2000 and above computers has something called startup script. Start up scripts are run when the computer boots up. Startup scripts are placed in the  \Windows\system32\grouppolicy\machine\scripts\startup folder. And in the startup scripts logonserver variable cannot be used because when the

 

Murat Yildirimoglu

www.muratyildirimoglu.com