Re: Group policy to restrict who Receives an IP from DHCP???



DHCP is not a good security mechanism, though you can use reservations that
map IP addresses to MAC addresses. However, I have heard of users trying such,
and the DHCP server issued out reserved IP addresses that were not in use if
there were no more addresses in the DHCP scope, and it will not stop users from
configuring their own TCP/IP info if they are local administrators or can
become [authorized or not] local administrators.

Other solutions would be at the switches. Many managed switches [some HP
ProCurves, for example] offer MAC port filtering and 802.1X port
authentication. The switches usually have a "memorize" feature that can
lock a single MAC address to a port and close currently unused ports. Of
course, MAC addresses can be spoofed also, but it does raise the bar for
entrance and can help draw the line between a determined and a malicious user
for disciplinary action. 802.1X is more complex to configure and requires
capable switches, compatible operating systems, a PKI, and an IAS server on the
network, which Microsoft servers can do.

http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm --- info on 802.1X.

IPsec may be something to look at. Only Windows 2000/2003/XP Pro computers
are IPsec capable. In a domain, an IPsec policy can be configured as
"required" on a domain computer, and then only domain computers with a
compatible IPsec policy could access that computer with the require policy.
IPsec, however, takes careful planning and testing, and domain controllers must
be exempt from IPsec-negotiated traffic with domain members, as domain
controllers do the Kerberos authentication for the domain, which is the
default computer authentication mechanism for IPsec.

http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
-- link to IPsec information.

While you can use IPsec to protect domain computers, it is more difficult to
prevent Internet access by non-authorized users, as they generally only need
a default gateway if port filtering/authentication is not possible. A
solution for such could be a Microsoft ISA Server on the network that would
act as the Internet gateway. Access to the ISA Server could possibly be
restricted with IPsec or by requiring domain computers to be using the
Firewall Client for the ISA Server.

As far as your last question on support level, I can't help you with that.
The answer will vary widely depending on the environment and commitment to
quality of service by those that manage the budget. In schools that level
tends to be lower than when customers are part of the equation. There is
also the problem that most employers know there are many eager, qualified
people who would be willing to take your place for the paycheck, because the
supply of IT workers is much more than the demand currently, sorry to
say. --- Steve


"BoneMan" <BoneMan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:51CF49B7-29D3-4209-BBFD-4CFBE3D3D762@xxxxxxxxxxxxxxxx
> Ok, I'm in a school. We run our network with DHCP; this means anyone can
> connect a laptop to our system and get an IP and start surfing the
> internet and connect any virus-infected PC to our network. Can I restrict
> DHCP to only issue IPs to domain member computers, or am I looking at this
> from the wrong angle??? Basically I want to stop everyone and his dog from
> getting a net connection. Remember this is a school and pupils will try
> everything, that includes attempted server hacks and sniffer programmes
> etc etc, you get the picture. Sorry for the typo in the title of my last
> post. Many thanks in advance. By the way, does Microsoft have figures for
> the amount of support a server or client needs in terms of percentage of
> employee time? I alone run 5 servers (Windows 2000, AD, Web, SQL, Terminal,
> Firewall), 500 user accounts, 220 PCs and 28 printers etc etc. How many
> people should it take to support a system this size, which is used 6 solid
> days a week??? Many thanks in advance.
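The reply above points out two ways DHCP reservations fall short as an access control: the server may hand a reserved but idle address to whoever asks once the scope is exhausted, and nothing stops an unlisted device from leasing an address in the first place. The following audit script is an added example, not code from this thread or from Microsoft, that reads a lease table and reports both symptoms: leases held by MACs with no reservation, and reserved IPs leased to a MAC other than the one reserved for them. The lease lines and the reservation table are constructed for the example, and the "ip,mac,hostname" format is an assumption rather than the layout of any real DHCP export. As the reply notes, a spoofed MAC passes this kind of check, so the output is an inventory aid for spotting "everyone and his dog", not proof of identity.

```python
"""Audit a DHCP lease table against the scope's MAC reservations.

Added example (not from the original thread). Reports:
  * unknown_mac            - lease held by a MAC with no reservation
  * reservation_mismatch   - reserved IP leased to a different MAC
Sample data and the 'ip,mac,hostname' line format are constructed
for this example and are not any real DHCP server's export format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def normalize_mac(mac: str) -> str:
    """Reduce a MAC to 12 lowercase hex digits so that
    '00-0C-29-AA-BB-01' and '00:0c:29:aa:bb:01' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# Constructed sample lease table (one lease per line: ip,mac,hostname).
SAMPLE_LEASES = """\
# ip,mac,hostname
10.0.1.20,00-0C-29-AA-BB-01,LAB-PC-01
10.0.1.21,00-0C-29-AA-BB-02,LAB-PC-02
10.0.1.22,00-1a-2b-3c-4d-5e,mylaptop
10.0.1.23,00-0C-29-AA-BB-04,LAB-PC-04
"""

# Constructed reservations: reserved IP -> MAC it is reserved for.
SAMPLE_RESERVATIONS: Dict[str, str] = {
    "10.0.1.20": "00:0c:29:aa:bb:01",
    "10.0.1.21": "00:0c:29:aa:bb:02",
    "10.0.1.23": "00:0c:29:aa:bb:03",  # reserved for LAB-PC-03, not LAB-PC-04
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "unknown_mac" or "reservation_mismatch"
    ip: str
    mac: str        # normalized form
    hostname: str
    detail: str


def parse_leases(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'ip,mac,hostname' lines, skipping blanks and '#' comments.
    Malformed lines raise rather than being dropped silently, so a
    truncated export cannot masquerade as a clean audit."""
    leases: List[Tuple[str, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'ip,mac,hostname', got {raw!r}")
        ip, mac, host = parts
        leases.append((ip, normalize_mac(mac), host))
    return leases


def audit(leases: List[Tuple[str, str, str]],
          reservations: Dict[str, str]) -> List[Finding]:
    """Return one Finding per problem. A single lease can produce both
    kinds: an unknown MAC sitting on somebody else's reserved address."""
    reserved_by_ip = {ip: normalize_mac(mac) for ip, mac in reservations.items()}
    known_macs = set(reserved_by_ip.values())
    findings: List[Finding] = []
    for ip, mac, host in leases:
        if mac not in known_macs:
            findings.append(Finding("unknown_mac", ip, mac, host,
                                    "MAC holds no reservation in this scope"))
        expected = reserved_by_ip.get(ip)
        if expected is not None and expected != mac:
            findings.append(Finding("reservation_mismatch", ip, mac, host,
                                    f"address is reserved for {expected}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the audit over the constructed sample data."""
    return audit(parse_leases(SAMPLE_LEASES), SAMPLE_RESERVATIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:22} {f.ip:12} {f.mac} {f.hostname:10} {f.detail}")
```

On the sample data this flags `mylaptop` as an unknown MAC and `LAB-PC-04` twice: once as unknown, once for squatting on the address reserved for LAB-PC-03, which is the scope-exhaustion behaviour the reply describes. Feed it a real lease export and the scope's reservation list and the same two checks apply; pair it with the switch-port MAC lock the reply mentions if you want the finding to point at a physical port rather than just a lease.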
