Re: Allow DHCP only to Client Computers?



On Mar 7, 11:08 am, Jon-Alfred Smith <jon...@xxxxxxxxxxxxxxxx> wrote:
> On Fri, 7 Mar 2008 09:16:56 -0600, "Les Connor [SBS MVP]"
> <les.con...@xxxxxxxxxxxx> wrote:
>> AFAIK, there's no way to prevent a machine plugged into your physical
>> network from getting an address from DHCP, short of turning off DHCP.
>
> Just wondering. Don't have the time to experiment with it right now.
> Couldn't you achieve such a thing with IPSec?
>
> Set the DHCP server to require certificate-based IPSec on UDP ports 67
> and 68 and to allow unsecured communication on all other ports. Set
> all clients to respond only through a domain group policy.
>
> jas

Your ideas sound very interesting. Thanks for your thoughts on
this. The setclass method may work. It sounds simple and pretty easy
to set up, the only thing that may throw this one a little bit, would
be assigning the classid to the adaptor - if the adaptor has a
different name (like Local Network Connection (1)), or for wireless
laptops with multiple Network adaptors. Hmmm. Maybe could write a
script to push out by GPO that would assign this classid to all the
adaptors on the client. This is probably sniffable, and would be easy
to get around, if the evil user knew what they were doing, but I think
we are mostly trying to stop nearby wireless users in other offices
from trying to steal internet access. This is being considered for
cases like we (well, client) recently had where WAP reset to factory
defaults and has thus allowed SBS to hand out IPs to these non-legit
users.

We don't need encrypted communications (the IPSEC method), but if
it would accomplish both at the same time that would be fine too I
suppose. I'm not so good at setting up IPSEC stuff though so I'd need
help in figuring out how to set that up. How would that come into play
with users coming in via VPN or Remote Desktop? Especially if the
computers they are connecting with are not in the domain.

Andrew