Finding and Controlling Personal Computers on a Company Network
Phil Biundo
Finding and controlling personal computers on a company network can be a difficult task, but there are several things an IT manager can do to restrict their use. This requires cooperation from management and the establishment of clear IT policies. Without proper controls, users and visitors will connect their personal computers to the company network, which may strain resources such as bandwidth.
Pirated software often arrives on personal computers. Such software may carry viruses and malware that degrade the performance of network computers, spread to other machines, or perform actions contrary to company policy. Another threat is the copying of company software and data to personal machines.
It is important to find and identify personal devices, whether to block them, to control what they can access, or simply for record-keeping. Most companies prohibit the use of personal computers to download company email or other documents. Such computers can be kept off the network either by disabling all unused ports on the network switches or by allowing only authorized MAC addresses. This again requires the backing of management; without their support, there is very little one can do.
Using Standard Names and DHCP Leases to Identify Personal Computers
If machine names are not standardized, consider a naming scheme based on the serial number, asset tag or another convenient identifier. This makes it easier to identify machines, owners and locations. You may also need an inventory that maps each device to a user so that you can keep track of what goes out or is replaced.
Implementing a naming standard requires that you physically go to each machine and change its settings. It is a cumbersome process initially, but it makes things easier in the long run. It may also be possible to change the settings through remote access, but this can be a challenge on non-domain machines.
Once you have a naming standard, use the DHCP leases to identify the computers that do not comply with it. If you want to deny them access to the network, get their MAC addresses, find the port on the network switch they are connected to, and disable that port along with any other ports not in use. This prevents users from gaining access to those ports using third-party network scanning tools.
Tools like Spiceworks are useful for identifying the properties of machines connected to the network. However, for the system to recognize what is and is not authorized, standard parameters must be set and implemented on all company computers. The machines will then share identifiable features, such as host names, that distinguish them from personal computers.
Follow the Steps Below to Find the Personal Computers
1. Create a list of all company machines.
You will need to create an asset list of all company computers, both domain-joined and those in workgroups. There are various ways to do this; it is easier if you have administrative rights, otherwise you will have to use other tools. Obtain the list of domain-joined computers by querying Active Directory. It may be simpler to get the list of the company's non-domain computers from the inventory or from IT personnel.
2. Generate a list of both company and personal computers.
Use Spiceworks to scan the network and generate an inventory of all wired and wireless computers. This represents the list of all machines connected to your network.
3. Compare the list of active computers and company computers.
Compare the Spiceworks list with the company computers list to identify the personal computers.
4. Configure for alerts.
Once the system is set up and every machine has been identified as either personal or company-owned, Spiceworks can be configured to notify the admin of any new computer detected on the network.
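The workflow described above (checking DHCP leases against the naming standard, comparing the network scan with the company list, and alerting on machines not seen in the previous scan), as an added Python example that is not part of the original article and uses no Spiceworks or Active Directory API. The naming standard `CO-<asset tag>`, the inventory and the lease export are constructed for illustration; the CSV column names are assumed to follow the IPAddress, ClientId and HostName properties of a DHCP lease export.

```python
import csv
import io
import re

# Assumed naming standard for this example: "CO-" followed by an asset tag.
NAME_PATTERN = re.compile(r"^CO-[A-Z0-9]{4,8}$", re.IGNORECASE)

# Constructed company inventory (hostname -> MAC), as built in step 1 from AD plus the asset list.
COMPANY_INVENTORY = {
    "CO-A1023": "00-11-22-33-44-01",
    "CO-A1024": "00-11-22-33-44-02",
    "CO-B2001": "00-11-22-33-44-03",
}

# Constructed DHCP lease export; column names assumed to match a lease export (IPAddress, ClientId, HostName).
LEASE_CSV = """IPAddress,ClientId,HostName
10.0.1.10,00-11-22-33-44-01,CO-A1023
10.0.1.11,00-11-22-33-44-02,CO-A1024
10.0.1.12,aa-bb-cc-dd-ee-01,DESKTOP-7K2P9
10.0.1.13,aa-bb-cc-dd-ee-02,CO-A1023
10.0.1.14,aa-bb-cc-dd-ee-03,
"""

def parse_leases(text):
    """Return (hostname, mac, ip) tuples from the export; MACs normalised to lowercase."""
    return [(row["HostName"].strip(), row["ClientId"].strip().lower(), row["IPAddress"].strip())
            for row in csv.DictReader(io.StringIO(text))]

def classify(leases, inventory, pattern=NAME_PATTERN):
    """Sort leases into compliant company machines and suspected personal devices.
    A lease is compliant only when its name follows the standard AND its MAC matches the
    inventory entry for that name; a standard-looking name on an unknown MAC is flagged
    separately, because a hostname alone is trivial to set and proves nothing."""
    inv = {name.lower(): mac.lower() for name, mac in inventory.items()}
    result = {"compliant": [], "unknown": [], "name_mismatch": []}
    for host, mac, ip in leases:
        if host and pattern.match(host) and inv.get(host.lower()) == mac:
            result["compliant"].append((host, mac, ip))
        elif host and pattern.match(host):
            result["name_mismatch"].append((host, mac, ip))
        else:
            result["unknown"].append((host, mac, ip))
    return result

def new_devices(previous_macs, leases):
    """MACs present in this scan but absent from the previous one (the 'new machine' alert)."""
    return sorted({mac for _, mac, _ in leases} - set(previous_macs))

if __name__ == "__main__":
    print(classify(parse_leases(LEASE_CSV), COMPANY_INVENTORY))
```

Feed the real lease export and the real inventory in place of the constructed strings; the three buckets are what a repeated scan should report, and `new_devices` is the list worth an alert.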
Allowing Limited Access for Personal Computers
Personal computers can be connected to a company network if they adhere to company policies with regard to the software they have, their use and what they can access. In addition, the owners will be required to have effective security software and virus-free machines.
Companies can allow personal computers to connect to the network, but only through a virtual private network rather than directly. The machines are then allowed limited functionality, such as internet access, but not access to the company servers and data. Mobile devices can be allowed to connect through Mobile Device Management (MDM) platforms, which can be configured to disable certain settings on the devices, such as access to app stores.
Sometimes there is a way to authorize only specific, approved computers, either by whitelisting their MAC addresses or by other control methods, such as manually installing a certificate on the machine.
There are various ways of identifying personal computers that connect to a company network, but a few prerequisites apply. One needs a record of all company computer names or MAC addresses, and some network administrative rights are required to perform certain of the activities.
To identify the personal computers, create a list of all active computers on the network. You can simply use the directory listing in Explorer or scan with a third-party tool such as Spiceworks. Comparing the list of active machines with the known record of company machines will reveal the personal computers, because their parameters will differ from those of the company computers.
This may need to be repeated several times a month to catch new additions. It can be done manually or by configuring Spiceworks or another third-party program to send an alert whenever it detects a new machine on the network.