How to block arp -a command domain wide .

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,
I am running windows 2000 server and Exchange server
2000 and we hahe around 200 clients in a single network.
i found that some users are using the command arp -a and
finding the mac id of servers.then by editing the mac id
of their machine the are trying to bring down our servers.
How to disable this arp command. or how to get rid of this
security risk?

Can anybody help.

Thanks in advance
1 answer Last reply
More about block command domain wide
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    First you enable auditing of object acces for all your computers and then
    audit the arp file on each computer and you fire or expel those users who
    are trying to compromise your server. That should stop that activity real
    quick. For more info on auditing see the link below. Note that they may not
    be using arp from the default location in \winnt\system32. There are also
    programs like Ethereal that can be used to monitor packet traffic and can
    use filters to narrow down the search or software firerwalls like Sygate
    that can be used just for their logging capabilities.

    http://www.microsoft.com/technet/security/guidance/secmod144.mspx

    To answer your question, you can use Group Policy to manage file
    permissions. For instance to change permissions for arp at the default
    location you would make and entry for %systemroot%\system32\arp and
    configure permissions and select replace. Do that under computer
    configuration/Windows settings/security settings/file system. For users you
    could also try to go to user configuration/administrative templates/system
    and add arp.exe to the list of disallowed Windows applications where you may
    also want to disable the command prompt and registry editing while there
    after reading the full explaination of what these settings do. Note that is
    extremely hard to restrict users that have power user or administrator
    access to their local computer. --- Steve


    "Venoy" <anonymous@discussions.microsoft.com> wrote in message
    news:203b601c4590a$c0f679a0$a501280a@phx.gbl...
    > Hi all,
    > I am running windows 2000 server and Exchange server
    > 2000 and we hahe around 200 clients in a single network.
    > i found that some users are using the command arp -a and
    > finding the mac id of servers.then by editing the mac id
    > of their machine the are trying to bring down our servers.
    > How to disable this arp command. or how to get rid of this
    > security risk?
    >
    > Can anybody help.
    >
    > Thanks in advance
Ask a new question

Read More

Command Prompt Servers Windows