
stop DHCP


Louie

Feb 17, 2005, 6:49:02 PM
Hi, I would like to know if anyone knows how I would stop IPs from being
given out. This is what I want to do, if possible: if the PC or notebook is not
part of the domain then it will not get an IP. I have an SBS 2003 that has a
DHCP server on it, and that's the only DHCP in the domain; this is the only way
the IPs are given out. What can I do?

Les Connor [SBS Community Member - SBS MVP]

Feb 17, 2005, 7:25:53 PM
Hi Louie,

How are the 'non domain' computers getting access to the SBS network, i.e.
wired, or wireless, VPN, or ?

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !


"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:4209C64A-3866-41BE...@microsoft.com...

Henry Craven [SBS-MVP]

Feb 18, 2005, 3:25:47 AM
As Les points out, a lot depends upon your network schema, but as a base
principle you'd want to only assign as many IPs as machines, and tie
those to the MAC address of each machine (reservation). Although this
doesn't stop MAC spoofing.

However, If your Security and Authentication Practices are tight, it
shouldn't matter.

What issue are you trying to address ?

--
Henry Craven {SBS-MVP}
CI Information Technology
----------------------------------------------------
Melbourne SBS Users Group
http://groups.yahoo.com/group/melb-SBSusers/


"Louie" <Lo...@discussions.microsoft.com> wrote in message
news:4209C64A-3866-41BE...@microsoft.com...

Louie

Feb 18, 2005, 11:35:14 AM
Well, they get their IPs from DHCP on the LAN, i.e. "wired".

Les Connor [SBS Community Member - SBS MVP]

Feb 18, 2005, 11:40:34 AM
So what are you saying, Louie? That people are bringing in non-domain
computers and connecting to your lan? I'd recommend some form of physical
security first ;-).

But as Henry mentioned, you could limit the DHCP scope to the exact number
of PCs you want to allow. There are probably other ways as well.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !


"Louie" <Lo...@discussions.microsoft.com> wrote in message

news:A5CDAB16-3873-44FD...@microsoft.com...

Louie

Feb 18, 2005, 11:59:07 AM
Well, I have employees that bring their notebooks from home, and they get IPs
for them and use them on the LAN, and it has given us a virus, and I want to
prevent them from getting on the LAN.

Louie

Feb 18, 2005, 12:15:27 PM
Yes, I have pulled all Cat that is not being used from the patch panel. But they use
the connection from their PC .. to connect their notebooks.

Les Connor [SBS Community Member - SBS MVP]

Feb 18, 2005, 12:16:12 PM
Tell them that's not allowed, and what will happen if they do it (as in get
fired).
Send them an invoice for time spent to clean the virus.
(why did your Anti-Virus not pick it up? - but that's another issue).

If you're going to rely on technology to prevent this kind of behaviour, it
will never end. There will be other abuses, and you'll be continually trying
to find ways to prevent users from doing things that should simply be not
allowed by way of company policy.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !

"Louie" <Lo...@discussions.microsoft.com> wrote in message

news:FF034385-2FAA-4176...@microsoft.com...

Henry Craven [SBS-MVP]

Feb 18, 2005, 3:57:39 PM
As Les points out, you have a social engineering problem as much as an
IT one.

On the IT side, I'd limit the IP Scope to the exact number of PCs on the
LAN, and assign IP Reservations to those workstations via their MAC
address. If anyone then goes to the bother of spoofing a MAC address to
connect to the LAN they should be summarily dismissed.

I hope your security groups, shares, and permissions are properly configured
and the users aren't walking away with the company data and software.... (
your potential scenario sounds more than a little frightening )

--
Henry Craven {SBS-MVP}
CI Information Technology
----------------------------------------------------
Melbourne SBS Users Group
http://groups.yahoo.com/group/melb-SBSusers/

"Louie" <Lo...@discussions.microsoft.com> wrote in message

news:FF034385-2FAA-4176...@microsoft.com...

Stuart Mackie [MCSE MCSA]

Feb 18, 2005, 6:40:10 PM
Hi Louie. This type of problem arises quite often in the Win2k3 Newsgroups.
Unfortunately since computers need network details before they can
communicate on the network, it isn't possible to restrict DHCP to domain
only computers. Limiting the scope of DHCP and reserving IPs for MAC
addresses will provide some relief because these rogue systems won't
automatically be provided network details, but anyone could configure their
own IP address manually and again have access to the network.

There are a number of other solutions to consider:

1. One of the most effective solutions is to use IPSec AH (authentication
only so no Encryption overhead). Enabling IPSec on your Server and
Workstations will only allow domain computers to communicate with each
other. With this solution IPSec has to be configured to provide
unrestricted access for DHCP, DNS and any network equipment that doesn't
support IPSec. This means that any computer will be able to communicate
with DHCP and DNS and rogue computers will still be 'connected' to the
network, but they will be unable to communicate with any of your domain
computers or gain access to the internet. Microsoft calls this Domain
Isolation.
Documentation on configuring IPSec can be found at www.microsoft.com/ipsec/

2. You could use switches which support 802.1x authentication. In this
case the authentication has to take place before any access is provided to
the network. Unfortunately this isn't without problems. The 802.1x
authentication has a known flaw which is related to the authentication only
taking place once prior to connection, once connected packets aren't signed
etc. A rogue system could take over the IP and MAC address of an
authenticated system giving it access to the network.

3. Similar to reserving IPs for specific MAC addresses and using a DHCP
scope with the exact number of network computers, you could make use of DHCP
Classes. DHCP Classes allow you to set up a class field on your DHCP scope.
Workstations are then configured with this class and when requesting network
details from your DHCP server they provide this class which then tells the
DHCP server which scope to use. If a rogue workstation connects to the
network without the correct class they will not be assigned any network
details. Again this is not a secure solution and is easily overcome.
Q240247 (http://support.microsoft.com/kb/240247/EN-US/) and Q235272
(http://support.microsoft.com/default.aspx?scid=kb;en-us;235272) have
instructions on configuring this on a Win2k DHCP server.


From a security point of view the main solution which requires only the time
to configure it is IPSec. One stage further would be to use IPSec with
802.1x switches in an attempt to keep the rogue systems off altogether,
with the peace of mind of the IPSec AH between authorised systems.

--
Hth,
Stuart Mackie
www.stu.uk.com
MCSA: & MCSE: Security


"Louie" <Lo...@discussions.microsoft.com> wrote in message

news:4209C64A-3866-41BE...@microsoft.com...
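Henry and Stuart both point out the limit of the reservation approach: a device can be given a static address or can clone a reserved MAC. One defensive follow-up is to periodically audit the DHCP lease table against the reservations and the domain's computer accounts, so that the rogue devices Louie describes show up in a report even when the scope is not exhausted. The script below is an added example, not code from this thread or from Microsoft. The lease export, the reservation table and the computer list are constructed sample data; a real export from the DHCP console or `netsh dhcp` has its own layout and would need its own parser. It goes one step past the thread by also flagging a reserved MAC whose self-reported hostname differs from the reservation, which is the symptom of the MAC-cloning case Henry mentions (the hostname is supplied by the client, so this is a hint to investigate, not proof).

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of an active-lease export (ip,mac,hostname).
# Not a real DHCP export; adapt parse_leases() to the real format.
LEASES_CSV = """ip,mac,hostname
192.168.16.10,00-0C-29-AA-BB-01,WS01
192.168.16.11,00-0c-29-aa-bb-02,MYNOTEBOOK
192.168.16.12,00:0c:29:aa:bb:03,LAPTOP-HOME
"""

# Constructed reservation table: MAC -> (reserved IP, expected hostname).
RESERVATIONS: Dict[str, Tuple[str, str]] = {
    "00-0c-29-aa-bb-01": ("192.168.16.10", "WS01"),
    "00-0c-29-aa-bb-02": ("192.168.16.11", "WS02"),
}

# Constructed list of computer accounts that exist in the domain.
DOMAIN_COMPUTERS: Set[str] = {"WS01", "WS02", "SBS01"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, dash-separated form so exports that use
    ':' or upper case compare equal to the reservation table."""
    return mac.strip().lower().replace(":", "-")


def parse_leases(text: str) -> List[dict]:
    """Parse the simplified CSV export into rows with normalized fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ip"] = row["ip"].strip()
        row["mac"] = normalize_mac(row["mac"])
        row["hostname"] = row["hostname"].strip().upper()
    return rows


def audit(leases_text: str,
          reservations: Dict[str, Tuple[str, str]],
          domain_computers: Set[str]) -> List[Finding]:
    """Compare each lease against the reservations and the domain.

    Reports: a lease handed to a MAC with no reservation (scope has spare
    addresses); a reserved MAC sitting on the wrong IP; a reserved MAC whose
    hostname does not match the reservation (possible MAC clone); and any
    hostname that is not a domain computer account.
    """
    reserved = {normalize_mac(m): v for m, v in reservations.items()}
    findings: List[Finding] = []
    for lease in parse_leases(leases_text):
        ip, mac, host = lease["ip"], lease["mac"], lease["hostname"]
        if mac not in reserved:
            findings.append(Finding(ip, mac, host, "lease to unreserved MAC"))
        else:
            res_ip, res_host = reserved[mac]
            if ip != res_ip:
                findings.append(Finding(
                    ip, mac, host,
                    f"reserved MAC holds {ip}, expected {res_ip}"))
            if host != res_host.upper():
                findings.append(Finding(
                    ip, mac, host,
                    f"hostname differs from reservation ({res_host}); "
                    "possible MAC clone"))
        if host not in {c.upper() for c in domain_computers}:
            findings.append(Finding(
                ip, mac, host, "hostname is not a domain computer account"))
    return findings


if __name__ == "__main__":
    for f in audit(LEASES_CSV, RESERVATIONS, DOMAIN_COMPUTERS):
        print(f"{f.ip:<16} {f.mac:<18} {f.hostname:<14} {f.reason}")
```

Run on the sample data, the WS01 lease produces nothing, the .11 lease is flagged twice (hostname mismatch against the WS02 reservation and an unknown computer name) and the .12 lease is flagged twice (no reservation and an unknown computer name). In practice this would be scheduled against a fresh export and the findings compared with the physical port list Louie mentions pulling from the patch panel.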
