Solved

How do I stop DHCP giving out IP addresses to anything plugged into the network?

Posted on 2014-09-24
Last Modified: 2014-09-29
As a technology company which I am fairly new to, we seem to have a free for all attitude to plugging things into the network.  I don't mind the hubs so much but three things I need to get on top of are virtual machines, mobile phones and self-purchased laptops.  The latter is probably the one I need to resolve quickly.  My problem is that anything plugged into our network will get an IP address and get access to certain resources - they have not been configured by me with anti-virus and computer accounts in AD, so my server screams at me with security failures which makes monitoring a nightmare.  I think what I need to do is stop IP addresses being given to the devices above, but I am not sure how to do this.
Please advise.

Thanks
Question by:fuzzyfreak
16 Comments
 
LVL 13

Expert Comment

by:Mark Galvin
ID: 40341360
Hi

How big is the network? What is currently giving out DHCP addresses?

Thanks
Mark/
0
 
LVL 19

Expert Comment

by:Kash
ID: 40341366
Simple answer would be to disable DHCP and use static IP addresses; that way no new device will get an IP address.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40341370
Or Cisco ISE
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40341400
Network is small, we have about forty users but approximately 200 IP addresses for various devices (desktops, laptops, wireless devices, hubs, switches, VMs, Servers)
It is Windows domain DHCP giving them out.
No way am I going to give out static IP addresses!
I would prefer to simply reconfigure what we already have.
0
 
LVL 19

Accepted Solution

by:
Kash earned 500 total points
ID: 40341418
We use Kerio Control; it's not free but it's good.

Your other option would be to use MAC address filtering with strict bind.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40341424
How do I use MAC address filtering?  Where is this option?
Any idea how much Kerio is?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40341447
http://www.kerio.com/products/kerio-control

I will get you info on MAF later on.
0
 
LVL 13

Expert Comment

by:Mark Galvin
ID: 40341448
MAC Address Filtering - http://technet.microsoft.com/en-us/magazine/ff521761.aspx

Don't use static. Will cause chaos including IP conflicts. It will also allow a user that has the know-how to set their IP statically and then they have access.

You could also look at your network switches. If you set the access there (sorry - not a network engineer so can't advise) then only the devices you have given access to will be able to access the network.
0

 
LVL 3

Expert Comment

by:TropicalBound
ID: 40341451
When you find an unauthorized device on your network, create a DHCP reservation with the device's MAC address.  Under 'Configure Options', enter bogus DNS and router info.  They'll still be on your network, but they won't have name resolution or Internet access.

This is a band-aid at best.  Even if you resolve the DHCP issue, you still have to contend with the users who put a static IP on their device.  Ultimately, you'll need senior management to back you, and institute a corporate policy prohibiting users from connecting personal devices to the corporate network.  Then give the corporate policy teeth.  You'll only have to make an example out of one person before people take the policy seriously.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40341454
0
 
LVL 19

Expert Comment

by:Kash
ID: 40341679
follow this article >>> http://social.technet.microsoft.com/Forums/en-US/6a4479cd-5567-4a48-b936-251149ae034f/mac-address-filtering-with-windows-server-2008-r2?forum=winserverNAP


The reason being you listed Windows 2008 as the server, so I presume it is doing the DHCP.
Let me know if otherwise and let us know the name of the router and I will dig the detailed instructions for that.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 40343712
A simple solution:
Use a DHCP server and allow only reservations, no dynamic IP assignment.
Each new device would need to have its MAC address registered in the reservation pool before it can get an IP address from DHCP.
No need to purchase anything new, simple management...
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40344065
Thank you all for your suggestions, I think simple MAC address filtering is the way to go here for my known devices. But what I need to do is set up a scope that allows those plug and play devices to continue to get out to the Internet (not to the network).  Any ideas here?  Do I set up a new scope?
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 40344339
You need a "guest network". If on WiFi, that's easier, provided that your WiFi router/Access point has the "guest network" feature...
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40344441
I already have a guest network on wi-fi.  No, this is for physical Ethernet connections.
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40349476
I think MAC address filtering is the answer here.  I will raise a new question regarding a "guest" DHCP scope.
0
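
One way to roll out the MAC address filtering settled on in this thread, as an added example that is not from any poster: it assumes a DHCP server where the `DhcpServer` PowerShell module is available (Windows Server 2012 or later), and the scope ID and the `approved-devices.csv` inventory (columns `MacAddress`, `Owner`) are hypothetical placeholders. It reports which current leases would be cut off, and only with `-Enforce` seeds the allow list before switching it on, because enabling an empty allow list stops every client from getting a lease.

```powershell
#Requires -Modules DhcpServer
# Added example. Scope ID and inventory file are assumed placeholders.
param(
    [string]$ScopeId      = '192.168.1.0',             # assumed scope
    [string]$InventoryCsv = '.\approved-devices.csv',  # hypothetical CSV: MacAddress,Owner
    [switch]$Enforce                                   # without it, report only
)

# Normalise aa:bb:cc:dd:ee:ff / aabb.ccdd.eeff / AA-BB-... to AA-BB-CC-DD-EE-FF.
function ConvertTo-DashedMac([string]$Mac) {
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { return $null }           # wildcard or non-MAC client ID
    ($hex -split '(..)' | Where-Object { $_ }) -join '-'
}

# Load the approved inventory, skipping malformed rows instead of allow-listing them.
$approved = @{}
foreach ($row in Import-Csv -Path $InventoryCsv) {
    $mac = ConvertTo-DashedMac $row.MacAddress
    if ($mac) { $approved[$mac] = $row.Owner }
    else      { Write-Warning "Skipping malformed MAC '$($row.MacAddress)'" }
}

# Current leases whose client ID is not in the inventory: these lose DHCP once enforced.
$unknown = @(foreach ($lease in Get-DhcpServerv4Lease -ScopeId $ScopeId) {
    $mac = ConvertTo-DashedMac $lease.ClientId
    if (-not $mac -or -not $approved.ContainsKey($mac)) { $lease }
})
$unknown | Select-Object IPAddress, ClientId, HostName, AddressState | Format-Table -AutoSize

if (-not $Enforce) {
    Write-Host "$($unknown.Count) leased device(s) not in inventory. Re-run with -Enforce to apply."
    return
}
if ($approved.Count -eq 0) { throw 'Inventory is empty; refusing to enable an empty allow list.' }

# Seed the allow list first, then switch it on, so approved clients never lose service.
$existing = @(Get-DhcpServerv4Filter -List Allow | ForEach-Object { ConvertTo-DashedMac $_.MacAddress })
foreach ($mac in $approved.Keys) {
    if ($existing -notcontains $mac) {
        Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description $approved[$mac]
    }
}
Set-DhcpServerv4FilterList -Allow $true
```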
