I just started a job at a ski resort, and we have some unique problems. Our infrastructure is not physically secure; the switches are scattered all over the mountain, and many employees have physical access to the network hardware. They would not log in to anything or change configurations, but they would plug in just fine. There are many employees who literally live in their office. These people want internet, and will do anything to get it. Our DSL connection has been revoked by CenturyLink many times for illegal downloads.
The guy I am replacing dealt with it this way: no DHCP, static addresses for EVERYTHING, a class C subnet (currently maxed out at 254), and disabling unused ports on each switch. The idea was, if someone randomly chose a static IP, he would get an address conflict, so he would know someone was on the network. However, he had no way to track this person down other than wandering around looking for suspicious laptops.
I'm looking at a few different ways to handle this, but I'm not going to mention them; I'd rather just hear some ideas on how other admins would handle it.
Goals:
1) Can't get network access without authorization. (Over 100 workstations.) Wireless is a separate issue, let's not talk about it now.
2) Restrict internet access to office use: bandwidth is precious up here, we beam in 15up/15down for the whole mountain. Video streaming kills us.
3) Can't keep getting in trouble for torrents and piracy.
Info: Cisco ASA 5510, Cisco 1841, HP ProCurve 2650, 2850, 2626 smart switches, over 100 desktops on AD domain, mostly XP, a few Win 7, Server 2008 R2.
*EDIT* Forgot to mention, all the POS running XP are not on the domain. There is an RFID gate system tied into these POS machines, but on a different subnet.
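As an added example (not from the poster or any answer), here is a small script aimed at the gap in the predecessor's scheme, knowing a stranger is on the wire but not where: it parses MAC-address-table dumps from each switch, ignores uplink ports, and reports every MAC that is not in an authorised inventory together with the switch and port it was learned on. The inventory, the switch names, the uplink list and the plain "mac port" dump format are all assumptions with constructed sample data; a real run would feed it the output of each switch's MAC table command.

```python
"""Locate unknown hosts by switch port from MAC-table dumps (added example)."""
import re
from collections import defaultdict

# Hypothetical authorised inventory: MAC -> (static IP, owner). Constructed sample.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("192.168.1.10", "front-desk-pc"),
    "00:1a:2b:3c:4d:02": ("192.168.1.11", "lift-ops-pc"),
}

# Constructed MAC-table dumps, one per switch. Assumed format: "<mac> <port>" per
# line; this is not any vendor's exact output, adapt the regex to your switch.
MAC_TABLES = {
    "sw-lodge-1": """
00:1a:2b:3c:4d:01 1
00:1a:2b:3c:4d:02 2
aa:bb:cc:dd:ee:ff 7
""",
    "sw-summit-2": """
aa:bb:cc:dd:ee:ff 3
""",
}

# Uplink/trunk ports learn every MAC behind them, so they must be excluded or
# each unknown host would appear on every switch between it and the core.
UPLINKS = {("sw-summit-2", "3")}

LINE_RE = re.compile(r"^\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s*$", re.I)


def parse_table(text):
    """Return [(mac, port), ...] from a dump; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2)))
    return entries


def find_unknown(mac_tables, authorized, uplinks):
    """Map each unauthorised MAC to the edge (switch, port) pairs it was seen on."""
    seen = defaultdict(list)
    for switch, text in mac_tables.items():
        for mac, port in parse_table(text):
            if (switch, port) in uplinks or mac in authorized:
                continue
            seen[mac].append((switch, port))
    return dict(seen)


if __name__ == "__main__":
    for mac, places in find_unknown(MAC_TABLES, AUTHORIZED, UPLINKS).items():
        print(mac, "->", ", ".join(f"{sw} port {p}" for sw, p in places))
```

Pairing this with the existing "disable unused ports" practice gives a concrete port to shut (and a physical location to check) instead of a walk around the mountain.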