Securing DHCP Traffic as much as possible

Hello Everyone.

I would like to find a way or a tool that will secure the DHCP traffic by any means except logging all the MAC addresses.

The case is as follows:

Windows-based network, all servers running Win 2k3 and all clients running Win XP; it's a worldwide forest with one parent domain and a child domain for each region.

No internal users use DHCP for getting IPs; however, some of them install virtual machines for "testing" with no domain membership and just let them run, and it's as simple as that: they get an IP from the DHCP.

Is there a way to limit the users / computers from just running a computer and getting an IP directly?

The main problem with the MAC address thing is that we also get visitors from other regions; they are still members of the domain, but I can't get the MAC addresses from all regions. I mean, it will be a bit of an overload, especially for maintaining it.

What about using IPSec?

Any comments or ideas are more than welcome.
msghalebAsked:

James MontgomeryCommented:
It's a broadcast protocol with the limitations thereof, discussed here:

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
0
msghalebAuthor Commented:
Hi, yes, I've been through this article before, but it seems that there is no solution for my problem.
0
James MontgomeryCommented:
This has been discussed before:

http://www.experts-exchange.com/Security/Misc/Q_21254612.html

Normally I don't comment on a deletion request, however just because you do not like the answer does not make it any less right.

Specifically, you did not say you had seen the article before (again, despite it being correct), so someone like me spends their free time and gives you an answer based on the information you have presented.

I refer you to the grading guidelines.

http://www.experts-exchange.com/help.jsp#hi97
0

msghalebAuthor Commented:
No worries :-)
0
James MontgomeryCommented:
It was a long day, the caffeine had run out, and that was my last comment of the night. I knew it was time to give up the ghost then...

Thanks, anyhow.
0
James MontgomeryCommented:
Just in case you did not see this story, there is a mechanism to only hand IPs out to known MAC addresses in Server 2003/8:

http://www.petri.co.il/filter-mac-address-windows-server-2008-dhcp-server-callout-dll.htm
0