Re: DHCP Security

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 02/16/03


From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
Date: Sun, 16 Feb 2003 08:21:32 -0500


"SiuLung" <siulung@rogers.com> wrote in message
news:L%Z2a.680312$F2h1.157293@news01.bloor.is.net.cable.rogers.com...

> there are 2 things I would like to add in which is I want all the
> workstations have to login to the domain in order to get an IP and/or to have
> access at the RRAS server ( which means they have to login to the domain to
> get on internet) , I have set the DHCP to provide IP and RRAS to act as an
> internet gateway.

I don't think it's possible or desirable to block machines from getting an
IP address in this way, and it's probably not a good idea if it was
possible. If this was possible, you'd need to communicate with the server
using IPX or non-routable NetBEUI since you wouldn't have an IP address yet.
This is probably not a great idea. At any rate, this would not prevent
someone from entering in a static IP address to get to the internet.

What you want is a firewall or proxy server that can do user authentication.
Most of them can. www.netscreen.com 5XP runs about $500 US and is one of
the cheaper solutions for this. Or, Squid is a free proxy that will
probably do this.

I don't think the level of security you're looking for is built into DHCP,
certainly not Windows DHCP. If you still want to use DHCP to block
unauthorized computers from getting IP addresses, you could try setting up a
DHCP reservation on the DHCP servers for every computer out there. You'd
have to know the MAC address for every NIC card out there and any new NIC
card or machine would not get an IP address. This is per-computer security,
so it would not block unauthorized users on an authorized machine, and would
not prevent someone on Windows 9x/ME or someone with administrative access
to the machine from entering in a static IP address to get on the network.
Also, note that spoofing MAC addresses is trivial. To get the MAC address
of a computer on the network, ping the computer and then run the ARP -a
command.

PS I hope you have at least a second DHCP server service set up somewhere,
as if your DHCP server goes down or crashes, you only have a day or a few
days to notice and fix the problem before your computers stop being able to
use the internet. DHCP services shouldn't take up too many resources on the
server, so you should be able to set them up on just about any server there
[though if you're using Active Directory-integrated DNS for the security
features there, there's a certain caveat about not installing DHCP on your
DNS server or domain controller, can't fully remember].

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003
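The reply above suggests per-computer DHCP reservations keyed on MAC address, and also points out that `arp -a` reveals which MACs are on the wire. The following is an added example, not code from the original thread or from any of its posters: it parses constructed `arp -a` output (the Windows column layout, with colon-separated MACs also accepted) and compares it against a hypothetical exported reservation list, flagging hosts that are on the network without a matching reservation. The sample ARP text, the `RESERVATIONS` dictionary and the function names are all assumptions made for this example.

```python
import re

# Constructed sample of Windows "arp -a" output; not captured from any real network.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
  192.168.1.21          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical reservation export from the DHCP server: IP -> reserved MAC.
RESERVATIONS = {
    "192.168.1.1": "00-11-22-33-44-55",
    "192.168.1.20": "00-11-22-33-44-66",
}

# One ARP row: IPv4 address, MAC (hyphen or colon separated), and the entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+"
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Canonical form: lowercase, hyphen separated, so exports in either style compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Return {ip: mac} for dynamic (learned) entries only.

    Static rows in the Windows table are broadcast/multicast addresses or
    manually added entries, so they are not evidence of a live host.
    """
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue  # header, interface line, or blank
        ip, mac, kind = match.groups()
        if kind.lower() != "dynamic":
            continue
        table[ip] = normalize_mac(mac)
    return table


def find_unreserved(arp_table, reservations):
    """List (ip, mac, reason) for hosts seen on the wire without a matching reservation.

    "no reservation": the IP is not reserved at all (a statically configured
    host, or a lease from a scope that is not fully reserved).
    "mac mismatch": the IP is reserved, but a different MAC is answering for it.
    """
    findings = []
    for ip, mac in sorted(arp_table.items(), key=lambda kv: tuple(map(int, kv[0].split(".")))):
        reserved = reservations.get(ip)
        if reserved is None:
            findings.append((ip, mac, "no reservation"))
        elif normalize_mac(reserved) != mac:
            findings.append((ip, mac, "mac mismatch"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_unreserved(parse_arp_table(SAMPLE_ARP_OUTPUT), RESERVATIONS):
        print(f"{ip:<16} {mac}  {reason}")
```

Run it against real output by piping `arp -a` into the script in place of the constructed sample. Keep in mind the caveat the reply itself makes: the ARP table only shows the MAC a host claims, and MACs are trivially spoofed, so a clean report is a housekeeping check on your reservation list, not proof that only authorized machines are connected.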

