DHCP And Security

Gary

If I have DHCP running on a DC (Server 2000) and the workstations' TCP/IP
properties are set to "Let IP address assigned automatically" as well as the
DNS, will a foreign (not authorised on the Domain) computer having the same
TCP/IP settings be denied access to an IP Address on the LAN and then the
Internet?
Is there a way to assign IP Addresses to member computers of the domain only?

TIA
 
Richard G. Harper

Unfortunately, a foreign computer on your network will be able to use your
DHCP server and obtain basic TCP/IP connectivity, and there is no way to
prevent this using Microsoft Server software. Many switches and routers can
either permit or block access by MAC address though.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Steven L Umbach

DHCP cannot be used as an effective security mechanism. Using switches that
can manage access based on MAC addresses can help, and many have an
auto-memorize feature that can make this a pretty easy process, which will
keep out the idle curious. More determined users can spoof MAC addresses, and
something like using 802.1X authentication for switches would be much more
secure, though it requires compatible operating systems, the use of a
Certificate Server and an IAS server on the network, all of which Windows
2000 can do.

Another option would be to implement an IPsec policy on the domain
requiring computers to authenticate with another computer before access is
allowed. IPsec is a somewhat complex topic and should not be implemented
without a good understanding of it and testing.

Blocking internet access is difficult since all the computer needs is a
default gateway. You would need something like ISA Server, which is a proxy
server and firewall that is the default gateway for the network. ISA 2004,
for instance, can require user authentication before allowing internet
access. --- Steve
 
Gary

I was thinking of implementing ISA Server anyway for a new Exchange setup and
to create a tighter rein on the VPNs, so this answers the question of how to
lock out foreign computers. The problem is we have guests arrive now and again
who need the net to check mail on their base servers. I suppose I could set up
a one-time access in ISA Server to allow them in, but they don't have to be
part of our domain. Can this be done?

On DHCP, I gather this is on the same level as TCP/IP itself, where
authentication requires a higher level of kit as found only in OSs. Is NetBIOS
a similar access pattern? IPsec... more overheads... another day!
 
Steven L Umbach

Yeah. DHCP does not require any sort of computer authentication and largely
uses broadcasts. ISA 2004 is extremely powerful. Not all internet access has
to be user authenticated for ISA, you can specify that in each access rule.
You could for instance have a rule that allows access to mail servers or
protocols but requires user authentication for http/https. Give ISA 2004 a
try as you can try it for free for 120 days by downloading from Microsoft. I
recently posted my review of Tom Shinder's ISA 2004 at Amazon if you want to
read my thoughts on ISA 2004. --- Steve
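The two points Steve makes above (a DHCP client is never authenticated, and a MAC allow list on a switch or DHCP server stops only the idle curious because a MAC is trivially cloned) can be seen directly in the wire format. The following is an added example written for this page, not code from the thread or from any Microsoft product: it builds DHCPDISCOVER messages from constructed values, parses them back with a minimal BOOTP/DHCP option parser, and runs a MAC allow list over them. The MAC addresses, hostnames and transaction ID are made up. Every field the parser extracts (chaddr, option 61 client identifier, option 12 hostname) is chosen by the sender, which is why a foreign machine that copies a member's MAC is admitted exactly like the member.

```python
"""Added example: DHCPDISCOVER builder/parser showing that every identity field
in a DHCP message is client-supplied, so a MAC allow list admits a spoofer."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie after the 236-byte BOOTP header
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 12, 53, 61, 255
DHCPDISCOVER = 1


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_discover(mac: str, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER. Nothing here is signed or verified; the client
    picks chaddr, the client-id option and the hostname option freely."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0,
    # flags with the broadcast bit set, then ciaddr/yiaddr/siaddr/giaddr all zero.
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac_bytes(mac).ljust(16, b"\0")   # 16-byte hardware address field
    sname_file = b"\0" * (64 + 128)            # unused server name / boot file fields
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_CLIENT_ID, 7, 1]) + mac_bytes(mac)   # type 1 = Ethernet + MAC
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
               + bytes([OPT_END]))
    return header + chaddr + sname_file + DHCP_MAGIC + options


def parse_dhcp(pkt: bytes) -> dict:
    """Minimal parser for the fields a server or filtering switch could key on."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    chaddr = pkt[28:28 + hlen]
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "hostname": opts.get(OPT_HOSTNAME, b"").decode(errors="replace"),
        "client_id": opts.get(OPT_CLIENT_ID, b"").hex(),
    }


def mac_allow_list_admits(pkt: bytes, allowed_macs: set) -> bool:
    """What a MAC-filtering switch or a reservation-only DHCP scope effectively
    does: trust the hardware address the sender wrote into the packet."""
    return parse_dhcp(pkt)["mac"] in allowed_macs


def demo() -> dict:
    # Constructed data: one domain member's MAC that the switch has "memorized".
    allowed = {"00:0c:29:4f:8e:35"}
    member = build_discover("00:0c:29:4f:8e:35", "WKSTN01")
    stranger = build_discover("00:50:56:c0:00:08", "laptop")
    spoofer = build_discover("00:0c:29:4f:8e:35", "laptop")   # same laptop, cloned MAC
    return {
        "member": mac_allow_list_admits(member, allowed),     # True
        "stranger": mac_allow_list_admits(stranger, allowed), # False
        "spoofer": mac_allow_list_admits(spoofer, allowed),   # True: indistinguishable
    }


if __name__ == "__main__":
    print(parse_dhcp(build_discover("00:0c:29:4f:8e:35", "WKSTN01")))
    print(demo())
```

The allow list rejects the stranger and admits the spoofer, which is the gap between "keeps out the idle curious" and actual authentication. Nothing in the message gives the server or switch a fact the client cannot forge, so the remedies in the thread all work by authenticating the host somewhere other than DHCP: 802.1X at the switch port before any frame is forwarded, IPsec policy between hosts after addressing, or a proxy like ISA that authenticates the user before routing traffic out.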
 
Gary

Hi Steven,

Read the review on Amazon, made it very clear to me which way to go. Your
review of the book and ISA was concise and to the point, well done.

Now to seek a machine to run it on....
 