Question about DHCP Security

[bbbngowc]

I have an 2003 AD Domain using Windows DHCP. I would like to reconfigure the security of the network so that only authenticated computers get's an IP Address from the DHCP Server.

Anyone know how I can go about doing that?

[nitroshift]

Unfortunately, I don't think you can. When logging into a pc, it MUST have a valid IP address to communicate with the server in order for the credentials to be verified in AD. Remember, DHCP allocates an IP as soon as windows starts up on the client pc. One way to do it is to make reservations in DHCP based on the MAC addresses of the pc's that connect to the server and set the pool size to the number of pc's that will be in use.

[bbbngowc]

Thanks for responding Nitro. I'm aware that the Client request IP Address as soon as it boots. I was curious to know if there's a way to only offer IP Addresses to computers that are approved without using the mac associations.

[CoffeeFiend]

I don't see what problem this will solve anyways. Anyone can just set the IP manually regardless. Not quite sure why you want to do this.

Perhaps what you want is 802.1x? (assuming you want to protect network against unauthorized access)

[RogueSpear]

If your biggest concern is actually the security of your servers, you can configure IPsec in group policy. But as far as actual DHCP security goes, nitroshift's suggestion is the best I would come up with as well. In fact I've done just that in very small environments. Everything gets a DHCP reservation and the reservations make up the entire pool. This way you can at least push down network config changes (DNS server assignments for example) if need be.

DHCP by nature uses broadcasts, so if you wanted to completely eliminate any communication with unauthorized hosts you would need to configure the DHCP server to only accept packets from a white list of MAC addresses. But that's starting to get into the realm of micromanaging.

[nitroshift]

If your biggest concern is actually the security of your servers, you can configure IPsec in group policy. But as far as actual DHCP security goes, nitroshift's suggestion is the best I would come up with as well. In fact I've done just that in very small environments. Everything gets a DHCP reservation and the reservations make up the entire pool. This way you can at least push down network config changes (DNS server assignments for example) if need be.

DHCP by nature uses broadcasts, so if you wanted to completely eliminate any communication with unauthorized hosts you would need to configure the DHCP server to only accept packets from a white list of MAC addresses. But that's starting to get into the realm of micromanaging.

Thanks Rogue

Edited October 5, 2006 by nitroshift