Re: stop DHCP
From: Stuart Mackie [MCSE MCSA] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 02/18/05
- Next message: Allen M: "Re: Recommended Real-Time Blacklists (RBL) sites"
- Previous message: ChipW: "Allocated Memory Alerts, Services Randomly Stopping"
- In reply to: Louie: "stop DHCP"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 18 Feb 2005 23:40:10 -0000
Hi Louie. This type of problem arises quite often in the Win2k3 newsgroups.
Unfortunately, since computers need network details before they can
communicate on the network, it isn't possible to restrict DHCP to domain
computers only. Limiting the scope of DHCP and reserving IPs for MAC
addresses will provide some relief because these rogue systems won't
automatically be provided with network details, but anyone could configure
their own IP address manually and again have access to the network.

There are a number of other solutions to consider:

1. One of the most effective solutions is to use IPSec AH (authentication
only, so no encryption overhead). Enabling IPSec on your server and
workstations will only allow domain computers to communicate with each
other. With this solution IPSec has to be configured to provide
unrestricted access for DHCP, DNS and any network equipment that doesn't
support IPSec. This means that any computer will be able to communicate
with DHCP and DNS, and rogue computers will still be 'connected' to the
network, but they will be unable to communicate with any of your domain
computers or gain access to the internet. Microsoft calls this Domain
Isolation.
Documentation on configuring IPSec can be found at www.microsoft.com/ipsec/

2. You could use switches which support 802.1x authentication. In this
case the authentication has to take place before any access is provided to
the network. Unfortunately this isn't without problems. 802.1x
authentication has a known flaw related to the authentication only
taking place once, prior to connection; once connected, packets aren't
signed, etc. A rogue system could take over the IP and MAC address of an
authenticated system, giving it access to the network.

3. Similar to reserving IPs for specific MAC addresses and using a DHCP
scope with the exact number of network computers, you could make use of DHCP
Classes. DHCP Classes allow you to set up a class field on your DHCP scope.
Workstations are then configured with this class, and when requesting network
details from your DHCP server they provide this class, which then tells the
DHCP server which scope to use. If a rogue workstation connects to the
network without the correct class, it will not be assigned any network
details. Again, this is not a secure solution and is easily overcome.
Q240247 (http://support.microsoft.com/kb/240247/EN-US/) and Q235272
(http://support.microsoft.com/default.aspx?scid=kb;en-us;235272) have
instructions on configuring this on a Win2k DHCP server.

From a security point of view, the main solution which requires only the time
to configure it is IPSec. One stage further would be to use IPSec with
802.1x switches in an attempt to keep the rogue systems off altogether,
with the peace of mind of IPSec AH between authorised systems.
--
Hth,
Stuart Mackie
www.stu.uk.com
MCSA: & MCSE: Security

"Louie" <Louie@discussions.microsoft.com> wrote in message news:4209C64A-3866-41BE-B0AB-B7F29FCE0E79@microsoft.com...
> Hi, I would like to know if anyone knows how I would stop IPs from being
> given out. This is what I want to do, if possible: if the PC or notebook is
> not part of the domain then they will not get an IP. I have an SBS 2003 that
> has a DHCP server on it, and that's the only DHCP in the domain; this is the
> only way the IPs are given out. What can I do?
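The reply above points out that reservations and a tightly sized scope only give "some relief", since a rogue host can still take an address. What a defender can do on the DHCP side is at least see which leases are not accounted for. The script below is an added example, not code from the thread or from Microsoft: it pulls the lease table for one scope, marks each lease as reserved or not and as belonging to a domain computer account or not, and lists the remainder for review. It assumes the DhcpServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later with RSAT, so not the SBS 2003 box in the question); the server name and scope ID are placeholders to replace.

```powershell
# Added example (not from the newsgroup post). Assumes the DhcpServer and
# ActiveDirectory modules are available; the server name and scope are placeholders.
param(
    [string]$DhcpServer = 'dhcp01.example.local',   # placeholder DHCP server
    [string]$ScopeId    = '192.168.1.0'             # placeholder scope
)

Import-Module DhcpServer
Import-Module ActiveDirectory

# Lookup of every computer account in the domain, keyed by short host name.
# DHCP leases record the name the client sent, usually without the DNS suffix.
$domainHosts = @{}
Get-ADComputer -Filter * | ForEach-Object { $domainHosts[$_.Name.ToLower()] = $true }

# Reservations are the addresses deliberately assigned to known MAC addresses.
$reserved = @{}
Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $reserved["$($_.ClientId)".ToLower()] = $true }

# Annotate every lease in the scope.
$report = foreach ($lease in Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId) {
    $clientId = "$($lease.ClientId)".ToLower()
    $short    = ("$($lease.HostName)" -split '\.')[0].ToLower()
    [pscustomobject]@{
        IPAddress   = $lease.IPAddress
        ClientId    = $lease.ClientId
        HostName    = $lease.HostName
        AddressState = $lease.AddressState
        Reserved    = $reserved.ContainsKey($clientId)
        DomainHost  = ($short -ne '') -and $domainHosts.ContainsKey($short)
        LeaseExpiry = $lease.LeaseExpiryTime
    }
}

# Leases that are neither reserved nor attributable to a domain computer account.
$unknown = $report | Where-Object { -not $_.Reserved -and -not $_.DomainHost }
$unknown | Sort-Object IPAddress | Format-Table -AutoSize

# Optional follow-up: turn leases of known domain hosts into reservations so the
# dynamic part of the scope can be shrunk. -WhatIf reports the change without making it.
# $report | Where-Object { $_.DomainHost -and -not $_.Reserved } | ForEach-Object {
#     Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
#         -IPAddress $_.IPAddress -ClientId $_.ClientId -Name $_.HostName -WhatIf
# }
```

Run it from a management host with the RSAT modules installed and rights on the DHCP server and the domain. Treat the output as an inventory check rather than an access control: as the reply notes for 802.1x, a machine that copies an authorised host's MAC address and name will look like that host here too, which is why the thread's recommendation remains IPSec AH between domain members for the actual enforcement.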