Solved

How to purposefully assign "bad DHCP addresses" to rogue clients

Posted on 2009-04-16
Last Modified: 2012-05-06
I have a remote site on which a number of unauthorised machines are being used.  These users have been asked not to connect their PCs but a few continue to do so.

Is there a way of reserving "unroutable" addresses for these machines through Windows 2003 DHCP server?  I have set up a new dummy scope and set the reservations for the "bad machines" to addresses from this scope, but they are still getting addresses from the main "good" scope.

Am I going about this the wrong way, or is there an accepted method of achieving my objectives?

Steve
Question by:SteveZX
8 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24158922
How many valid machines do you have?  You could assign reservations for the good machines and then limit the scope so that there are no other available addresses.

 
LVL 15

Expert Comment

by:zelron22
ID: 24159118
Of course, it won't stop someone from statically assigning an IP.  Cisco's URT (and I'm sure other products) can authenticate users before letting them on the network (or something like that).
 
LVL 15

Expert Comment

by:zelron22
ID: 24159147
Another thing you can do (which won't prevent them from unplugging their machine and plugging theirs in) is to disable all ports on your switch that are not in use.  Assuming that you have a managed switch and you have mapped the ports.
 

Author Comment

by:SteveZX
ID: 24159409
Thanks for the prompt replies!

Total number of "good machines" is over 100 so don't want to reserve for these!

The current "bad" scope has exactly the number of addresses to match the number of rogue machines (they are all reserved, therefore).  There are 12 rogue machines in total.

I am trying to implement a remote solution.  Physical access to the switch ports etc.. will require a special site visit (which I'm trying to avoid if possible!)

LOL - I thought this would be a quick and dirty solution until I could get to site next!  Any more suggestions gratefully received!

Cheers

Steve
 
LVL 15

Accepted Solution

by:zelron22 (earned 750 total points)
ID: 24159596
Well, you could require IPSEC and apply it to the workstations via group policy.  Then the rogue machines at least wouldn't be able to see anything although they would be able to access printers and the internet.

Another thing you can do is that as you identify rogue machines, create reservations for them.  Then, although they will get an IP in the scope, you can set the properties of the reservation and specify a bad gateway, bad DNS servers, etc. so that they won't be able to do much else, certainly not get to the internet or across the WAN.
 

Author Comment

by:SteveZX
ID: 24159831
IPSEC was a possibility, but we have a number of laptops moving between sites so this may cause problems.  Also, the site server needs to be accessed from other remote sites.

I didn't realise that you could Configure Options against reservations - this will probably be the easiest solution to implement.  I'll get one of my guys to try this tomorrow and report back.

Many thanks

Steve
 
LVL 1

Expert Comment

by:WillMcDoanld
ID: 24159929
Use MAC addresses for machines you know should be on your network, and make two address pools: one for known machines and one for unknown.  Then just make the "unknown" pool something random with bogus info for the gateway.
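The per-reservation quarantine that zelron22's accepted solution and WillMcDonald's comment both describe, scripted with the netsh dhcp commands available on Windows Server 2003. This is an added example, not code from the thread; the server name, scope, quarantine addresses and the two sample MAC addresses are constructed placeholders, and the "dead" gateway/DNS address is assumed to be an address on the subnet with no host behind it.

```batch
@echo off
rem Added example (not from the thread): quarantine known rogue MACs on a
rem Windows Server 2003 DHCP server. Each rogue MAC gets a reservation in the
rem MAIN scope (a separate scope, as tried in the question, is never offered
rem to a client that can lease from the scope its subnet maps to), and the
rem reservation-level options override the scope's router and DNS servers.
rem Placeholders: server \\DHCP01, scope 10.10.0.0, dead address 10.10.0.254.
set SRV=\\DHCP01
set SCOPE=10.10.0.0
set DEADGW=10.10.0.254

rem Constructed sample list: quarantine IP followed by MAC (no separators).
for %%R in ("10.10.0.240 001122AABB01" "10.10.0.241 001122AABB02") do (
  for /f "tokens=1,2" %%A in (%%R) do call :quarantine %%A %%B
)
goto :eof

:quarantine
rem %1 = reserved IP, %2 = MAC. Name and comment make the entry easy to audit.
netsh dhcp server %SRV% scope %SCOPE% add reservedip %1 %2 "rogue-%2" "quarantined" "DHCP"
rem Option 003 = Router, 006 = DNS Servers; set only on this reservation, so
rem every other client in the scope keeps the scope-level values.
netsh dhcp server %SRV% scope %SCOPE% set reservedoptionvalue %1 003 IPADDRESS %DEADGW%
netsh dhcp server %SRV% scope %SCOPE% set reservedoptionvalue %1 006 IPADDRESS %DEADGW%
rem Verify what the client will actually receive at its next renewal.
netsh dhcp server %SRV% scope %SCOPE% show reservedoptionvalue %1
goto :eof
```

A rogue client that already holds a lease keeps its current gateway and DNS until it renews, and, as noted earlier in the thread, a statically configured machine never asks the DHCP server at all, so the DHCP audit log and switch port controls remain the backstop.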
 

Author Closing Comment

by:SteveZX
ID: 31571032
Assigning options to the reservations worked well - many thanks!
