RE: Filtering DHCP Assignments by MAC Address

From: Levinson, Karl (LevinsonK_at_STARS-SMI.com)
Date: 06/20/03

    To: 'Jake Frost' <jakefr0st@hotmail.com>, FOCUS-MS@securityfocus.com
    Date: Fri, 20 Jun 2003 11:34:51 -0400
    
    

    You can set up static DHCP reservations for every known MAC address on your
    network, but this likely involves a large amount of administrative overhead
    [especially in large environments] and some user discomfort as MAC addresses
    change. And, anything you do to control DHCP does nothing to prevent
    someone from plugging a computer in and choosing their own static IP address
    to get onto the network.

    [If controlling computers via MAC address is a possibility in your
    environment, note that you could have more success doing this with "port
    security" at the switch instead of the DHCP server, as this might also help
    prevent unauthorized use of static IP addresses as well as DHCP.]

    This question is frequently asked, and the usual answer given is either to:

    1) use DHCP reservations on the server to bind a particular MAC address /
    NIC card to a particular IP address [which might be a lot of work for the
    administrator to do if the network was large],

    2) use a network IDS product to monitor MAC address to IP address mappings
    [which would possibly generate a lot of false alarms and extra work and
    would just be detective and not preventative], or

    3) use some form of per-user authentication at the switch [or proxy server
    or firewall, though these would typically just limit unauthorized access to
    the internet or network on the other side].

    You might search the microsoft.public.* newsgroups [or all newsgroups] for
    past answers on this by going to www.google.com/advanced_group_search

    -----Original Message-----
    From: Jake Frost [mailto:jakefr0st@hotmail.com]
    Sent: Thursday, June 19, 2003 5:51 PM
    To: FOCUS-MS@securityfocus.com
    Subject: [despammed] Filtering DHCP Assignments by MAC Address

    We have just converted to DHCP and would like to limit the ability of people
    to plug in to the network without authorization. In Win2K is it possible to
    limit DHCP assignments by MAC address or some other mechanism to keep rogue
    machines out? My server admins have been researching this but can't find a
    method to achieve what we want. Thanks.

    -----------------------------------------------------------------------------
    ------------------------------------------------------------------------------
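The monitoring approach in option 2 of the reply above, sketched as an added example that is not part of the original message: it compares observed IP-to-MAC pairs against the DHCP reservation list and reports only distinct mismatches, which keeps repeated sightings and differing MAC notations from producing the false alarms the reply mentions. The function names, the reservation table and the sightings (as they might be exported from an ARP table or a switch) are all constructed assumptions.

```python
import re

def norm_mac(mac):
    """Canonicalize a MAC so 00-0C-29-AA-BB-01, 000c.29aa.bb01 and
    00:0c:29:aa:bb:01 all compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, sightings):
    """Return one finding per distinct (ip, mac) pair that violates the
    reservation table, in first-seen order."""
    reserved = {norm_mac(mac): ip for mac, ip in reservations.items()}
    owner_of = {ip: mac for mac, ip in reserved.items()}
    findings, seen = [], set()
    for ip, raw_mac in sightings:
        mac = norm_mac(raw_mac)
        if (ip, mac) in seen:          # repeated sighting: report once
            continue
        seen.add((ip, mac))
        if mac not in reserved:
            kind = "unknown_mac"       # NIC has no reservation at all
        elif reserved[mac] != ip:
            kind = "wrong_ip"          # known NIC on an address DHCP never gave it
        else:
            continue                   # matches its reservation
        findings.append({"kind": kind, "ip": ip, "mac": mac,
                         "ip_reserved_for": owner_of.get(ip)})
    return findings

# Constructed sample data (hypothetical hosts, not from the original thread).
RESERVATIONS = {
    "00-0C-29-AA-BB-01": "10.0.0.11",
    "00-0C-29-AA-BB-02": "10.0.0.12",
}
SIGHTINGS = [
    ("10.0.0.11", "000c.29aa.bb01"),     # matches, different notation
    ("10.0.0.12", "00:0c:29:aa:bb:02"),  # matches
    ("10.0.0.50", "00:0c:29:aa:bb:02"),  # known NIC, self-assigned static IP
    ("10.0.0.77", "02:00:5e:10:00:01"),  # unknown NIC, unreserved address
    ("10.0.0.11", "02:00:5e:10:00:02"),  # unknown NIC on a reserved address
    ("10.0.0.77", "02-00-5E-10-00-01"),  # repeat of an earlier sighting
]

if __name__ == "__main__":
    for finding in audit(RESERVATIONS, SIGHTINGS):
        print(finding)
```

As the reply says, this is detective only: it reports the mismatch after the machine is already on the wire, so it complements rather than replaces port security or authentication at the switch.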

