Re: DHCP restriction via MAC...
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 05/18/05
- Next message: Karl Levinson, mvp: "Re: Netbeui and security"
- Previous message: Roger Abell: "Re: IE vulnerabilities..."
- In reply to: Steven L Umbach: "Re: DHCP restriction via MAC..."
- Next in thread: Faisal [MSFT]: "Re: DHCP restriction via MAC..."
- Reply: Faisal [MSFT]: "Re: DHCP restriction via MAC..."
Date: Tue, 17 May 2005 22:28:37 -0400
Agreed. While DHCP reservations per MAC are generally considered a pain,
especially during initial setup, they aren't that much more of a pain than
enabling port security to do mac address filtering on your switches. This
is something else you could consider. I think it's somewhat more commonly
done than DHCP mac address filtering, since it's more secure. It prevents
people from selecting their own IP address, from collecting data by
eavesdropping / sniffing, prevents use of other protocols besides TCP/IP,
and prevents people from using man in the middle / session hijacking, etc.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uWDGpz0WFHA.4036@TK2MSFTNGP10.phx.gbl...
> You could try to create a DHCP scope that has nothing but reservations which
> map a mac address to an IP address in the scope. That can be very time
> consuming on all but the smallest networks and I have read of users saying
> that DHCP still would dish out a reserved IP address to a computer if no
> other IP addresses were available and there were reserved IP addresses not
> in use.
>
> DHCP reservations can be very useful but they are a poor security safeguard
> as a user could simply assign static IP info to his computer that would
> allow access and even potentially deny a legitimate computer from receiving
> an IP address if the user assigns an IP that is in the DHCP scope already.
> Switches that can filter traffic by mac addresses, use 802.1X
> authentication, or using ipsec in the domain are other ways to increase
> security to prevent access from unauthorized computers. Mac filtering can be
> easily spoofed by malicious users, 802.1X takes a lot of planning and
> compatible hardware/operating systems, and ipsec can be very effective in a
> domain if all the computers are ipsec capable. Ipsec can not however prevent
> a computer from using DHCP server since DHCP is broadcast based but it can
> prevent a non domain computer from accessing a domain computer with an ipsec
> "require" policy with default kerberos computer authentication. --- Steve
>
>
>
> "Steven Sinclair" <StevenSinclair@discussions.microsoft.com> wrote in
> message news:098C4021-7036-4DBD-8171-8F33AA6ED0B9@microsoft.com...
> > Windows 2003 Server Enterprise Edition
> > Windows Built-In DHCP Service
> >
> > Is there any way to restrict whether or not a client on a local LAN receives
> > a DHCP address from my server based on MAC address?
> >
> > Let's say I have a visiting vendor. I do not want that notebook computer to
> > automatically pick up an IP address from my server as soon as he plugs the
> > machine into my network. Instead, knowing his MAC address, I'd want the
> > server not to assign him one.
> >
> > Thanx.
>
>
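The quoted reply above notes that a reservation-only scope does not stop a user from assigning a static address inside the scope. As an added example that is not part of the original thread, the Python sketch below audits observed IP/MAC pairs against the reservation list to surface that case. The scope, addresses, MACs and function names are constructed for illustration, and the input is assumed to come from an ARP table or switch forwarding table export.

```python
import ipaddress
import re

# Constructed sample data: reservations as exported from the DHCP server, and
# (ip, mac) pairs as seen in a router ARP table or switch forwarding table.
SCOPE = "192.168.10.0/24"
RESERVATIONS = {"02-00-00-00-00-01": "192.168.10.20",
                "02-00-00-00-00-02": "192.168.10.21"}
OBSERVED = [("192.168.10.20", "02:00:00:00:00:01"),   # matches its reservation
            ("192.168.10.21", "0200.0000.0099"),      # reserved IP, wrong MAC
            ("192.168.10.77", "02:00:00:00:00:aa"),   # no reservation at all
            ("192.168.10.90", "02-00-00-00-00-02"),   # known MAC, other IP
            ("10.0.0.5", "02:00:00:00:00:bb")]        # outside the scope

def norm_mac(mac):
    """Normalise dash, colon or dotted MAC notation to lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, observed, scope):
    """Return sorted (ip, mac, finding) tuples for in-scope addresses whose
    observed MAC does not match the DHCP reservation list."""
    net = ipaddress.ip_network(scope)
    by_mac = {norm_mac(m): ipaddress.ip_address(ip) for m, ip in reservations.items()}
    reserved_ips = set(by_mac.values())
    findings = []
    for ip_text, mac_text in observed:
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac_text)
        if ip not in net or by_mac.get(mac) == ip:
            continue  # out of scope, or exactly as reserved
        if ip in reserved_ips:
            finding = "reserved address held by a different MAC"
        elif mac in by_mac:
            finding = "known MAC on an address other than its reservation"
        else:
            finding = "unreserved MAC using an in-scope address"
        findings.append((str(ip), mac, finding))
    # A spoofed MAC that copies a reserved pair passes this check unnoticed.
    return sorted(findings)

if __name__ == "__main__":
    for row in audit(RESERVATIONS, OBSERVED, SCOPE):
        print(*row, sep="  ")
```
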