Restricting DHCP to specific users


Posted

We often have users at branch offices bringing their laptops from home. As always, these systems pose a security risk.

How can I have my DHCP server NOT assign IP addresses to these untrusted users?

OR

Is there a way so that these users get a different IP address and I can move them to a different VLAN?

Thank you for your help.

Guest Anthony
Posted

Re: Restricting DHCP to specific users

Neil,

You can't do it directly in DHCP. Your options, in order:

1) Limit the number of IP addresses in the pool, and give a fixed reservation to all the machines you want to connect. Then anything else will not get an address.

2) Assign the ports on the switch to specified MACs. You can also create a separate VLAN connected only to the internet, and connect other ports to this one.

3) Set up a wireless network with connection only to the internet. Assign all ports on the switch to allowed computers.

4) Cisco Network Admission Control, or similar.

5) Windows Server 2008 Network Access Protection.

Hope that helps,

Anthony, http://www.airdesk.com
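As an added example (not from Anthony's post or from any product he mentions), the following Python checks option 1 from the DHCP server's side: it reads a Windows DHCP activity log and flags any lease or renewal granted to a MAC that is not in the reservation list, and counts the scope-full refusals, which is what an unreserved laptop produces once every address in the pool is reserved. The log lines, MACs and host names are constructed; the column layout assumed is the CSV header the activity log itself prints (ID,Date,Time,Description,IP Address,Host Name,MAC Address).

```python
"""Audit a Windows DHCP server activity log against the reservation list."""
import csv
import re
from collections import Counter

# Windows DHCP audit-log event IDs (from the log's own legend):
# 10 = new lease, 11 = renewal, 14 = request refused because the scope was full.
EVENT_NEW_LEASE, EVENT_RENEW, EVENT_SCOPE_FULL = "10", "11", "14"

# Constructed reservation list: the only MACs that should ever get an address.
RESERVED_MACS = {"00:19:d1:aa:bb:01", "00:19:d1:aa:bb:02"}

# Constructed sample in the layout of a DhcpSrvLog-*.log file. Hosts and MACs are invented.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/10/09,08:00:01,Started,,,
10,03/10/09,08:12:33,Assign,10.20.1.21,BR1-LT-0042.corp.example,0019D1AABB01
11,03/10/09,08:15:10,Renew,10.20.1.22,BR1-LT-0043.corp.example,0019D1AABB02
10,03/10/09,08:41:07,Assign,10.20.1.40,neils-laptop,001C23EEFF02
14,03/10/09,09:02:44,Scope Full,,,00E04C112233
14,03/10/09,09:03:01,Scope Full,,,00E04C112233
"""


def normalize_mac(raw: str) -> str:
    """Turn '0019D1AABB01' or '00-19-d1-aa-bb-01' into '00:19:d1:aa:bb:01'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        return raw.strip().lower()  # keep odd values visible instead of hiding them
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_audit_log(text: str) -> list[dict]:
    """Return one dict per event row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        # Event rows start with a two-digit ID followed by a comma.
        if not (line[:2].isdigit() and line[2:3] == ","):
            continue
        fields = next(csv.reader([line]))
        if len(fields) < 7:
            continue
        rows.append({
            "id": fields[0], "date": fields[1], "time": fields[2],
            "description": fields[3], "ip": fields[4], "host": fields[5],
            "mac": normalize_mac(fields[6]),
        })
    return rows


def audit(rows: list[dict], reserved: set[str]) -> dict:
    """Leases handed to non-reserved MACs mean the pool is not fully reserved;
    scope-full refusals show which unknown devices are asking."""
    leaks = [r for r in rows
             if r["id"] in (EVENT_NEW_LEASE, EVENT_RENEW) and r["mac"] not in reserved]
    refused = Counter(r["mac"] for r in rows if r["id"] == EVENT_SCOPE_FULL)
    return {"leaks": leaks, "refused": refused}


if __name__ == "__main__":
    result = audit(parse_audit_log(SAMPLE_LOG), RESERVED_MACS)
    for r in result["leaks"]:
        print(f"LEAK    {r['date']} {r['time']} {r['ip']} -> {r['mac']} ({r['host']})")
    for mac, n in result["refused"].items():
        print(f"REFUSED {mac} x{n}")
```

Run it against the current activity log after the reservations are in place: a non-empty leak list means the pool still has free addresses or a reservation is missing. A laptop whose owner types in a static address never appears in this log at all, so the check covers DHCP clients only.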

 

 

 


Guest The_Nite_Owl
Posted

Re: Restricting DHCP to specific users

My company does not restrict IP address assignment, but all the network resources require domain authentication to access them. Any device that has not been added to the domain and logged into with a domain account cannot access domain resources. They still get internet access and can get to any non-domain-restricted locations like drives shared off other individuals' PCs, but for the most part that is locked down as well.

 

Posted

Re: Restricting DHCP to specific users

What happens if somebody with malware or a virus plugs into the network? That computer won't need to authenticate to exploit vulnerabilities on your network. What happens if somebody plugs a WAP into the network? Will you know?

You'll want to keep them off your network with port security, endpoint security, VLANs, etc. We use port security because it's cheap but effective. We're then alerted in real time when the port goes disabled because an unauthorized device was plugged in.

Best practice is to use multiple layers of security to protect your network.

Good luck

Roger
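An added example, not part of Roger's post, of the alerting he describes: a Python parser for switch syslog that turns Cisco-style port-security violation messages into alerts and correlates each with the err-disable event that follows when the violation mode is shutdown (a violation with no err-disable line usually means the port is in restrict mode and is still up). The message bodies follow the Cisco IOS PORT_SECURITY and PM formats; the switch names, ports, MACs and timestamps are constructed, and a real collector may prefix lines differently, so adjust the prefix pattern to match yours.

```python
"""Turn switch port-security syslog into alerts, correlating err-disable events."""
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of Cisco IOS PORT_SECURITY / PM messages
# as a syslog collector might store them. Switch names, ports and MACs are invented.
SAMPLE_SYSLOG = """\
<188>Mar 10 08:41:02 br1-sw01 1234: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0019.d1aa.bb01 on port FastEthernet0/17.
<189>Mar 10 08:41:02 br1-sw01 1235: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/17, putting Fa0/17 in err-disable state
<190>Mar 10 08:41:05 br1-sw01 1236: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to down
<188>Mar 10 09:02:44 br2-sw03 5510: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001c.23ee.ff02 on port GigabitEthernet0/3.
<189>Mar 10 09:15:00 br1-sw01 1240: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Optional syslog PRI, collector timestamp, reporting switch, optional IOS sequence number.
_PREFIX = (r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
           r"(?P<switch>\S+)\s(?:\d+:\s)?")
VIOLATION_RE = re.compile(
    _PREFIX
    + r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>[A-Za-z]+\d[\d/]*)\.\s*$")
ERRDISABLE_RE = re.compile(
    _PREFIX
    + r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[A-Za-z]+\d[\d/]*),")


@dataclass
class Alert:
    ts: str
    switch: str
    port: str
    mac: str
    err_disabled: bool = False  # True when the switch shut the port (violation mode "shutdown")


def short_ifname(name: str) -> str:
    """FastEthernet0/17 -> Fa0/17, so long and short forms correlate."""
    m = re.match(r"^([A-Za-z]{2})[A-Za-z]*(\d[\d/]*)$", name)
    return f"{m.group(1)}{m.group(2)}" if m else name


def normalize_mac(cisco_mac: str) -> str:
    """0019.d1aa.bb01 -> 00:19:d1:aa:bb:01"""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_violations(syslog_text: str) -> list[Alert]:
    alerts: list[Alert] = []
    disabled: set[tuple[str, str]] = set()
    for line in syslog_text.splitlines():
        m = ERRDISABLE_RE.match(line)
        if m:
            disabled.add((m["switch"], short_ifname(m["port"])))
            continue
        m = VIOLATION_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], m["switch"], short_ifname(m["port"]),
                                normalize_mac(m["mac"])))
    # Second pass: mark violations whose port the switch actually shut down.
    for a in alerts:
        a.err_disabled = (a.switch, a.port) in disabled
    return alerts


def format_alert(a: Alert) -> str:
    action = "port err-disabled" if a.err_disabled else "port still up (restrict mode?)"
    return f"[{a.ts}] {a.switch} {a.port}: unauthorized MAC {a.mac}; {action}"


if __name__ == "__main__":
    for alert in parse_violations(SAMPLE_SYSLOG):
        print(format_alert(alert))
```

Feed it the collector's live stream (or tail the file) and route `format_alert` output to whatever pages the on-call engineer; the err-disabled flag tells them whether the port must be re-enabled by hand once the device is identified.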

 

 

 

Guest The_Nite_Owl
Posted

Re: Restricting DHCP to specific users

Good question, but I do not know the answer.

The company is large with about 20,000 network users, some in this office, some in others. The turnover of computers is high, with new devices being deployed all the time and, even more often, large numbers of people being moved internally to other locations in the various buildings, so there is no easy method to lock a device to a specific port (if I understand the suggestion) in this type of setup.

There are multiple layers of security involved in our network, but they are handled by other areas.

 

Posted

Re: Restricting DHCP to specific users

I definitely understand that managing security for a large network can be tedious and time consuming, but it's still necessary. Good change management is key.

You should test it for yourself. Grab a machine not on the domain and pretend it's unauthorized. Then run a port scan and check out what's available to you. Did you remember to set a password on every single switch? Every printer? Every router? Do you want any staff (or guest, vendor, audit personnel, etc.) in any of your locations to have this kind of access? Put a WAP on the network and now the kids across the street can run the same scans against you.

Router ACLs, port authentication, port security, endpoint security, etc. can all help reduce risk.

Just something to think about.

Good luck

Roger

 

Posted

Re: Restricting DHCP to specific users

Hi Neil,

The problem with a setup such as this is that the end user can just statically assign an IP address and you'd be stuck with the same risk (and possibly some conflicting IPs). You're better off not letting them on the network at all using some of the methods I mentioned to Nite_Owl.

Port security is a good option, but the end user can spoof the MAC address of the machine they're unplugging if they know what they're up against. A combination of technologies is your best bet.

Good luck

Roger
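Roger's point that a MAC can be copied from the machine being unplugged is where DHCP fingerprinting helps as a detection aid. The following is an added example and not from the thread: it builds and parses DHCPDISCOVER frames and compares the client's option 55 parameter-request list and option 60 vendor class with the fingerprint recorded for that reserved MAC, so a reserved MAC that shows up with a different DHCP client stack is flagged. The baseline fingerprints, MACs and host names are constructed and the parameter lists are illustrative rather than an authoritative OS database. A host given a static address sends no DISCOVER at all, so this complements port security rather than replacing it.

```python
"""Parse DHCPDISCOVER frames and compare each client's DHCP fingerprint with the
one recorded for its reserved MAC, to spot a different host using a borrowed MAC."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_CLIENT_ID, OPT_END = 12, 53, 55, 60, 61, 255

# Constructed baseline: the fingerprint each reserved machine showed when it was enrolled.
# The parameter-request lists are illustrative, not an authoritative OS database.
BASELINE = {
    "00:19:d1:aa:bb:01": {"vendor_class": "MSFT 5.0",
                          "param_list": (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)},
    "00:19:d1:aa:bb:02": {"vendor_class": "MSFT 5.0",
                          "param_list": (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)},
}


def build_discover(mac: str, param_list: bytes, vendor_class: bytes, hostname: bytes,
                   xid: int = 0x3903F326) -> bytes:
    """Assemble a minimal DHCPDISCOVER (constructed test input, not captured traffic)."""
    hwaddr = bytes.fromhex(mac.replace(":", ""))
    # Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,     # BOOTREQUEST, Ethernet, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         hwaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_CLIENT_ID, 7, 1]) + hwaddr
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    if vendor_class:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    opts += bytes([OPT_PARAM_LIST, len(param_list)]) + param_list + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and the TLV options; raise on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    chaddr = packet[28:28 + hlen]
    options: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value               # long-option concatenation (RFC 3396) not handled
        i += 2 + length
    return {
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": options.get(OPT_MSG_TYPE, b"")[:1],
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "param_list": tuple(options.get(OPT_PARAM_LIST, b"")),
    }


def classify(fp: dict, baseline: dict = BASELINE) -> str:
    known = baseline.get(fp["mac"])
    if known is None:
        return "unknown_mac"
    if fp["vendor_class"] != known["vendor_class"] or fp["param_list"] != known["param_list"]:
        return "fingerprint_mismatch"       # same MAC, different DHCP client: likely spoofed
    return "ok"


def demo() -> dict:
    win_list = bytes((1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43))
    dhclient_list = bytes((1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42))
    frames = {
        "reserved_laptop": build_discover("00:19:d1:aa:bb:01", win_list, b"MSFT 5.0", b"BR1-LT-0042"),
        "reserved_mac_other_stack": build_discover("00:19:d1:aa:bb:01", dhclient_list, b"", b"neils-laptop"),
        "unreserved_laptop": build_discover("00:1c:23:ee:ff:02", win_list, b"MSFT 5.0", b"HOME-PC"),
    }
    return {name: classify(parse_dhcp(frame)) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In production the frames would come from a capture on the DHCP server or a SPAN port, and the baseline would be recorded when each machine is enrolled; a mismatch is a reason to look at the port, not proof on its own, since an OS upgrade changes the fingerprint too.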

 


Posted

Re: Restricting DHCP to specific users

What if he were to use 802.1x authentication using an EAP-TLS machine certificate?

 

 


Posted

Re: Restricting DHCP to specific users

I don't know much about that, but I'd say if machine certificates are used and only domain machines with the certs are allowed on the network, then it sounds like a good setup. You just want to make sure you're not just allowing them on your network simply because they authenticate. You want them to be allowed only if they're on approved devices, which is what I assume the machine cert is for.

Like I said, I'm not that familiar with it, but I'd imagine some other type of security would still need to be in place for OSes/printers/devices/terminals that don't support those certs.

Good luck,

Roger

 


Posted

Re: Restricting DHCP to specific users

That's a good point (printers and devices). I've been considering an 802.1x EAP certificate solution. I haven't seen much but theory on it. I guess implementing it with devices that don't support certificates would depend on the switch's capability to exempt a port that has a device that doesn't support certificates. However, this wouldn't help if a rogue user plugged into the exempt port. Perhaps the devices that don't support 802.1x could be placed in a DMZ that doesn't have access to the internal network, but the internal network would have access to the DMZ and those devices. Yeah, that's the ticket.
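As an added example, not from Evan's or Roger's posts, here is the authorization logic an 802.1x RADIUS server would apply in the design sketched above, in Python: an EAP-TLS peer is admitted to the corporate VLAN only if its certificate comes from the corporate CA, carries the client-authentication EKU, is unexpired and names a domain machine rather than a user (Roger's "approved devices", not merely "authenticates"); known non-802.1x devices identified by MAC authentication bypass go to a restricted VLAN (Evan's DMZ); everything else lands on an internet-only guest VLAN. The VLAN is returned as the standard Tunnel-* RADIUS attributes the switch acts on. The CA name, domain suffix, VLAN numbers and printer MAC are assumptions, and the certificate fields are passed in as already-decoded values rather than parsed from DER.

```python
"""Authorization policy for an 802.1X/EAP-TLS port: admit only approved domain
machines, put known non-802.1X devices on a restricted VLAN, and send everything
else to an internet-only guest VLAN. Returns the RADIUS reply the switch would act on."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# RADIUS attributes for dynamic VLAN assignment (RFC 3580 / RFC 2868).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth

CORP_VLAN, RESTRICTED_VLAN, GUEST_VLAN = "10", "200", "900"   # assumed VLAN IDs

# Constructed policy data: issuer DN of a hypothetical corporate CA that issues machine
# certificates, the domain suffix machine-cert subjects carry, and the MACs of
# non-802.1X devices (printers) allowed onto the restricted VLAN by MAC bypass.
CORP_CA_ISSUER = "CN=Corp Issuing CA 1,DC=corp,DC=example"
MACHINE_SUFFIX = ".corp.example"
MAB_ALLOWED = {"00:1c:23:ee:ff:02": "printer-br1-3f"}


@dataclass
class AuthRequest:
    mac: str
    method: str                    # "eap-tls" or "mab"
    cert: Optional[dict] = None    # peer cert fields as already decoded by the RADIUS server


def vlan_reply(vlan: str, reason: str) -> dict:
    return {"code": "Access-Accept", "reason": reason, "attributes": {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-ID": vlan}}


def reject(reason: str) -> dict:
    return {"code": "Access-Reject", "reason": reason, "attributes": {}}


def is_approved_machine_cert(cert: dict, now: datetime) -> Optional[str]:
    """Return None if the certificate is acceptable, else the reason it is not."""
    if cert.get("issuer") != CORP_CA_ISSUER:
        return "certificate not issued by the corporate CA"
    if CLIENT_AUTH_EKU not in cert.get("eku", ()):
        return "certificate lacks client-authentication EKU"
    if now > datetime.fromisoformat(cert["not_after"]):
        return "certificate expired"
    cn = cert.get("subject_cn", "").lower()
    # Machine certs name the host (host.corp.example); user certs name a person or UPN.
    if not cn.endswith(MACHINE_SUFFIX):
        return "authenticated with a user certificate, not a machine certificate"
    return None


def decide(req: AuthRequest, now: Optional[datetime] = None) -> dict:
    now = now or datetime.now(timezone.utc)
    if req.method == "eap-tls":
        if req.cert is None:
            return reject("EAP-TLS without a peer certificate")
        problem = is_approved_machine_cert(req.cert, now)
        if problem:
            return reject(problem)
        return vlan_reply(CORP_VLAN, f"approved machine {req.cert['subject_cn']}")
    if req.method == "mab":
        device = MAB_ALLOWED.get(req.mac.lower())
        if device:
            return vlan_reply(RESTRICTED_VLAN, f"known non-802.1X device {device}")
        return vlan_reply(GUEST_VLAN, "unknown device, internet-only VLAN")
    return reject(f"unsupported method {req.method}")


def demo(now: Optional[datetime] = None) -> dict:
    """Constructed requests covering the cases discussed in the thread."""
    now = now or datetime(2009, 3, 10, 9, 0, tzinfo=timezone.utc)
    machine = {"issuer": CORP_CA_ISSUER, "subject_cn": "BR1-LT-0042.corp.example",
               "eku": [CLIENT_AUTH_EKU], "not_after": "2010-03-10T00:00:00+00:00"}
    user = dict(machine, subject_cn="Neil Bothra")
    expired = dict(machine, not_after="2009-01-01T00:00:00+00:00")
    home = dict(machine, issuer="CN=neils-laptop")
    cases = {
        "domain_laptop": AuthRequest("00:19:d1:aa:bb:01", "eap-tls", machine),
        "user_cert_on_home_laptop": AuthRequest("00:1c:23:ee:ff:03", "eap-tls", user),
        "expired_machine_cert": AuthRequest("00:19:d1:aa:bb:02", "eap-tls", expired),
        "self_signed_home_laptop": AuthRequest("00:1c:23:ee:ff:04", "eap-tls", home),
        "known_printer": AuthRequest("00:1C:23:EE:FF:02", "mab"),
        "unknown_device": AuthRequest("00:e0:4c:11:22:33", "mab"),
    }
    return {name: decide(r, now) for name, r in cases.items()}


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply['code']} {reply['attributes'].get('Tunnel-Private-Group-ID', '-')} ({reply['reason']})")
```

The same policy slots into any RADIUS server that exposes a scripting hook for the post-authentication stage; the point Roger raised is the subject-name check, since a user who enrols a personal certificate from the corporate CA still authenticates successfully but is not on an approved device.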

 

 
