Policies vs Network Access Control
-
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
it is a public sector, so as i security guy i want just to minimize the risk, it is complicated when we are talking about public sector, you don't have that control over the employee since you cant fire him lol
You can't have any rules over employees? They can do literally anything? In the US, any employee doing this anywhere, even public sector or professors, would be fired immediately. Potentially charged with a crime as this would constitute "hacking" and is a federal crime to try to work around security, especially government security.
-
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
the user wipe his computer cuz the department in charge of helpdesk is not doint its job
So basically what you are describing is a rise of shadow IT because formal IT is failing. The users, who can't be fired which is the same as being authorized to do this, are doing so to work around a department refusing to let them work.
Sounds like the employees getting off of the domain are the good ones trying to get work done. Why stand in their way? If they can't be fired, then they aren't doing anything wrong (wrong for an employee = something you can be fired for), so why get between them and getting work done?
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
some users format their PCs in order to gain full access over their machine
And they don't get fired? If not, then management has approved this and IT should not be involved. This isn't a technical problem, this is an HR problem.
This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.
-
@Dashrender said in how to prevent non domain users from getting ip configuration:
This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.
While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
I suspect that once these shadow-IT operators wipe their systems and can't do their jobs
That's why you don't want to go through any extra effort to block them from doing work. Don't become part of the "stopping people from working" chain, unless management tells you to.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
@Dashrender said in how to prevent non domain users from getting ip configuration:
This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.
While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.
If their wiping of their machines is what caused them to not be able to work - then they themselves caused the problem - not IT.
I'd be curious what was driving them to wipe and reload their machines in the first place? They want to visit pokemon sites and the corporate image won't allow that, so they wipe to bypass something? LOL
I mean - come on, what business reason are they using for wiping their machine?
-
@scottalanmiller right, but things like accessing an smb share could be complicated from just unbinding from the domain.
So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
right, but things like accessing an smb share could be complicated from just unbinding from the domain.
He can't block unbinding, he can only block them being able to work once they do.
If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.
Sounds like the obvious answer is to remove AD because AD isn't functional in the organization (because of the helpdesk.)
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
right, but things like accessing an smb share could be complicated from just unbinding from the domain.
He can't block unbinding, he can only block them being able to work once they do.
If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.
End users should never be able to unbind an domain joined computer (at least on Windows) you need elevated permissions to do this properly aka without having to reload their computers to do their job.
I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.
If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
End users should never be able to unbind an domain joined computer
If they need to to do their jobs because AD is blocking them from working they sure should.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
you need elevated permissions to do this properly aka without having to reload their computers to do their job.
But they just reload. No issue there.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.
As a business owner, you really can never put any blame on shadow IT if they do it to do their jobs. And if they ever are in a position where that makes sense to do, the team in the way should be in trouble. Circumventing someone sabotaging the business should never be a bad thing.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)
All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)
All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.
That may be the current marching orders, but IT has their own set obviously which is causing this issue. So management needs to get their heads out of the sand and get everyone on a uniform policy.
-
Sounds like this place has no company policies or no enforced company policies.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
That may be the current marching orders, but IT has their own set obviously which is causing this issue.
No reason to believe that. It's common (and we see it here) that IT will add unneeded, or un-requested controls. Unless we know that management made this a policy, we have to assume that it is not. And we can essentially prove it is not by whether or not management enforces it. Which we know that they do not. So we have our answer. Maybe the require IT to offer it, but that seems extremely unlikely. But they definitely not require that people use it.
-
@Obsolesce said in how to prevent non domain users from getting ip configuration:
Sounds like this place has no company policies or no enforced company policies.
That's one possibility. But it's also very possible that some department added AD without there being a policy. Policies could exist to block things like AD, but a "negative" policy is unlikely.
-
But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.
Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.
Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.
I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?