Group policy to restrict who Recieves an IP from DHCP???

[Guest]

Ok I,m in a school, we run our network with DHCP, this means anyone can
connect a laptop to our system and get an IP and start surfing the internet
and connect any virus infected PC to our network. Can I restrict DHCP to only
issue IP's to Domain member computers or am I looking at this from the wrong
angle??? Basically I want to stop every one and his dog from getting a net
connection. Remember this is a school and pupils will try everything, that
includes attempted server hacks and sniffer programmes etc etc you get the
picture Sorry for the typo in the title of my last post. Many thanks in
advance.By the way does Microsoft have figures for the amount of support a
server or client needs in terms of percentage of employee time. I alone run
5 servers Windows 2000, AD, Web, SQL,Terminal,Firewall 500 user accounts 220
PC's and 28 printers etc etc. How many people should it take to support a
system this size, which is used 6 solid days a week??? Many thanks in advance.

 

[Simon Geary]

There is no Group Policy to restrict who can get a DHCP address but you can
use MAC address restrictions on the DHCP server so that addresses will only
be given out to specific network cards. Requires a bit of work beforehand to
collect all the MACs though.
As for the second question, no I don't believe they have. As every network
is different that's the sort of question that only you can answer I think

 

[Guest]

Many thanks Simon I will start slowly collecting and labeling Mac addresses
on machines.On the other hand the more smart Students could type in a fixed
IP and still connect providing there is no IP conflict. Hmmm I think this
needs more thought thanks for your suggestion I will consider the mac address
method.

Mike

 

[Steven L Umbach]

DHCP is not a good security mechanism though you can use reservations that
map IP addresses to mac addresses. However I have heard of users trying such
and the DHCP server issued out reserved IP addresses that were not in use if
there were no more addresses in the DHCP scope and will not stop users from
configuring their own tcp/ip info it they are local administrators or can
become [authorized or not] local administrators.

Other solutions would be at the switches. Many managed switches [some HP
Procurves for example] offer mac port filtering and 802.1X port
authentication. The switches usually have a "memorize" feature that can
lock a single mac address to a port and close currently unused ports. Of
course mac addresses can be spoofed also but it does raise the bar for
entrance and can help draw the line between determined and malicious user
for disciplinary action. 802.1X is more complex to configure and requires
capable switches, compatible operating systems, PKI, and IAS server on the
network which Microsoft Servers can do.

http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm --- info on 802.1X.

Ipsec may be something to look at. Only Windows 2000/2003/XP Pro computers
are ipsec capable. In a domain an ipsec policy can be configured as
"required" on a domain computer and then only domain computers with a
compatible ipsec policy could access that computer with the require policy.
Ipsec however takes careful planning and testing and domain controllers must
be exempt from ipsec negotiated traffic with domain members as domain
controllers do the kerberos authentication for the domain which is the
default computer authentication mechanism for ipsec.

http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
-- link to ipsec information.

While you can use ipsec to protect domain computers, it is more difficult to
prevent internet access to non authorized users as they generally only need
a default gateway if port filtering/authentication is not possible. A
solution for such could be a Microsoft ISA server on the network that would
act as the internet gateway. Access to the ISA server could possibly be
restricted with ipsec or by requiring domain computers to be using the
firewall client for the ISA server.

As far as your last question on support level, I can't help you with that.
The answer will vary widely depending on the environment and commitment to
quality of service by those that manage the budget. In schools that level
tends to be lower than when customers are part of the equation. There is
also the problem in that most employers know there are many eager qualified
people who would be willing to take your place for the paycheck because the
supply of IT workers is much more then the demand currently sorry to
ay. --- Steve

 

[lforbes]

Many thanks Simon I will start slowly collecting and labeling
Mac addresses
on machines.On the other hand the more smart Students could
type in a fixed
IP and still connect providing there is no IP conflict. Hmmm I
think this
needs more thought thanks for your suggestion I will consider
the mac address
method.

Mike

Hi,

I had this same problem. The neat thing is you "Can" just go into
DHCP and export your Address List to get a list of all the Mac
Address. I do this all the time.

Basically what I do is a check my DHCP regularly and make a note of
any machines that are Not allowed in my network. I then take their Mac
Address and assign them an IP of 172.16.10.0 or 172.16.11.0 DHCP won’t
let you do a registration of an IP that is out of the scope. However,
with the 0 it is not an active IP so it doesn’t work.

Cheers,

Lara