Securing DHCP Traffic as much as possible

Hello Everyone.

I would like to find a way or a tool that will secure the DHCP traffic by any means except by logging all the MAC addresses.

The case is as follows:

Windows-based network, all servers running Win 2k3 and all clients running Win XP; it's a worldwide forest with one parent domain and a child domain for each region.

No internal users use DHCP for getting IPs; however, some of them install virtual machines for "testing" and, with no domain membership, just let them run, and it's simple as they get an IP from the DHCP.

Is there a way to limit the users / computers from just running a computer and getting an IP directly?

The main problem with the MAC address thing is that we are also getting visitors from other regions; they are still members of the domain, but I can't get the MAC addresses from all regions. I mean it will be a bit of an overload, especially for maintaining.

What about using IPSec?

Any comments or ideas are more than welcome.
msghaleb Asked:
 
JimboEfx Commented:
This has been discussed before:

http://www.experts-exchange.com/Security/Misc/Q_21254612.html

Normally I don't comment on a deletion request, however just because you do not like the answer does not make it any less right.

Specifically you did not say you have seen the article before (again despite being correct) - so someone like me spends their free time and gives you an answer on the information you have presented.

I refer you to the grading guidelines.

http://www.experts-exchange.com/help.jsp#hi97
 
JimboEfx Commented:
It's a broadcast protocol with the limitations thereof, discussed here:

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
 
msghaleb (Author) Commented:
Hi. Yes, I've been through this article before, but it seems that there is no solution for my problem.
 
msghaleb (Author) Commented:
No worries :-)
 
JimboEfx Commented:
It was a long day, caffeine had run out and that was my last comment of the night. I knew it was time to give up the ghost then...

Thanks, anyhow.
 
JimboEfx Commented:
Just in case you did not see this story, there is a mechanism to only hand IPs out to known MAC addresses in Server 2003/8.

http://www.petri.co.il/filter-mac-address-windows-server-2008-dhcp-server-callout-dll.htm