
DHCP Security

Status
Not open for further replies.

seerockcity

IS-IT--Management
Sep 8, 2006
20
US
I am looking to configure my DHCP server (2003 SBS) so that it only assigns IP addresses to MAC addresses that are on our network. How do I do this? I know how to create a reservation and such. Is this the same thing? Thanks in advance!!
 
Sure there must be a better way to do this, but...

if you have, say, 10 reservations (192.168.0.1 through to 192.168.0.10), you could right click on your scope and select properties, then enter the start IP (192.168.0.1) and your end IP (192.168.0.10) for distribution. This way there would be no more IP addresses for distribution as the only ones available would be reserved.

However, this approach would not stop someone from manually entering the correct TCP/IP info on a computer and hence having access to the network. Does anyone know how to overcome this problem?

Thanks

 
I have never heard of or seen a way to limit the Microsoft DHCP server like this OTHER than using reservations and limiting the scope. In addition, as dotobi points out, all one has to do is enter the correct IP info manually and they get on your network.

If you want this type of security, you're probably better off using a Linux DHCP server or possibly some of the DHCP servers built into manageable switches/routers like Cisco's. Note: you CAN use other DHCP servers with Active Directory, you just have to make sure they give out correct information.
 
To answer your original questions: yes, limit your scope to 10 addresses and create a reservation for each address.

To go beyond your topic and address other questions raised: there are also devices that limit access to the network to clients that have a certificate. The protocol standard that defines this is 802.1X if you want to Google for devices that support it. You can also read more about it here:


The article is mainly about wireless connections, but it also applies to wired.

And here:

One thing you could do (after researching the particulars and their effects) is switch on the 802.1X capability that is in XP (turned on by default) and 2003 Servers and enforce certificated encryption of all communication on your network. That might still allow someone to use your router, but you should also be able to specify a narrow range of addresses on your router that are able to use it. Some routers allow you to limit access by MAC address.

All this to say, you may already have the materials you need to make your network unusable for someone who plugs into it, even if they assign an IP that's in your subnet.

ShackDaddy
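Added example, not posted by anyone in this thread: a defender-side check for the gap dotobi and the others point out, a host that sets its own static address and so never touches the DHCP server. It assumes a constructed reservation list (IP to MAC) copied from the 2003 DHCP console and a constructed `arp -a` capture from the server, and it flags reserved addresses in use by a different MAC as well as MACs that appear in no reservation.

```python
import re

# Constructed sample: reservations for a scope limited to 192.168.0.1-10,
# as an admin would read them off the DHCP console (IP -> MAC).
RESERVATIONS = {
    "192.168.0.1": "00-11-22-33-44-01",
    "192.168.0.2": "00-11-22-33-44-02",
    "192.168.0.3": "00-11-22-33-44-03",
}
SCOPE = ("192.168.0.1", "192.168.0.10")

# Constructed `arp -a` output as seen from the server: one reserved host
# behaving, an unknown MAC squatting on a reserved address, and an unknown
# MAC on a static address outside the scope range.
ARP_OUTPUT = """\
Interface: 192.168.0.254 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-01     dynamic
  192.168.0.2           aa-bb-cc-dd-ee-02     dynamic
  192.168.0.50          aa-bb-cc-dd-ee-50     dynamic
"""

# One ARP entry: dotted IP, dash-separated MAC (Windows format), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)

def ip_key(ip):
    """Sortable/comparable form of a dotted IPv4 address."""
    return tuple(int(o) for o in ip.split("."))

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output; header lines are skipped."""
    return {m.group(1): m.group(2).lower()
            for m in map(ARP_LINE.match, text.splitlines()) if m}

def audit(arp, reservations, scope):
    """List (ip, mac, reason) for hosts that do not match the reservations."""
    lo, hi = map(ip_key, scope)
    known_macs = {mac.lower() for mac in reservations.values()}
    findings = []
    for ip, mac in sorted(arp.items(), key=lambda kv: ip_key(kv[0])):
        reserved = reservations.get(ip, "").lower()
        if reserved and mac != reserved:
            findings.append((ip, mac, "reserved address in use by a different MAC"))
        elif mac not in known_macs:
            where = "inside" if lo <= ip_key(ip) <= hi else "outside"
            findings.append((ip, mac, f"unknown MAC, static address {where} the DHCP range"))
    return findings

if __name__ == "__main__":
    for ip, mac, why in audit(parse_arp(ARP_OUTPUT), RESERVATIONS, SCOPE):
        print(f"{ip:15} {mac}  {why}")
```

Run it periodically against a fresh `arp -a` from the server (or a switch's MAC table) to catch hosts that sidestep the DHCP reservations.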
 
In theory, you could also limit your infrastructure equipment to allow traffic from certain MAC addresses.

Seems like a lot of admin overhead, though.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 