how to prevent unauthorized machine from receiving DHCP

mmac

Is it possible to prevent users from hooking a laptop into a LAN port and
then receiving DHCP? I am about to have someone host a training session and I
want to make sure he doesn't set up all these machines on the network and put me
at risk.
The last time I had such a problem was when he hooked up a wireless access
point in his office and people outside noticed their wireless notebooks were
able to browse the internet.
I could get rid of DHCP and go static but since he knows the subnet that
wouldn't work for long. He can't join machines to the domain but I don't even
want them to have connectivity.
I can't fire the guy so how can I make myself the only person that can hook
into the network?
 
Marc Reynolds [MSFT]

DHCP does not have any built in security. You could create reservations for
all of your clients and exclude any unreserved address in your scope. This
way there would not be any available DHCP addresses for unreserved clients.
BUT since the unauthorized user knows your subnet he could still give his
client(s) static IP addresses.
More complicated and expensive is 802.1x authentication which would prevent
access to the network until a client is authenticated, but you need to
purchase hardware (switches) that support this.
The best answer is to have a clear network access policy and enforce it.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
news.microsoft.com

Never done it but just a thought...

1. Make a file containing a list of all your computers that use the DHCP
service and are allowed to use it.
2. Run a periodic script (every 5 / 10 / or whatsoever minutes) that
enumerates the clients currently using the DHCP service and compares them with
your list.
3. Release any DHCP client that is not in your list.

Shai.
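Shai's periodic check, as an added PowerShell example that is not part of the thread. It assumes the DhcpServer module (Windows Server 2012 or later; the thread predates it and would have used netsh dhcp), a hypothetical scope 192.168.10.0, and hypothetical file paths for the allow list and the log.

```powershell
# Added example (not from the thread): audit DHCP leases against an allow list
# of client MAC addresses and, optionally, release the leases that are not on it.
# Assumptions: DhcpServer module (Windows Server 2012 or later), a hypothetical
# scope 192.168.10.0, and a hypothetical allow-list file with one MAC per line.
Import-Module DhcpServer

$AllowListPath = 'C:\Admin\allowed-macs.txt'   # hypothetical path
$ScopeId       = '192.168.10.0'                # hypothetical scope
$LogPath       = 'C:\Admin\dhcp-audit.log'     # hypothetical path
$ReportOnly    = $true                          # set to $false only after testing

function Get-AllowedMacs {
    param([string]$Path)
    # Normalise every entry to lower-case, dash-separated form (the format
    # Get-DhcpServerv4Lease reports in ClientId) so comparisons are exact.
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and -not $_.StartsWith('#') } |
        ForEach-Object { ($_ -replace '[:.]', '-').ToLower() }
}

function Find-UnauthorizedLeases {
    param([string]$ScopeId, [string[]]$AllowedMacs)
    # Only active leases matter; expired or declined entries hold no client.
    Get-DhcpServerv4Lease -ScopeId $ScopeId |
        Where-Object { $_.AddressState -like 'Active*' } |
        Where-Object { $AllowedMacs -notcontains $_.ClientId.ToLower() }
}

$allowed = Get-AllowedMacs -Path $AllowListPath
$rogue   = Find-UnauthorizedLeases -ScopeId $ScopeId -AllowedMacs $allowed

foreach ($lease in $rogue) {
    # Record the lease before touching it: it is the only trace of the device.
    $line = '{0} {1} {2} {3}' -f (Get-Date -Format s), $lease.IPAddress,
                                   $lease.ClientId, $lease.HostName
    Add-Content -Path $LogPath -Value $line
    Write-Warning "Unlisted DHCP client: $line"
    if (-not $ReportOnly) {
        # Releasing the lease only stops the server from renewing it; the client
        # keeps its address until the lease expires and can request again or go
        # static (as Marc noted), so treat this as an audit aid, not access control.
        Remove-DhcpServerv4Lease -IPAddress $lease.IPAddress
    }
}
```

Run it from a scheduled task at the 5 or 10 minute interval Shai suggests, leaving `$ReportOnly` on until the log shows only the devices you expect.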
 
Steven Umbach

In addition to what Marc suggested, you can use ipsec on W2K/XP Pro computers to
protect domain machines. For instance a machine configured with an ipsec require
policy would refuse communications from a computer that could not authenticate
via kerberos within the forest. Ipsec incurs overhead, but it would be a lot
less if just AH is used instead of ESP [encryption] and AH [authentication]. Also
ipsec does not work well between domain members and domain computers and is not
officially supported, so you would want to exempt traffic to and from domain
controllers and domain members with a rule that uses the ip addresses of the
domain controllers. Of course any non ipsec aware client such as NT or W9X could
not communicate with a computer requiring ipsec negotiation. Be SURE to test out
ipsec policies before implementing as unexpected results can occur.

Another possibility is to use ipsec "filtering" or firewall rules to prevent
access of these computers to the internet gateway. If you did go static, you
could configure just your range of computers to pass outbound traffic to the
internet or, if that is not possible for some reason, at least use ipsec filtering
so that they cannot access your internal dns server [probably domain
controller] and maybe none of your computers. Ipsec, either filtering or ESP/AH
traffic, can be applied to domain computers via Group Policy. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949