breaking the network

Given: a Windows Active Directory domain with multiple departments, all using the same OS image. Users have local admin rights on their own computer, but only "guest" access on community PCs, which use roaming profiles. There is no physical access, BIOS access, or boot device choice on community PCs. Secure wireless is provided, but the first access attempt requires MAC registration. Printing has a cost-tracking system. Bandwidth quotas are in place on a per-user basis.

Problem 1: the same local administrator password is used for all images. Thus users with a dedicated machine can determine their local administrator password (LM hashes are enabled). This allows two routes: admin access to remote PCs (Windows file sharing is turned on) and admin access on community PCs.

Solution: use local admin passwords that are department-specific. While not the perfect solution, it minimizes cross-contamination between departments and introduces relatively low administrative costs.

Problem 2: new devices require MAC address registration. However, since a user can determine the MAC of a community PC (using ipconfig /all), they can introduce a new device and use etherchange to impersonate that community PC. [remember to turn off the community PC to avoid MAC address conflicts]

Problem 3: by using a non-Windows OS, bandwidth quotas based on username are circumvented. This results in either unlimited bandwidth or a drastic reduction to "non-registered user" quotas.

Problem 4: managed switches in use fail over to "hub" mode when flooded with MAC addresses. [That is bad if the attacker is monitoring traffic using driftnet and wireshark.]
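
A defensive check for Problems 2 and 4, added here as an example and not part of the original notes: it reads a switch MAC address table snapshot and flags ports that have learned more addresses than an access port should, and registered community-PC MACs that show up on a port other than their own. The four-column table layout, the port names, the registration map and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in a simplified "vlan mac type port" layout (not real switch output).
SAMPLE_TABLE = (
    "10 0011.2233.4401 dynamic Gi0/1\n"
    "10 0011.2233.4402 dynamic Gi0/7\n"
    "10 0011.2233.4403 dynamic Gi0/3\n"
    + "".join(f"10 02aa.bb00.{i:04x} dynamic Gi0/9\n" for i in range(40))
)

# Constructed registration data: community PC MAC -> the wall port it is cabled to.
REGISTERED = {"0011.2233.4402": "Gi0/2"}

MAX_MACS_PER_PORT = 3  # assumed ceiling for a single access port


def parse_table(text):
    """Yield (mac, port) for each well-formed row; skip headers and blank lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            yield fields[1].lower(), fields[3]


def audit(text, registered, max_per_port=MAX_MACS_PER_PORT):
    """Return (flooded_ports, misplaced_macs) for one table snapshot."""
    macs_by_port = defaultdict(set)
    misplaced = {}
    for mac, port in parse_table(text):
        macs_by_port[port].add(mac)
        expected = registered.get(mac)
        # A fixed community PC seen on another port suggests a cloned address.
        if expected is not None and port != expected:
            misplaced[mac] = (expected, port)
    # Many addresses on one access port is the signature of table flooding.
    flooded = {p: len(m) for p, m in macs_by_port.items() if len(m) > max_per_port}
    return flooded, misplaced


if __name__ == "__main__":
    flooded, misplaced = audit(SAMPLE_TABLE, REGISTERED)
    for port, count in flooded.items():
        print(f"possible MAC flood: {port} learned {count} addresses")
    for mac, (expected, seen) in misplaced.items():
        print(f"registered MAC {mac} expected on {expected}, seen on {seen}")
```

The same per-port ceiling can be enforced on the switch itself where it supports limiting learned addresses per port, which stops the table from filling in the first place.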