Re: Securing DHCP Server

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 05/18/04


Date: Tue, 18 May 2004 12:58:08 -0500

The KB link below refers to the behaviour you are seeing for a setup similar
to yours and suggests that a service pack may help.

http://support.microsoft.com/default.aspx?scid=kb;en-us;284145

While using reservations as you do may help it will of course not stop
someone from configuring their computers with static tcp/ip info to access
the network. If you are in a domain with all W2K/XP Pro computers you could
consider using ipsec that uses kerberos machine authentication within the
forest to restrict access to domain machines other than domain controllers
which will not work with a secure server/require ipsec policy.

Another thing to consider is a layer 2 switch that can control access to
ports based on mac address and/or use 802.1X authentication that requires
certificate authentication to a radius/IAS server before allowed access to
the port and network. --- Steve

http://www.dlink.com/products/?pid=87 -- an under $450 secure 24 port
managed switch.

"Rob Devereux" <rob.devereux@linacre.ox.ac.uk> wrote in message
news:c8d989$noo$1@news.ox.ac.uk...
> Forgive the X posting but I wanted to cover as many bases as possible with
> this.
>
> I have a DHCP Server set up on a Windows 2000 Server.
>
> In order to have the best of both worlds (ie have the security and auditing
> of Static addresses in cases of virus infection or abuse but the convenience
> of setup and ability to recoup address from leaving clients), I have set it
> up to have no "pool" of addresses and 100% either blocked or reserved by MAC
> address (the clients have to send me the MAC address which I register against
> an IP address).
>
> What I have found is that if a rogue machine is put on the network (for
> example if someone forgets to register their MAC address or just ignores the
> need), particularly a 2000/XP one, the DHCP Server will assign it an address
> even though there are supposedly none to be assigned. What I have found
> happening is that it assigns one of the reserved addresses that is currently
> inactive (because the pc is temporarily off the network), and of course as
> soon as that client goes back on the network and tries to use the address,
> they get an IP conflict at best and more likely just a lock on usage.
>
> Has anyone seen this or got a fix for it?
>
> Rob
>
> --
> Rob Devereux
> IT Officer
> Linacre College
> St Cross Road
> Oxford
> OX1 3JA
> (01865) 271659
> rob.devereux@linacre.ox.ac.uk
>
>
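The thread describes a reservation-only DHCP setup in which an unregistered machine can still end up holding a reserved address while its registered owner is off the network. The script below is an added example, not code from either poster, showing how an administrator could catch that condition by auditing the server's lease listing against the MAC reservation table: every lease is checked for a MAC that does not match the reservation on its address, and for MACs that have no reservation at all. The reservation table, the lease records and the `state` field are constructed sample data; a real check would read them from the server's own lease export.

```python
"""Audit DHCP lease records against a MAC-address reservation list.

Added example (not from the thread). The reservation table and lease
listing below are constructed to mirror the situation described: a server
configured with reservations only has leased one reserved address to an
unregistered client while the registered owner is temporarily offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str     # hardware address as reported by the DHCP server
    state: str   # "active" or "inactive" (constructed field)


# Constructed reservation table: reserved IP -> registered MAC.
RESERVATIONS = {
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
    "10.0.0.12": "00:11:22:33:44:12",
}

# Constructed lease listing. Windows tools often print MACs with hyphens
# and upper case, so one record uses that form on purpose.
LEASES = [
    Lease("10.0.0.10", "00:11:22:33:44:10", "active"),    # matches its reservation
    Lease("10.0.0.11", "AA-BB-CC-DD-EE-FF", "active"),    # unregistered MAC on a reserved IP
    Lease("10.0.0.12", "00:11:22:33:44:12", "inactive"),  # owner currently off the network
    Lease("10.0.0.50", "aa:bb:cc:dd:ee:01", "active"),    # address with no reservation at all
]


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so formats compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit_leases(leases, reservations):
    """Return (ip, mac, reason) for each lease that violates the reservation table.

    A lease is flagged when its address is reserved for a different MAC
    (the case from the thread) or when the address is not reserved for anyone,
    which a reservation-only server should never hand out.
    """
    reserved = {ip: normalize_mac(m) for ip, m in reservations.items()}
    findings = []
    for lease in leases:
        mac = normalize_mac(lease.mac)
        expected = reserved.get(lease.ip)
        if expected is None:
            findings.append((lease.ip, mac, "lease on unreserved address"))
        elif expected != mac:
            findings.append((lease.ip, mac, f"reserved for {expected}"))
    return findings


def unregistered_macs(leases, reservations):
    """MACs holding a lease that appear nowhere in the reservation table."""
    known = {normalize_mac(m) for m in reservations.values()}
    seen = {normalize_mac(lease.mac) for lease in leases}
    return sorted(seen - known)


if __name__ == "__main__":
    for ip, mac, reason in audit_leases(LEASES, RESERVATIONS):
        print(f"{ip:<12} {mac}  {reason}")
    print("unregistered MACs:", ", ".join(unregistered_macs(LEASES, RESERVATIONS)))
```

Run against a real lease export, the two findings functions give the list of addresses to reclaim and the MACs whose owners still need to register. As Steve's reply notes, this only catches clients that went through DHCP; a machine configured with a static address never appears in the lease table, which is why the thread points to IPsec or 802.1X port authentication for enforcement rather than detection.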

