
Active Directory restricting DHCP client address distribution

Posted on 2006-04-19
Last Modified: 2008-05-30
I have a Windows 2003 Server Active Directory network. My domain controller is also my DNS and DHCP server. I would like to prevent users from just plugging in and getting an IP address. Can this be done with Active Directory?
Question by:gnosticgnowledge
11 Comments
 
LVL 16

Expert Comment

by:Joe
ID: 16490919
"I would like to prevent users from just plugging in and getting an IP address" - Do you mean giving themselves a static IP or receiving a DHCP address?

Joe
0
 

Author Comment

by:gnosticgnowledge
ID: 16490954
Ok wasn't specific enough. Receiving a DHCP address from my DNS/DHCP/Domain Controller. Specifically, I need to know if I can use Active Directory to prevent someone from getting an address.
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16491079
To prevent a domain computer from getting an address or a non-domain computer?  What are you trying to accomplish?
0
 

Author Comment

by:gnosticgnowledge
ID: 16491173
To prevent a Windows workstation configured as a DHCP client plugging into the network and getting an address. Come to think of it, I would like to stop someone from being able to give themselves a static address also. To prevent a non-domain computer from getting an address. Domain Users can't add a machine to the domain.
0
 
LVL 16

Accepted Solution

by:
Joe earned 128 total points
ID: 16491317
0
 
LVL 10

Assisted Solution

by:victornegri
victornegri earned 124 total points
ID: 16493470
You can set up IP reservations in the DHCP MMC. That is about the extent of DHCP security on Windows 2k3. If you want to go a step further, you can set up an 802.1x switch with a list of your approved computers' MAC addresses (somewhat difficult). This will prevent machines from even hitting the DHCP server if they're unauthorized.
0
 
LVL 1

Assisted Solution

by:Paawan
Paawan earned 124 total points
ID: 16497645


Hi,
    The security settings for Win 3k server apply after connecting to the server. But a client has to be issued an IP address prior to connecting to the server and applying the security policies. Hence I don't believe it would work with the DHCP setting on the server. You would need a network device for that and, as stated above (Victornegri), you will have to use MAC addresses for restrictions.

But again you can masquerade the MAC address as well and get the connectivity to the network.

Any particular reason you would like to do this?
0
 
LVL 1

Expert Comment

by:Paawan
ID: 16497660


You might check with an ISP how they control the IP address issuing, as for them each IP address actually costs. When we do a dial-up, the server asks for username and password and only after that is an IP address issued.
0
 

Expert Comment

by:savi0627
ID: 16499083
Are you trying to prevent access to local resources or to the internet?
0
 
LVL 1

Assisted Solution

by:nickhills
nickhills earned 124 total points
ID: 16499332
Sometimes the simple solutions are the best ones...

Disable unused ports on the network. If your switches are managed, simply configure the unused ports to be offline; then if someone plugs in, they can't access your local resources.

Of course that doesn't stop someone unplugging a currently connected device and plugging their laptop in instead. To protect against that you will need an SNMP script that will monitor MAC address usage, and disable ports if MAC addresses are seen to change.

If you don't have managed switches, there is always the low-tech answer - pull the spare cables out.

regards,
Nick
0
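The MAC-change check described in the answer above, as an added example that is not part of the original post. It assumes the switch's port-to-MAC table has already been collected (for instance over SNMP) into plain `port mac` lines; the port names, MAC addresses and baseline below are constructed, and the script only reports findings, leaving the decision to disable a port to the administrator.

```python
import re

# Constructed baseline: port -> MAC recorded when the network was known-good.
# None marks a port that should have nothing plugged in.
BASELINE = {
    "Gi0/1": "00:11:22:33:44:55",
    "Gi0/2": "00:11:22:33:44:66",
    "Gi0/3": None,
}

# Constructed poll result, one "port mac" pair per line, mixed MAC notations.
SAMPLE_POLL = """\
Gi0/1 0011.2233.4455
Gi0/2 00-AA-BB-CC-DD-EE
Gi0/3 00:de:ad:be:ef:01
Gi0/4 00:11:22:33:44:77
"""

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff regardless of input notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_poll(text):
    """Parse 'port mac' lines into {port: set of normalized MACs}."""
    seen = {}
    for line in text.splitlines():
        if line.strip():
            port, mac = line.split()
            seen.setdefault(port, set()).add(normalize_mac(mac))
    return seen

def audit(baseline, seen):
    """Compare a poll against the baseline; return (port, reason, macs) tuples."""
    findings = []
    for port in sorted(set(baseline) | set(seen)):
        macs = seen.get(port, set())
        if port not in baseline:
            if macs:
                findings.append((port, "unknown-port", sorted(macs)))
            continue
        expected = normalize_mac(baseline[port]) if baseline[port] else None
        extra = sorted(m for m in macs if m != expected)
        if extra:
            reason = "unused-port-active" if expected is None else "mac-changed"
            findings.append((port, reason, extra))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, parse_poll(SAMPLE_POLL)):
        print(finding)
```

A device that presents the same MAC as the baselined one produces no finding, which is the masquerading limitation raised earlier in the thread.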
 
LVL 1

Expert Comment

by:Paawan
ID: 16499778
Hi,
    Have a look at this. It should tell you everything:

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
0
