bbbngowc Posted September 26, 2006
I have a 2003 AD domain using Windows DHCP. I would like to reconfigure the security of the network so that only authenticated computers get an IP address from the DHCP server. Anyone know how I can go about doing that?

nitroshift Posted September 27, 2006
Unfortunately, I don't think you can. When logging into a PC, it MUST have a valid IP address to communicate with the server in order for the credentials to be verified in AD. Remember, DHCP allocates an IP as soon as Windows starts up on the client PC. One way to do it is to make reservations in DHCP based on the MAC addresses of the PCs that connect to the server and set the pool size to the number of PCs that will be in use.

bbbngowc (Author) Posted September 27, 2006
Thanks for responding, Nitro. I'm aware that the client requests an IP address as soon as it boots. I was curious to know if there's a way to only offer IP addresses to computers that are approved without using the MAC associations.

CoffeeFiend Posted September 27, 2006
I don't see what problem this will solve anyways. Anyone can just set the IP manually regardless. Not quite sure why you want to do this.
Perhaps what you want is 802.1x? (assuming you want to protect the network against unauthorized access)

RogueSpear Posted September 27, 2006
If your biggest concern is actually the security of your servers, you can configure IPsec in group policy. But as far as actual DHCP security goes, nitroshift's suggestion is the best I would come up with as well. In fact I've done just that in very small environments. Everything gets a DHCP reservation and the reservations make up the entire pool. This way you can at least push down network config changes (DNS server assignments for example) if need be.
DHCP by nature uses broadcasts, so if you wanted to completely eliminate any communication with unauthorized hosts you would need to configure the DHCP server to only accept packets from a white list of MAC addresses. But that's starting to get into the realm of micromanaging.

nitroshift Posted October 5, 2006
> If your biggest concern is actually the security of your servers, you can configure IPsec in group policy. But as far as actual DHCP security goes, nitroshift's suggestion is the best I would come up with as well. In fact I've done just that in very small environments. Everything gets a DHCP reservation and the reservations make up the entire pool. This way you can at least push down network config changes (DNS server assignments for example) if need be.
> DHCP by nature uses broadcasts, so if you wanted to completely eliminate any communication with unauthorized hosts you would need to configure the DHCP server to only accept packets from a white list of MAC addresses. But that's starting to get into the realm of micromanaging.
Thanks Rogue
Edited October 5, 2006 by nitroshift

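As an added example (not code from any poster in this thread): a Python check of a Windows DHCP Server audit log against the MAC allow-list that the reservation approach in the posts above implies, reporting leases handed to machines that hold no reservation. The log lines, MAC addresses and host names are constructed; the seven-column layout and event IDs 10, 11, 14 and 15 are assumed to match the server's DhcpSrvLog audit file.

```python
import csv
import io

# Event IDs as documented in the Windows DHCP Server audit log header.
LEASE_EVENTS = {"10": "new lease", "11": "renewal"}
REFUSED_EVENTS = {"14": "pool exhausted", "15": "lease denied"}

# Constructed allow-list: MACs of the machines that hold a reservation.
ALLOWED_MACS = {"00-0D-60-A1-B2-C3", "00:11:25:4F:9E:01"}

# Constructed sample log (ID,Date,Time,Description,IP,Host,MAC).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,09/27/06,08:00:01,Started,,,
10,09/27/06,08:14:22,Assign,192.168.10.21,ws-acct01,000D60A1B2C3
11,09/27/06,09:02:10,Renew,192.168.10.22,ws-hr02,0011254F9E01
10,09/27/06,09:40:37,Assign,192.168.10.57,laptop-guest,0016CB77D210
15,09/27/06,10:05:03,NACK,192.168.10.60,,00A0C9123456
"""


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 upper-case hex digits."""
    return "".join(c for c in mac.upper() if c in "0123456789ABCDEF")


def audit(log_text, allowed_macs):
    """Return (verdict, event, ip, host, mac) for MACs not on the allow-list."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # column header, banner text or truncated line
        event, ip, host = row[0].strip(), row[4], row[5]
        mac = normalize_mac(row[6])
        if not mac or mac in allowed:
            continue  # service events carry no MAC; known hosts are fine
        if event in LEASE_EVENTS:
            findings.append(("LEASED", LEASE_EVENTS[event], ip, host, mac))
        elif event in REFUSED_EVENTS:
            findings.append(("REFUSED", REFUSED_EVENTS[event], ip, host, mac))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ALLOWED_MACS):
        print(*finding)
```

A host that sets its IP manually never appears in this log, so the check covers only DHCP clients; that is the gap CoffeeFiend's 802.1x suggestion addresses.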