Solved

How do I stop DHCP giving out IP addresses to anything plugged into the network?

Posted on 2014-09-24
Last Modified: 2014-09-29
As a technology company which I am fairly new to, we seem to have a free for all attitude to plugging things into the network.  I don't mind the hubs so much but three things I need to get on top of are virtual machines, mobile phones and self-purchased laptops.  The latter is probably the one I need to resolve quickly.  My problem is that anything plugged into our network will get an IP address and get access to certain resources - they have not been configured by me with anti-virus and computer accounts in AD, so my server screams at me with security failures which makes monitoring a nightmare.  I think what I need to do is stop IP addresses being given to the devices above, but I am not sure how to do this.
Please advise.

Thanks
Question by:fuzzyfreak
16 Comments
 
LVL 13

Expert Comment

by:Mark Galvin
Hi

How big is the network? What is currently giving out DHCP addresses?

Thanks
Mark/
 
LVL 19

Expert Comment

by:Kash
Simple answer would be to disable DHCP and use static IP addresses; that way no new device will get an IP address.
 
LVL 13

Expert Comment

by:Gabriel Clifton
Or Cisco ISE
 
LVL 4

Author Comment

by:fuzzyfreak
Network is small, we have about forty users but approximately 200 IP addresses for various devices (desktops, laptops, wireless devices, hubs, switches, VMs, Servers)
It is Windows domain DHCP giving them out.
No way am I going to give out static IP addresses!
I would prefer to simply reconfigure what we already have.
 
LVL 19

Accepted Solution

by:
Kash earned 500 total points
We use Kerio Control; it's not free but it's good.

Your other option would be to use MAC address filtering with strict bind.
 
LVL 4

Author Comment

by:fuzzyfreak
How do I use MAC address filtering?  Where is this option?
Any idea how much Kerio is?
 
LVL 19

Expert Comment

by:Kash
http://www.kerio.com/products/kerio-control

I will get you info on MAF later on.
 
LVL 13

Expert Comment

by:Mark Galvin
MAC Address Filtering - http://technet.microsoft.com/en-us/magazine/ff521761.aspx

Don't use static. Will cause chaos including IP conflicts. It will also allow a user that has the know-how to set their IP statically and then they have access.

You could also look at your network switches. If you set the access there (sorry - not a network engineer so can't advise) then only the devices you have given access to will be able to access the network.

 
LVL 3

Expert Comment

by:TropicalBound
When you find an unauthorized device on your network, create a DHCP reservation with the device's MAC address.  Under 'Configure Options', enter bogus DNS and router info.  They'll still be on your network, but they won't have name resolution or Internet access.

This is a band-aid at best.  Even if you resolve the DHCP issue, you still have to contend with the users who put a static IP on their device.  Ultimately, you'll need senior management to back you, and institute a corporate policy prohibiting users from connecting personal devices to the corporate network.  Then give the corporate policy teeth.  You'll only have to make an example out of one person before people take the policy seriously.
 
LVL 4

Author Comment

by:fuzzyfreak
 
LVL 19

Expert Comment

by:Kash
Follow this article >>> http://social.technet.microsoft.com/Forums/en-US/6a4479cd-5567-4a48-b936-251149ae034f/mac-address-filtering-with-windows-server-2008-r2?forum=winserverNAP

The reason being you listed Windows 2008 as the server, so I presume it is doing the DHCP.
Let me know if otherwise and let us know the name of the router and I will dig up the detailed instructions for that.
 
LVL 16

Expert Comment

by:vivigatt
A simple solution:
Use a DHCP server and allow only reservations, no dynamic IP assignment.
Each new device would need to have its MAC address registered in the reservation pool before it can get an IP address from DHCP.
No need to purchase anything new, simple management...
 
LVL 4

Author Comment

by:fuzzyfreak
Thank you all for your suggestions, I think simple MAC address filtering is the way to go here for my known devices. But what I need to do is set up a scope that allows those plug and play devices to continue to get out to the Internet (not to the network).  Any ideas here?  Do I set up a new scope?
 
LVL 16

Expert Comment

by:vivigatt
You need a "guest network". If on WiFi, that's easier, provided that your WiFi router/Access point has the "guest network" feature...
 
LVL 4

Author Comment

by:fuzzyfreak
I already have a guest network on wi-fi.  No, this is for physical Ethernet connections.
 
LVL 4

Author Closing Comment

by:fuzzyfreak
I think MAC address filtering is the answer here.  I will raise a new question regarding a "guest" DHCP scope.
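
One way to build the device inventory before an allow list is enforced, as an added example that is not part of the original thread: it reads a DHCP server audit log and reports lease events for MAC addresses missing from a known-device list. The log excerpt, host names, MAC addresses and the `KNOWN_MACS` inventory are constructed; the column layout and event IDs 10/11 are assumed to follow the Windows DHCP audit log format.

```python
import csv
import io

# Constructed sample in the Windows DHCP audit-log CSV layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,09/24/14,09:01:12,Assign,192.168.1.50,DESK-01.corp.example,001A2B3C4D5E,
11,09/24/14,09:05:40,Renew,192.168.1.51,SRV-FILE.corp.example,001A2B3C4D5F,
10,09/24/14,10:17:03,Assign,192.168.1.77,android-7f3a,A0B1C2D3E4F5,
10,09/24/14,10:42:55,Assign,192.168.1.78,johns-laptop,00-50-56-AA-BB-CC,
11,09/24/14,11:02:10,Renew,192.168.1.77,android-7f3a,A0B1C2D3E4F5,
24,09/24/14,11:30:00,Database Cleanup Begin,,,,
"""

# Constructed inventory of approved devices, in mixed notations on purpose.
KNOWN_MACS = {"00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-5F"}

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = lease renewed


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 upper-case hex digits, or None."""
    digits = "".join(c for c in mac if c not in ":-. ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        return None
    return digits


def unknown_leases(log_text, known_macs):
    """Return {mac: (ip, hostname)} for leases given to MACs not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    found = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # header, preamble text and non-lease events
        mac = normalize_mac(row[6])
        if mac and mac not in known:
            found[mac] = (row[4].strip(), row[5].strip())  # latest entry wins
    return found


if __name__ == "__main__":
    for mac, (ip, host) in sorted(unknown_leases(SAMPLE_LOG, KNOWN_MACS).items()):
        print(f"{mac}  {ip:<15}  {host}")
```

Devices configured with a static IP never appear in this log, so the output only covers clients that actually requested a lease.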