Re: Limit DHCP addresses



Hi Trevor,

Currently there is no easy way of doing this. You get a DHCP IP by
broadcasting the need for an IP. DHCP was not designed with the goal of
assigning IP addresses to only specific computers (or devices) but to any
device that requests it.

There are a few solutions out there -- but more or less all of them (can) cost
quite a bit - the first one to mention is 802.1x, where you authenticate the
computer on the switch port. For this to work you need a switch that supports
authentication and enough ports to connect every PC to one of these ports.
Next, you need to set up a RADIUS server and certificates etc... In the end you
need clients that know how to work with 802.1x (e.g. Windows 2000 SP4 or
later).

Another option would be to build an IPSec policy. In this case you use your
existing infrastructure (if you have Active Directory set up). What the
policy defines is that only computers joined to the domain can talk among
themselves. Any computer that is not a member of the domain (or that does not
have an appropriate certificate) will not be able to talk to other computers
that are members of the domain. When I do this for a customer, I usually also
disable access to the Internet from clients that are not members of the
domain... If a user still brings a computer to the network, the computer will
get an IP address assigned, but it can't talk to anyone.

Mitigating the Threats of Rogue Machines-802.1X or IPsec?
http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx

Another option that should be practiced more often is to not patch all
network outlets -- but only the ones in use.

The last option, which I also highly recommend, is to write a corporate policy
where you prohibit connection of any device that is not the property of your
company to the company network. Of course you must define what the
consequences are, and your management must sign such a policy.

--
Mike
Microsoft MVP - Windows Security

"Dumb Luck" <trevor.christiansen@xxxxxxxxx> wrote in message
news:1136988533.049076.12510@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> DHCP hands out addresses to anyone who asks for it, which could be a
> problem. What I want to try to prevent is unauthorized computers from
> accessing the network and using the internet resources. How can I do
> that? Network: NT4 network (still, I know!). XP workstations.
>
> Thanks,
> Trevor
>

