Going Beyond User Security and Device Controls: Three More Ways to Secure Your Network

Introduction
Now it is time to look beyond user security and device controls for your network security.
Let’s start with MAC address filtering, login restrictions and SSLVPN remote access endpoint
control. Best of all, you may already own everything you need to get it done. Let’s take a look.

1. MAC Filtering
Everything that gets an IP address assigned to it has a MAC (media access control) address.
You can think of it as the serial number of that network connection. This includes wired and
wireless devices, by the way. MAC filtering is a way of preventing unauthorized
devices from getting an IP address and, therefore, from getting on your network. Long common in
wireless networks, MAC filtering is also available on wired networks. All versions of Windows
since 2008 R2 include MAC filtering. Worried that someone can connect to your network from
any Ethernet jack in the building? Set up your DHCP server to collect authorized MAC
addresses, and then enable MAC filtering for that extra measure of security.

2. Login Restrictions
One of the lesser-used but highly useful capabilities of Windows networking is the ability of the
same user to log in from multiple machines. Used in concert with “roaming profiles”, it can
greatly improve the efficiency of users who move among machines. Locally installed software
doesn’t move with the user, but roaming profiles really provide a better experience for those who
need them. But what if you want to do the opposite: restrict users to just a few machines or a
single machine? Once again, that capability, integrated into Windows for more than a decade, just
needs to be configured. Login restrictions can also extend to times of day and days of the week,
offering you that much more control over who uses what, when and where.
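
One way to configure both restrictions from PowerShell, as an added example that is not part of the original article: it limits a hypothetical user `jsmith` to two hypothetical workstations and to weekdays 08:00-18:00 local time. It assumes the ActiveDirectory (RSAT) module and a fixed whole-hour UTC offset.

```powershell
# Added example: user and computer names are hypothetical placeholders.
Import-Module ActiveDirectory

function New-LogonHoursBytes {
    param(
        [Parameter(Mandatory)][DayOfWeek[]]$Days,   # allowed days, local time
        [Parameter(Mandatory)][int]$StartHour,      # first allowed hour, 0-23
        [Parameter(Mandatory)][int]$EndHour,        # first denied hour, 1-24
        [Parameter(Mandatory)][int]$UtcOffsetHours  # e.g. -5 for UTC-05:00
    )
    # logonHours is 21 bytes = 168 one-hour slots, stored in UTC.
    # Slot 0 is Sunday 00:00-01:00 UTC; bit 0 of each byte is its earliest hour.
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour to UTC and wrap around the week boundary.
            $slot  = ((([int]$day * 24) + $h - $UtcOffsetHours) % 168 + 168) % 168
            $index = $slot -shr 3
            $bytes[$index] = $bytes[$index] -bor (1 -shl ($slot -band 7))
        }
    }
    return ,$bytes   # leading comma keeps the array from being unrolled
}

$user         = 'jsmith'                          # hypothetical account
$workstations = 'FRONTDESK-01', 'FRONTDESK-02'    # hypothetical computer names

# Assumption: a fixed offset of UTC-05:00. The stored mask is in UTC, so the
# local window moves by an hour when daylight saving time changes.
$hours = New-LogonHoursBytes -Days Monday,Tuesday,Wednesday,Thursday,Friday `
             -StartHour 8 -EndHour 18 -UtcOffsetHours (-5)

# -WhatIf previews the change without writing it to the directory.
Set-ADUser -Identity $user `
    -LogonWorkstations ($workstations -join ',') `
    -Replace @{ logonHours = [byte[]]$hours } `
    -WhatIf

# Read the values back to confirm what is actually set on the account.
Get-ADUser -Identity $user -Properties LogonWorkstations, logonHours |
    Select-Object SamAccountName, LogonWorkstations,
        @{ Name = 'LogonHoursHex'; Expression = { ($_.logonHours | ForEach-Object { $_.ToString('X2') }) -join ' ' } }
```

Remove `-WhatIf` to apply the change; until then the read-back shows the account's existing values.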

3. SSLVPN Endpoint Controls
If you are using the integrated remote access capabilities of Windows (RWW or RWA), you have
little control over the devices that access your network. For example, if an authorized user is
connecting from a compromised machine (infected with malware, for example), you have no way
to identify, much less prevent, that access using only basic Windows remote access options. But
most modern firewalls and SSLVPN devices provide you some degree of endpoint control. You
can set the device to verify that the remote device has an approved and updated antivirus client,
that it has updated patches and even that it runs only an approved operating system (all from a
list you specify). Once more, this capability may well be built into your firewall already, so use it.

Summary
If you manage a Windows network, you know that security is a constant challenge. But if you
are running a recent version of Windows Server, and have a modern firewall in place, you will
probably find all of these capabilities already at your fingertips. Just use them!