DHCP Security

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

There is no easy way to do this. Clients use broadcasts to discover DHCP
server and there is no authentication process in this.

This would be possible using IEEE 802.1x. "Problem" with this solution is
usually the price and technical implementation. Among other things you need
network switches that support IEEE 802.1x, clients that support it (e.g.
Windows 2000 SP4 or newer operating system) and database to check against
(e.g. active directory). Before client is allowed on the network it has to
authenticate with network switch. If the client sends valid user information
(checked against active directory) the client get e.g. DHCP assigned IP.

There are few more things you can do for safety of your network. Don't patch
all network outlets to your network. Patch only the ones in use. Implement
IPSec. Only computers that are in domain will be able to participate in
IPSec protected network (if you configure it so). So any outside computers
that would be plugged on your network would not be able to attack your
server or infect them with e.g. worms/virus.

You could also implement proxy on your network (e.g. ISA server -- again it
is not cheap solution). This proxy could require domain authentication. If
computer would not be in domain, it could not access internet...

Microsoft is looking into providing secure access on the network, but this
will only be available some time next year and only to the latest version of
Microsoft clients. Again as it looks now, this will only work as long as
clients will use DHCP. If they will manually assign themselves an IP address
they will bypass this network security check...

Network Access Protection
http://www.microsoft.com/windowsse [...] fault.mspx

Mike

"RWD" <ryanwdavis-removetosend-@yahoo.com> wrote in message
news:jJU8d.7467$nj.6535@newssvr13.news.prodigy.com...
> We keep having problems on our WAN with users putting PCs on their local
WAN
> without authorization to do so. Although the PC does not have any access
to
> our Windows network it does have the ability to use other network
resources
> including the internet. I know this probably sounds like a stuid question
> but is there any way to secure DHCP to only work with authorized machines.
> Is there any other way that could limit machines from being connected
> without my authorizeation?
>
> Thanks
> RWD
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you guys for those suggestions.

"RWD" <ryanwdavis-removetosend-@yahoo.com> wrote in message
news:jJU8d.7467$nj.6535@newssvr13.news.prodigy.com...
> We keep having problems on our WAN with users putting PCs on their local
WAN
> without authorization to do so. Although the PC does not have any access
to
> our Windows network it does have the ability to use other network
resources
> including the internet. I know this probably sounds like a stuid question
> but is there any way to secure DHCP to only work with authorized machines.
> Is there any other way that could limit machines from being connected
> without my authorizeation?
>
> Thanks
> RWD
>
>