Re: security dhcp server

From: Stephen Oeffinger (Oeffinger_at_discussions.microsoft.com)
Date: 04/11/05 

Date: Mon, 11 Apr 2005 12:49:03 -0700

Thanks for the info. It is greatly appreciate.

"Steven L Umbach" wrote:

> What you could try is to configure your scope to only have reservations. A
> reservation is an IP address within the scope that is reserved for a
> specific mac address. However others have reported that DCHP has issued IP
> addresses to computers that did not have a reservation if all the
> reservations are not being used. This may have been fixed in a service pack.
> I don't know as I have never tried it. DHCP is not a very effective security
> measure. Keep in mind that it is not hard for a user to configure his
> computer with a static IP address to access your network. Better security
> measures are switches that can do mac filtering and/or 801.1X port
> authentication or using ipsec to prevent unauthorized computers from
> accessing a computer with an ipsec require policy. Ipsec configuration
> however is not a trivial matter and should be fully tested before
> implementing, particularly in regards to domain controller traffic. Only
> Windows 2000/XP Pro/2003 are ipsec capable.
>
> Many switches can do mac filtering. It is not hard to spoof a mac address
> but it does raise the bar for entrance to all but the determined malicious
> user. These type managed switches often have a mac address memorizing
> feature to mac implementing mac filtering relatively painless. 802.1X is
> more secure, though not foolproof but requires much more planning and
> infrastructure such as capable switches, compatible operating systems, a
> certificate server, and an IAS server. Windows 2000/2003 Server can do CA
> and IAS. The link below explains more as an example if you are
> nterested. --- Steve
>
> http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm
>
> "Stephen Oeffinger" <Stephen Oeffinger@discussions.microsoft.com> wrote in
> message news:F32C0ECA-8DC5-4740-94AF-D3FC92C12769@microsoft.com...
> > Hi, I'm looking to secure my dhcp server so it will only ssign ip
> > addresses
> > to machines with specific mac addresses. I'm running the dhcp
> > application
> > available within windows 2003 server standard. Any one have any ideas?
> >
> >
>
>
>

Relevant Pages

  • Re: Need Help from Advanced IP Routing Tech
    ... strange MAC address, you need to remove the IP# from the server and "stop" ... the Site associated with it,...then with the server "out of the way" try to ... be able to examine the ARP Table in the switches and see if that rogue MAC ... I entered into the NIC card one of the ...
    (microsoft.public.windows.server.networking)
  • Re: DHCP And Security
    ... DHCP can not be used as a effective security mechanism. ... can manage access based on mac addresses can help and many have an auto ... something like using 802.1X authentication for switches would be much more ... Certificate Server and an IAS server on the network - all of which Windows ...
    (microsoft.public.win2000.networking)
  • Re: Static IP address but dynamic DNS settings
    ... I don't follow how a MAC address reservation is the same ... If a server goes down, and the DHCP server happens to be ... >>Also, our servers have their NICs teamed, and there is ...
    (microsoft.public.windows.server.networking)
  • RE: wireless access
    ... HI Jerry, many thanks for that, i have set up reservations and thats working ... What i cannot do is to set up the filters. ... > users to access the network and internet according to the client MAC ... > new reservation, then you can assign an IP address for a particular MAC ...
    (microsoft.public.windows.server.sbs)
  • Re: DHCP server giving Static addresses
    ... You can use dhcp reservations within a dhcp scope to reserve an IP address for a ... particular mac address. ... However you can not edit a reservation. ... > address we could make the change in the database and ...
    (microsoft.public.win2000.networking)