On Mon, Mar 30, 2009 at 08:31, John Hornbuckle
<[email protected]> wrote:
> The Auditor General's office has asked us how we prevent the introduction of 
> unauthorized DHCP/DNS servers on our network.
>
> Well, we kinda don't.
>
> How do you guys accomplish this? From the research I've done, there's no easy 
> way to do it.

Uh, the articles I sent were about detection, not prevention. Sorry.

However, I believe your observation is basically correct - it's not
really possible.

I had one engineer (a *manager*, fer crying out loud) fire up his
personal Linksys router and start ambushing innocent workstations with
bad DHCP reservations on his subnet - TWICE!

Aside from deploying policies that whitelist installable software and
deny all others, and locking down the ports in your switches to known
MAC addresses, there's not a lot you can do, aside from closing the
interval between installation and detection.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to