Posted

I have a 2003 AD domain using Windows DHCP. I would like to reconfigure the security of the network so that only authenticated computers get an IP address from the DHCP server.

Anyone know how I can go about doing that?


Posted

Unfortunately, I don't think you can. When logging into a PC, it MUST have a valid IP address to communicate with the server in order for the credentials to be verified in AD. Remember, DHCP allocates an IP as soon as Windows starts up on the client PC. One way to do it is to make reservations in DHCP based on the MAC addresses of the PCs that connect to the server and set the pool size to the number of PCs that will be in use.

Posted

Thanks for responding, Nitro. I'm aware that the client requests an IP address as soon as it boots. I was curious to know if there's a way to only offer IP addresses to computers that are approved without using the MAC associations.

Posted

I don't see what problem this will solve anyways. Anyone can just set the IP manually regardless. Not quite sure why you want to do this.

Perhaps what you want is 802.1x? (assuming you want to protect network against unauthorized access)

Posted

If your biggest concern is actually the security of your servers, you can configure IPsec in group policy. But as far as actual DHCP security goes, nitroshift's suggestion is the best I would come up with as well. In fact I've done just that in very small environments. Everything gets a DHCP reservation and the reservations make up the entire pool. This way you can at least push down network config changes (DNS server assignments for example) if need be.

DHCP by nature uses broadcasts, so if you wanted to completely eliminate any communication with unauthorized hosts you would need to configure the DHCP server to only accept packets from a white list of MAC addresses. But that's starting to get into the realm of micromanaging.
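
One way to check that a reservation-only pool like the one described above is holding, as an added example that is not part of any poster's reply: scan the DHCP server's audit log for leases handed to MAC addresses outside the approved list. It assumes the comma-separated column layout of the Windows DHCP audit log (ID, Date, Time, Description, IP Address, Host Name, MAC Address) with event IDs 10 and 11 for new and renewed leases; the log lines, host names and allowlist are constructed sample data.

```python
import csv
import io

# Constructed allowlist: the MACs that have DHCP reservations.
APPROVED_MACS = {"00:0d:60:fc:12:34", "00-11-25-AB-CD-EF"}

# Audit-log event IDs that mean an address was actually handed out.
LEASE_EVENTS = {"10": "new lease", "11": "renewed lease"}

# Constructed sample in the audit-log column layout (not real data).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/08,08:00:01,Started,,,
10,03/14/08,08:15:22,Assign,192.168.1.21,WS01.example.local,000D60FC1234
11,03/14/08,09:02:10,Renew,192.168.1.22,WS02.example.local,001125ABCDEF
10,03/14/08,09:40:47,Assign,192.168.1.50,UNKNOWN-LAPTOP,0016CB99887A
"""


def normalize_mac(mac):
    """Reduce a MAC to 12 uppercase hex digits; return None if malformed."""
    digits = "".join(c for c in mac if c not in ":-. ").upper()
    if len(digits) == 12 and all(c in "0123456789ABCDEF" for c in digits):
        return digits
    return None


def unapproved_leases(log_text, approved):
    """Return lease events whose MAC is missing from the approved set."""
    allowed = {normalize_mac(m) for m in approved}
    allowed.discard(None)  # ignore malformed allowlist entries
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip the header, service events and short or blank lines.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        mac = normalize_mac(row[6])
        if mac is None or mac not in allowed:
            findings.append({"event": LEASE_EVENTS[row[0].strip()],
                             "date": row[1], "time": row[2],
                             "ip": row[4], "host": row[5],
                             "mac": mac or row[6]})
    return findings


if __name__ == "__main__":
    for hit in unapproved_leases(SAMPLE_LOG, APPROVED_MACS):
        print("unapproved", hit["event"], hit["ip"], hit["host"], hit["mac"])
```

A clean result only covers addresses the DHCP server handed out; a host with a manually set IP never appears in this log.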

Posted (edited)

Thanks Rogue :thumbup

Edited by nitroshift
