There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in, turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address. All the DHCP server is, is a helper; it doesn't give you network access, it helps you find it. This type of thing needs to be controlled either at the network level, where the switches say "sorry, you can't route packets anywhere but this private secured network", or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine/Network Access Protection/etc. It is not a simple whip-out-in-an-hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't; this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.

I would recommend going to Google, typing in "network quarantine" and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, February 03, 2006 7:55 PM
To: [email protected]
Subject: RE: [ActiveDir] Getting better control over DHCP

Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the "network savvy" person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed. If something like this is possible, I would like to have a more concrete solution. But thank you very much for your reply.

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck

I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a lease, but not be able to see anybody. The only downside to that would be that the network savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range.

HTH - Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin

Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.

Thanks,
Edwin
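An added example, not from any of the posters: an audit that takes Marc's reservation list (authorized MAC to hostname) and the domain's computer accounts, as Edwin asked about, and flags lease-log entries that do not fit. The lease log, reservation list and computer names are constructed for this example, and the comments carry the thread's caveat that both the MAC and the hostname are client-controlled, so this is triage, not access control.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): a reservation allow-list
# (MAC -> expected hostname), the computer accounts that exist in the domain,
# and a few DHCP lease-log entries as (ip, mac, client-reported hostname).
RESERVATIONS = {
    "00-11-22-33-44-55": "WS-FINANCE01",
    "00-11-22-33-44-66": "WS-HR02",
}
DOMAIN_COMPUTERS = {"WS-FINANCE01", "WS-HR02", "SRV-FILE01"}
LEASE_LOG = [
    ("10.0.1.10", "00-11-22-33-44-55", "WS-FINANCE01"),   # matches its reservation
    ("10.0.1.11", "00:11:22:33:44:66", "ws-hr02"),        # same, other MAC/case style
    ("10.0.1.50", "aa-bb-cc-dd-ee-ff", "VISITOR-LAPTOP"),  # no reservation, not in AD
    ("10.0.1.10", "00-11-22-33-44-55", "UNKNOWN-PC"),     # reserved MAC, other name
]


def normalize_mac(mac):
    """Accept 00:11:.. and 00-11-.. spellings and compare case-insensitively."""
    return mac.lower().replace(":", "-")


def audit_leases(lease_log, reservations, domain_computers):
    """Return {(ip, mac, hostname): [reasons]} for each entry that needs a look.

    Both the MAC and the hostname (DHCP option 12) are supplied by the client,
    so a clean result proves nothing; findings are triage hints, not access
    control, which is why the thread points at NAC/quarantine instead.
    """
    reservations = {normalize_mac(m): h.upper() for m, h in reservations.items()}
    domain_computers = {h.upper() for h in domain_computers}
    names_per_mac = defaultdict(set)
    for _, mac, host in lease_log:
        names_per_mac[normalize_mac(mac)].add(host.upper())
    findings = {}
    for ip, mac, host in lease_log:
        mac_n, host_n = normalize_mac(mac), host.upper()
        reasons = []
        if mac_n not in reservations:
            reasons.append("unknown-mac")
        elif reservations[mac_n] != host_n:
            reasons.append("reserved-mac-wrong-host")
        if host_n not in domain_computers:
            reasons.append("not-a-domain-computer")
        if len(names_per_mac[mac_n]) > 1:  # one MAC, several names: spoof hint
            reasons.append("mac-seen-with-multiple-names")
        if reasons:
            findings[(ip, mac, host)] = reasons
    return findings
```

Feed it a real export of leases and reservations and it will also flag the legitimate host whose MAC was copied, which is the right outcome: both sides of a duplicated MAC deserve a look.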