How to block arp -a command domain wide.

Guest

Archived from groups: microsoft.public.win2000.security

Hi all,
I am running Windows 2000 Server and Exchange Server
2000 and we have around 200 clients in a single network.
I found that some users are using the command arp -a and
finding the MAC ID of servers. Then, by editing the MAC ID
of their machine, they are trying to bring down our servers.
How to disable this arp command, or how to get rid of this
security risk?

Can anybody help.

Thanks in advance
 
Guest

First you enable auditing of object access for all your computers and then
audit the arp file on each computer and you fire or expel those users who
are trying to compromise your server. That should stop that activity real
quick. For more info on auditing see the link below. Note that they may not
be using arp from the default location in \winnt\system32. There are also
programs like Ethereal that can be used to monitor packet traffic and can
use filters to narrow down the search, or software firewalls like Sygate
that can be used just for their logging capabilities.

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

To answer your question, you can use Group Policy to manage file
permissions. For instance, to change permissions for arp at the default
location you would make an entry for %systemroot%\system32\arp and
configure permissions and select replace. Do that under computer
configuration/Windows settings/security settings/file system. For users you
could also try to go to user configuration/administrative templates/system
and add arp.exe to the list of disallowed Windows applications, where you may
also want to disable the command prompt and registry editing while there,
after reading the full explanation of what these settings do. Note that it is
extremely hard to restrict users that have power user or administrator
access to their local computer. --- Steve


"Venoy" <anonymous@discussions.microsoft.com> wrote in message
news:203b601c4590a$c0f679a0$a501280a@phx.gbl...
> Hi all,
> I am running Windows 2000 Server and Exchange Server
> 2000 and we have around 200 clients in a single network.
> I found that some users are using the command arp -a and
> finding the MAC ID of servers. Then, by editing the MAC ID
> of their machine, they are trying to bring down our servers.
> How to disable this arp command, or how to get rid of this
> security risk?
>
> Can anybody help.
>
> Thanks in advance
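
A monitoring-side complement to the auditing and logging suggested in the reply above, as an added example that is not part of the original thread: it parses `arp -a` output captured on an administrator's machine and flags a server IP that answers with an unexpected MAC, or a server MAC that shows up on a non-server IP. The addresses, the baseline and the function names are constructed for illustration.

```python
import re

# One ARP cache row as printed by Windows "arp -a": IP, MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)

# Constructed sample of "arp -a" output (not taken from the thread).
SAMPLE_ARP_OUTPUT = """
Interface: 10.0.0.50 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.0.0.10             00-0c-29-aa-bb-01     dynamic
  10.0.0.11             00-0C-29-DE-AD-02     dynamic
  10.0.0.57             00-0c-29-aa-bb-01     dynamic
"""

# Constructed baseline: server IP -> MAC recorded while the network was known good.
BASELINE = {
    "10.0.0.10": "00-0c-29-aa-bb-01",  # file server (assumed)
    "10.0.0.11": "00-0c-29-aa-bb-02",  # Exchange server (assumed)
}

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output; header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_mac_conflicts(table, baseline):
    """Compare an ARP table with the trusted baseline and list mismatches."""
    server_macs = {mac.lower() for mac in baseline.values()}
    findings = []
    for ip, mac in sorted(table.items()):
        expected = baseline.get(ip)
        if expected is not None and mac != expected.lower():
            # A server IP is being answered by a MAC that is not the server's.
            findings.append(("server-ip-new-mac", ip, mac))
        elif expected is None and mac in server_macs:
            # A non-server address is presenting a server's MAC (cloned MAC).
            findings.append(("server-mac-on-other-host", ip, mac))
    return findings

if __name__ == "__main__":
    for finding in find_mac_conflicts(parse_arp_table(SAMPLE_ARP_OUTPUT), BASELINE):
        print(finding)
```

Run against periodic captures, the findings give the IP and MAC to look up in switch port tables and in the object-access audit logs.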