Re: DHCP lease to Domain members only
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 20 Sep 2006 22:17:10 -0500
"Rich L" <RichL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:059CE40A-F1D9-4E94-9E63-1BBEB9E2AA1A@xxxxxxxxxxxxxxxx
Is there a way - or group policy - or anything I can do to lock down the DHCP
server so that it only gives IP's out to those computers whose computer
accounts are registered in the Active Directory?
No, not practically, but there are other ways to accomplish
this if you are serious enough (time and effort).
DHCP is a promiscuous service that is neither specific to
domain, OS, version or anything else particularly.
1) First way to fake it: Give every station a Reservation so
that no one with an unidentified NIC (MAC address) can
get one -- it's not truly secure but will stop casual abuse.
2) Set up a "User ClassID" on your DHCP server
scopes and give it to your client machines with
"ipconfig /setclassid".
3) Then override the DEFAULT but TERRIBLE settings on
the DHCP scope options with "ClassID options." (DNS,
Default Router, etc.) It's not secure either but it might
discourage them.
4) Install truly secure hubs/switches which use something
like PEAP, Certificates etc. to authenticate clients before
allowing network access.
5) Best but obnoxious to set up for this: IPSec and only
grant access to your network for those who can authenticate
using either domain (computer) account or certificate. This
doesn't actually address the DHCP issue but it is the most
secure. Combine with one or two of the others to get the
full effects.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
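
Steps 2 and 3 of the reply above, sketched with the DhcpServer PowerShell module (Windows Server 2012 and later) as an added example that is not part of the original post. The scope, addresses, class name and adapter name are assumed values.

```powershell
# Added example: every value below is an assumption for illustration.
Import-Module DhcpServer

$ScopeId   = '10.0.0.0'      # assumed scope
$ClassName = 'CorpClients'   # assumed User Class name
$ClassData = 'CorpClients'   # string the client sends in DHCP option 77
$Router    = '10.0.0.1'      # working gateway (assumed)
$Dns       = '10.0.0.10'     # working DNS server (assumed)
$DeadEnd   = '10.0.0.254'    # unused address for unclassified clients (assumed)

# Step 2: define the User Class on the server if it is not there yet.
if (-not (Get-DhcpServerv4Class -Type User | Where-Object Name -eq $ClassName)) {
    Add-DhcpServerv4Class -Name $ClassName -Type User -Data $ClassData `
        -Description 'Managed domain workstations'
}

# Step 3a: clients that present the class get working router/DNS options.
# -Force skips the reachability check on the DNS server address.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName `
    -Router $Router -DnsServer $Dns -Force

# Step 3b: the default (no class) scope options point at an address that
# routes and resolves nothing, so an unclassified client still gets a lease
# but cannot leave the subnet or look up names with what DHCP handed it.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId `
    -Router $DeadEnd -DnsServer $DeadEnd -Force

# Review both option sets side by side.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName

# On each managed client, from an elevated prompt ("Ethernet" is assumed):
#   ipconfig /setclassid "Ethernet" CorpClients
#   ipconfig /renew "Ethernet"
#   ipconfig /showclassid "Ethernet"
#
# The class ID is sent unauthenticated and in cleartext in every DHCP
# request, and a client can set its gateway and DNS by hand, so this only
# discourages; items 4 and 5 are what actually enforce access.
```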