[SOLVED] Lock Down Ethernet Dongle to Only One System?

[cray47]

I work in a secured and air-gapped facility, where we do not allow any internet access on our SecureNet domain. The only way to access the internet directly from a local system is by having a dedicated system on our OpenNet domain. One domain can not see the other.

The issue I am seeing is many laptops do not have on-board Ethernet and many people have USB Ethernet dongles. The possible security issue is that one could take a dongle that was registered to an OpenNet system and plug it into a computer only meant to be on the SecureNet. This would expose any and all data on that SecureNet system to the outside.

My question is, is there any way to lock down an Ethernet dongle to a specific machine? The problem I see is that they are generally plug-and-play and do not care what system they are plugged in to. I am just trying to figure out a way that one of these dongles could be locked down, so that moving it from one computer to another, would not work.

Even if it meant buying a specialized Ethernet dongle with the capability to lock it down to a particular computer. I would appreciate any input or ideas for this.

Thanks!

 

[USAFRet]

Unsure of what the specific commands would be, but a GPO on the 'secured' system to disable use of those dongles and ethernet in general.

Don't lock the dongle to specific systems, instead, prevent the secure systems from using one.

 

[kanewolf]

You need to lock the USB down on the secure machines rather than the dongles. You don't want USB storage or network adapters to be possible unless it is a privileged user with admin access. Those accesses would be logged.

This should be handled py group policies in the Windows domain.

 

[bill001g]

It is going to be really hard since you can generally change the MAC address with a simple option so there is no way to really know what hardware is being used.

I am no expert in microsoft domain but from using machines in a large corporation I know they can be locked by things like certificates installed on the machine and/or the security is based on a user login where a person can use any machine with his credentials. This is all part of microsofts domain manager.

I know the certificate method kept any device that was not authorized from even connecting to the network. They were using 802.1x on the switches to even prevent a device from getting a IP address.

 

[cray47]

Thanks all, these answers kind of confirm my suspicions. There really is no way to allow a laptop to use only one specified dongle, or for an Ethernet dongle to be linked to one machine and not function if inserted into a different system.

I have been parroting this to the higher powers here as this being a huge security hole for a facility so intent on being air-gapped and protected from the outside.

 

[bill001g]

This tends to be why USB ports and any other form of removable media are locked on machines that need to be secured. This can be done by group policy settings but I do not know the details since this was always done by the server guys not the network team.

 

[Wrecker75]

This is WELL above my head and my post will be more likely for my education than helpful, but wouldn't the address on the computer that the dongle it plugged into be different?

Edit: reread the other part, basing this scenario on it being an employee... Wouldn't they still have to drag a wire with internet access over to the secure machine which shouldn't have functional usb ports?