How do I stop DHCP giving out IP addresses to anything plugged into the network?

As a technology company which I am fairly new to, we seem to have a free-for-all attitude to plugging things into the network. I don't mind the hubs so much but three things I need to get on top of are virtual machines, mobile phones and self-purchased laptops. The latter is probably the one I need to resolve quickly. My problem is that anything plugged into our network will get an IP address and get access to certain resources - they have not been configured by me with anti-virus and computer accounts in AD, so my server screams at me with security failures which makes monitoring a nightmare. I think what I need to do is stop IP addresses being given to the devices above, but I am not sure how to do this.
Please advise.

Thanks
fuzzyfreak Asked:

Mark Galvin (Managing Director / Principal Consultant) Commented:
Hi

How big is the network? What is currently giving out DHCP addresses?

Thanks
Mark/
0
Kash (2nd Line Engineer) Commented:
Simple answer would be to disable DHCP and use static IP addresses; that way no new device will get an IP address.
0
Gabriel Clifton (Net Admin) Commented:
Or Cisco ISE
0
fuzzyfreak (Author) Commented:
Network is small, we have about forty users but approximately 200 IP addresses for various devices (desktops, laptops, wireless devices, hubs, switches, VMs, Servers)
It is Windows domain DHCP giving them out.
No way am I going to give out static IP addresses!
I would prefer to simply reconfigure what we already have.
0
Kash (2nd Line Engineer) Commented:
We use Kerio Control; it's not free but it's good.

Your other option would be to use MAC address filtering with strict bind.
0
fuzzyfreak (Author) Commented:
How do I use MAC address filtering?  Where is this option?
Any idea how much Kerio is?
0
Kash (2nd Line Engineer) Commented:
http://www.kerio.com/products/kerio-control

I will get you info on MAF later on.
0
Mark Galvin (Managing Director / Principal Consultant) Commented:
MAC Address Filtering - http://technet.microsoft.com/en-us/magazine/ff521761.aspx

Don't use static. Will cause chaos including IP conflicts. It will also allow a user that has the know-how to set their IP statically and then they have access.

You could also look at your network switches. If you set the access there (sorry - not a network engineer so can't advise) then only the devices you have given access to will be able to access the network.
0
TropicalBound Commented:
When you find an unauthorized device on your network, create a DHCP reservation with the device's MAC address. Under 'Configure Options', enter bogus DNS and router info. They'll still be on your network, but they won't have name resolution or Internet access.

This is a band-aid at best. Even if you resolve the DHCP issue, you still have to contend with the users who put a static IP on their device. Ultimately, you'll need senior management to back you, and institute a corporate policy prohibiting users from connecting personal devices to the corporate network. Then give the corporate policy teeth. You'll only have to make an example out of one person before people take the policy seriously.
0
fuzzyfreak (Author) Commented:
0
Kash (2nd Line Engineer) Commented:
Follow this article: http://social.technet.microsoft.com/Forums/en-US/6a4479cd-5567-4a48-b936-251149ae034f/mac-address-filtering-with-windows-server-2008-r2?forum=winserverNAP

The reason being you listed Windows 2008 as the server, so I presume it is doing the DHCP.
Let me know if otherwise and let us know the name of the router and I will dig up the detailed instructions for that.
0
vivigatt Commented:
A simple solution:
Use a DHCP server and allow only reservations, no dynamic IP assignment.
Each new device would need to have its MAC address registered in the reservation pool before it can get an IP address from DHCP.
No need to purchase anything new, simple management...
0
fuzzyfreak (Author) Commented:
Thank you all for your suggestions, I think simple MAC address filtering is the way to go here for my known devices. But what I need to do is set up a scope that allows those plug and play devices to continue to get out to the Internet (not to the network).  Any ideas here?  Do I set up a new scope?
0
vivigatt Commented:
You need a "guest network". If on WiFi, that's easier, provided that your WiFi router/Access point has the "guest network" feature...
0
fuzzyfreak (Author) Commented:
I already have a guest network on wi-fi.  No, this is for physical Ethernet connections.
0
fuzzyfreak (Author) Commented:
I think MAC address filtering is the answer here.  I will raise a new question regarding a "guest" DHCP scope.
0
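
An added example, not part of any post in this thread: before enforcing a MAC allow list or going reservations-only, it helps to see which current leases would be cut off and what kind of device each one is. The sketch below audits a lease export against an approved-MAC inventory and flags likely virtual machines (by well-known vendor OUI) and locally administered addresses (common on phones that randomize their MAC). The CSV column names, the sample leases and the inventory are constructed assumptions.

```python
import csv, io, re

# Well-known virtualisation OUIs (first three octets of the MAC).
VM_OUIS = {"000569": "VMware", "000C29": "VMware", "005056": "VMware",
           "00155D": "Hyper-V", "080027": "VirtualBox"}

def normalize_mac(raw):
    """Return 12 upper-case hex digits, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def classify(mac):
    """Hint at what kind of device an unapproved MAC belongs to."""
    if mac[:6] in VM_OUIS:
        return "virtual machine (" + VM_OUIS[mac[:6]] + ")"
    if int(mac[:2], 16) & 0x02:  # locally administered bit is set
        return "locally administered (randomized or manually set)"
    return "unknown hardware"

def audit_leases(lease_csv, approved):
    """Split leases into approved / unapproved / unparsed against the inventory."""
    allow = {normalize_mac(m) for m in approved} - {None}
    report = {"approved": [], "unapproved": [], "unparsed": []}
    for row in csv.DictReader(io.StringIO(lease_csv)):
        mac = normalize_mac(row["ClientId"])
        if mac is None:
            report["unparsed"].append(row["IPAddress"])
        elif mac in allow:
            report["approved"].append((row["IPAddress"], mac))
        else:
            report["unapproved"].append(
                (row["IPAddress"], mac, row["HostName"], classify(mac)))
    return report

# Constructed sample data (column names are an assumption, not a real export).
SAMPLE_LEASES = """IPAddress,ClientId,HostName
10.0.0.21,00-1b-23-de-db-61,DESK-014
10.0.0.57,00-0c-29-4a-10-9e,dev-test-vm
10.0.0.88,da-a1-19-33-7c-02,Pixel-7
10.0.0.93,3c-52-82-0f-aa-40,LAPTOP-HOME
10.0.0.99,not-a-mac,printer?
"""
SAMPLE_APPROVED = ["00:1B:23:DE:DB:61", "001b.23de.db62"]  # mixed notations

if __name__ == "__main__":
    result = audit_leases(SAMPLE_LEASES, SAMPLE_APPROVED)
    for ip, mac, host, hint in result["unapproved"]:
        print(f"{ip:12} {mac} {host:14} {hint}")
```

The audit only sees devices that asked DHCP for an address; a device configured with a static IP, as raised earlier in the thread, never appears in the lease list.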
Windows Server 2008