Securing DHCP [Prevent Rogue Wkstns]

  • Thread starter Harry Paratestes

Harry Paratestes

Anyone have good ways to prevent rogue workstations from popping up on their
(wired) network?

We have static IPs for servers, printers and a few mission-critical
workstations. We have a DHCP pool for the rest. Occasionally we have 'guest
laptops' from other company divisions connected to our network. Our
corporate policy allows for official visitors to do this, but the IT
Security shop needs to ensure latest anti-virus and Windows patches are
loaded first. Visitors and/or their sponsors don't always come by to see IT
Security before connecting to the network.

Other than filtering MAC addresses at the switch, is there a way in W2K
Server to filter/limit/restrict MAC or hostnames from getting IPs via DHCP?
via GPO? Or at a minimum, is there a way to get an alert when unknown
MAC/hostname pops up on the network?

HP sends

Steven L Umbach

The only way I know of [other than MAC filtering or 802.1x switches] is to use only
reserved DHCP addresses, which would probably be out of the question for all but the
smallest networks and still would not prevent someone with a static address from getting
access. IPsec negotiation within a forest can be used to at least protect servers
with a require policy, but that would block access to all but W2K or XP workstations,
which would present a problem if you have downlevel clients on the network. There is
a program called arpwatch [non-Windows] that may be of interest, but I have not tried
it myself. --- Steve

http://www.securityfocus.com/tools/142

Karl Levinson [x y] mvp

The usual answer to this is either:

1) to use DHCP reservations on the server to bind a particular MAC address /
NIC card to a particular IP address [which might be a lot of work for the
administrator to do if the network was large],

2) use a network IDS product to monitor MAC address to IP address mappings
[which would possibly generate a lot of false alarms and extra work and
would just be detective and not preventative] or

3) use some form of per-user authentication at the switch, proxy server or
firewall.

You could consider a third party authentication product that automatically
puts new users into a DMZ until the product confirms their patch level,
policy settings and/or antivirus. I've heard a suggestion that the Windows
2003 Quarantine server feature could be modified to work for users on your
LAN, and companies like Sygate might have a solution to do this as well.
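One way to get the "alert when an unknown MAC/hostname pops up" that the original question asks for, along the lines of the arpwatch / network-IDS monitoring suggested in the replies above. This is an added example, not code from the thread, from arpwatch or from any DHCP server; the lease record format, the sample records and the inventory of checked NICs are all constructed for illustration.

```python
import re

# Constructed sample lease records ("<timestamp> <ip> <mac> <hostname>");
# an illustrative format, not any real DHCP server's audit-log layout.
SAMPLE_LEASES = """\
2004-03-01T08:01:02 10.1.1.20 00:0c:29:aa:bb:01 ws-finance-01
2004-03-01T08:02:10 10.1.1.21 00:0c:29:aa:bb:02 ws-finance-02
2004-03-01T09:15:44 10.1.1.22 00:11:22:33:44:55 laptop-guest
2004-03-01T09:20:00 10.1.1.20 00:0c:29:aa:bb:09 ws-finance-01
"""

# Inventory of NICs IT Security has already checked (constructed data):
# MAC -> hostname it was registered under.
KNOWN_MACS = {
    "00:0c:29:aa:bb:01": "ws-finance-01",
    "00:0c:29:aa:bb:02": "ws-finance-02",
}

LEASE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)$",
    re.IGNORECASE,
)


def audit_leases(lease_text, known_macs):
    """Return one alert per record: UNKNOWN-MAC, HOST-MISMATCH or IP-FLIP."""
    alerts = []
    last_mac_for_ip = {}  # arpwatch-style memory of which MAC last held each IP
    for line in lease_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed records
        ts, ip, mac, host = m.groups()
        mac = mac.lower()
        if mac not in known_macs:
            alerts.append(f"{ts} UNKNOWN-MAC {mac} host={host} ip={ip}")
        elif known_macs[mac] != host:
            alerts.append(f"{ts} HOST-MISMATCH {mac} expected={known_macs[mac]} got={host}")
        prev = last_mac_for_ip.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} IP-FLIP {ip} {prev} -> {mac}")
        last_mac_for_ip[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in audit_leases(SAMPLE_LEASES, KNOWN_MACS):
        print(alert)
```

Feeding the real lease or ARP observations into `audit_leases` in place of the constructed sample gives the detective control Karl describes; it does not block anything by itself.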

TIMOTHY WASALSKI

Harry--
I found an easy way to do it. But it takes you and your staff to actively
look out for these rogue nodes. What I did was to create a bogus scope on
the DHCP server that hands out a range of addresses that are not on your
network, say 128.x.x.x. Then, when you monitor and discover an invalid
client by hostname in DHCP, just write down the hostname and MAC address.

Next you wanna open up the DHCP console, scroll down to the scope named
"BOGUS", then open up RESERVATIONS. Right click the RESERVATIONS folder and
choose New Reservation. Then go ahead and add the hostname and MAC address.
That's it!!! No more access for them anywhere on our network.

Let me know if you have any problems and have fun!