Limiting DHCP


Ken Robinson

We have an open environment where there are a lot of
people always coming and going. We are also a 24/7
operation. I have a problem where people are unplugging
network equipment at night, plugging in a laptop, and
getting internet access over my T1. My question is, is
there a way in Windows 2000 Advanced Server DHCP to limit
the machines that are allowed to get an address from
DHCP, maybe by authorized MAC address?
 
This was just discussed here a day or two ago, see link below that talks
about managed or 802.1x switches, DHCP reservations, or intrusion detection
software. I think you also need to look into some sort of signed user
policy prohibiting such with enforced consequences. I have been self
employed for fifteen years, but remember the day where we would not dare
doing such with company equipment because those that did were severely dealt
with. --- Steve

http://tinyurl.com/ymnj
 
Hello Ken,
If Internet access is your main concern you can setup a proxy server and
enforce authentication to access the internet. Auditing will also give you
data on who's circumventing your policies.

297922 HOW TO: Provide Internet Access Through a Firewall in Internet
Security
http://support.microsoft.com/?id=297922

This posting is provided "AS IS" with no warranties, and confers no rights.
 
You can absolutely set up static mac-to-IP address mappings in Windows DHCP,
the main problem in large environments being the overhead and the
inconvenience to users that have to call first to get you to reconfigure
DHCP to get an IP. Also, controlling DHCP does nothing to prevent someone
from choosing a static IP to gain access. Another solution might be to
configure something like "port security" on your switch ports so that only
mac address X can use port Y.

The usual answer to this is either:

1) to use DHCP reservations on the server to bind a particular MAC address /
NIC card to a particular IP address [which might be a lot of work for the
administrator to do if the network was large],

2) use a network IDS product to monitor MAC address to IP address mappings
[which would possibly generate a lot of false alarms and extra work and
would just be detective and not preventative] or

3) use some form of per-user authentication at the switch, proxy server or
firewall.

You could consider a third party authentication product that automatically
puts new users into a DMZ until the product confirms their patch level,
policy settings and/or antivirus. I've heard a suggestion that the Windows
2003 Quarantine server feature could be modified to work for users on your
LAN, and companies like Sygate might have a solution to do this as well.
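The monitoring approach in point 2 above, written out as an added example that is not from the thread: a Python check that compares observed ARP entries against the DHCP reservation list, flagging MACs with no reservation as well as reserved IPs that are in use by a different MAC (the static-IP bypass mentioned above). The ARP output and reservation table are constructed samples, and MAC notations (dash, colon, Cisco dot) are normalized before comparison.

```python
import re

# Constructed sample: Windows `arp -a` style output captured on a monitoring host.
SAMPLE_ARP = """\
Interface: 192.168.10.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.1          00-0c-29-aa-bb-01     dynamic
  192.168.10.20         00-0c-29-aa-bb-20     dynamic
  192.168.10.21         00-50-56-ff-ee-dd     dynamic
  192.168.10.99         08-00-27-12-34-56     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

# Constructed reservation table (IP -> MAC) as exported from the DHCP server;
# mixed notations on purpose, since exports and switch output rarely agree.
RESERVATIONS = {
    "192.168.10.1": "00:0c:29:aa:bb:01",
    "192.168.10.20": "000C.29AA.BB20",
    "192.168.10.21": "00-0c-29-aa-bb-21",
}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def parse_arp(text):
    """Yield (ip, mac) for each ARP entry, skipping the broadcast address."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            mac = normalize_mac(m.group(2))
            if mac != "ffffffffffff":
                yield m.group(1), mac

def audit(arp_text, reservations):
    """Return (finding, ip, mac) tuples for entries that do not match a reservation."""
    by_ip = {ip: normalize_mac(m) for ip, m in reservations.items()}
    known = set(by_ip.values())
    findings = []
    for ip, mac in parse_arp(arp_text):
        if ip in by_ip and by_ip[ip] != mac:
            findings.append(("reserved-ip-hijacked", ip, mac))  # static IP on a reserved address
        elif mac not in known:
            findings.append(("unknown-mac", ip, mac))  # device with no reservation at all
    return findings
```

As the post notes, this is detective rather than preventative: it tells you which port to go look at, it does not stop the laptop from getting an address.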
 