Storing MAC addresses in AD
#1  27-07-2009  Member (Join Date: Jul 2009, Posts: 3)
Storing MAC addresses in AD

Hi,

I run a set of AD managed servers (both unix and Windows) and keep most of my users in the normal schema. My users (on the whole) use a wide array of laptops/desktops to connect to these servers in a multi-team office and many users have more than one laptop or use VMs within their laptop and so have more than one mac-address associated with them.

To ensure that security requirements are met, I currently manage a list of mac-addresses that are allowed to connect to this network (for a Cisco VMPS server). At present, this is purely a flat, annotated file but I'd like to move this information into AD if possible.


I had hoped there would be a way to add custom attributes to a user but cannot yet find one.

Right now I can see two possible approaches (both should ignore disabled users):

1. write a custom script for our VMPS server to query AD directly

2. write a sync script to query all objects within AD and regenerate the flat file on a periodic basis.

Without adding custom attributes, all I can see is to make use of the notes field and parse multiple mac-addresses out of this section.

Is this the best approach?

cheers,

#2  27-07-2009  Richard Mueller [MVP]
Re: Storing MAC addresses in AD

"boris52" <boris52.3vzi3b@DoNotSpam.com> wrote in message
news:boris52.3vzi3b@DoNotSpam.com... (quoting post #1 in full)


Do you currently, or do you plan to, do something with the MAC addresses
other than keep track of them in a list? Would the userWorkstations attribute
help? userWorkstations, a single-valued attribute, is a comma delimited list
of the NetBIOS names of the workstations the user is allowed to log on to. AD
actually enforces this. If there are any names in the list, the user can
only log on to those workstations. I don't see how you could enforce your
list of MAC addresses, other than to detect new addresses, perhaps in a
logon script.

If you keep track of MAC addresses in AD, you can save them in a comma
delimited list. The "info" attribute corresponds to the "Notes" field on the
"Telephones" tab of ADUC. Would it make more sense to save the MAC address
in an attribute of the computer object?

--
Richard Mueller
MVP Directory Services
--
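One way to implement the OP's second approach (a periodic sync that reads AD and regenerates the flat file), using the "info" (Notes) attribute suggested above and skipping disabled accounts. This is an added example, not code from the thread or from either poster; the sample records, the LDAP filter shown in the comment and the VMPS line format are assumptions to check against your own setup.

```python
import re
from collections import defaultdict

ACCOUNTDISABLE = 0x2  # bit in userAccountControl that marks a disabled account

# Matches 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 inside free text.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})(?![0-9A-Fa-f])"
)

# A live run would fill `records` from an LDAP search such as (assumed filter)
# (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# requesting sAMAccountName, userAccountControl and info.
SAMPLE_USERS = [  # constructed sample records shaped like AD user attributes
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "info": "laptop 00:11:22:33:44:55\r\nVM on laptop 00-11-22-33-44-56"},
    {"sAMAccountName": "bob", "userAccountControl": 514,  # 512 | ACCOUNTDISABLE
     "info": "desktop 0011.2233.4457"},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "info": "shares alice's VM: 00:11:22:33:44:56, spare 0011.2233.4458"},
]

def normalize_mac(mac):
    """Return the MAC as Cisco dotted hex (xxxx.xxxx.xxxx), lower case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def extract_macs(info_text):
    """Pull every MAC out of the annotated Notes text, ignoring the annotations."""
    return [normalize_mac(m) for m in MAC_RE.findall(info_text or "")]

def build_allow_list(records):
    """Return ({mac: owner}, {mac: [owners]}); the second dict lists MACs that
    more than one enabled user claims, which the operator should resolve."""
    owners = defaultdict(list)
    for rec in records:
        if int(rec.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            continue  # disabled users never contribute addresses
        for mac in extract_macs(rec.get("info")):
            if rec["sAMAccountName"] not in owners[mac]:
                owners[mac].append(rec["sAMAccountName"])
    allow = {mac: users[0] for mac, users in owners.items()}
    conflicts = {mac: users for mac, users in owners.items() if len(users) > 1}
    return allow, conflicts

def render_vmps(allow, vlan_name):
    """Emit one VMPS database line per MAC (line format assumed, not from the thread)."""
    return "\n".join(f"address {mac} vlan-name {vlan_name}" for mac in sorted(allow))
```

Any MAC in the conflicts dict is worth reviewing before the file is pushed, since the sync would otherwise silently attribute it to whichever user was returned first.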
#3  27-07-2009  Joe Dunn
RE: Storing MAC addresses in AD


Managing a list of allowed MAC addresses is a lot of administrative overhead
to add what is only a thin line of security. MAC filtering is not a
particularly secure method of allowing and disallowing access to a network.
MACs can be easily impersonated. Have you considered 802.1x authentication
on your switches instead?

Best Regards
Joe Dunn
MCSE, MCTS, CCNA


"boris52" wrote: (quoting post #1 in full)

#4  27-07-2009  Member (Join Date: Jul 2009, Posts: 3)
Re: Storing MAC addresses in AD

Quote: Originally Posted by Richard Mueller [MVP] (post #2, quoted in full)
I have a set of users who are using arbitrary desktops/laptops that I don't control running a mixture of MacOS, Linux and Windows. My interest in this kit is to ensure that only specific hardware can use the network ports to access the servers, while by default anyone else cannot. Given the complexity I don't ever expect to add these into the AD.

I think I want to use the 'userWorkstations' for this either, since I may want to use this functionality to restrict access to servers on a per-user basis.

Since I need to support multiple mac-addresses it does sound like I will need to use the notes field. I had thought of extending the schema to add this parameter in somehow, but even if I did that, the new attribute(s) would not be controllable from the 'user properties' panel.

Have I missed something?

cheers
#5  27-07-2009  Member (Join Date: Jul 2009, Posts: 3)
Re: Storing MAC addresses in AD

Hi,

I'm aware of the limitations of mac-filtering and the abilities to spoof past this. However, the thin line of security is sufficient for our needs since the majority of people we wish to exclude from using this network are the non-technical ones. Basically, we need to stop people just plugging in and using it.

802.1x is a sledgehammer to crack a nut in this instance and while it can provide a bulletproof solution in all(?) circumstances, the administrative overhead in both the backend and on a wide variety of frontend clients would significantly outweigh the added security.

cheers


Quote: Originally Posted by Joe Dunn (post #3, quoted in full)