Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
And my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure. Way too many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding was that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: Technical
Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?
That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.
Cool. Maybe propose a security solution, but point out that none was needed for the audit. Look at it (present it as) going "above and beyond".
-
Great suggestion. Get the boss to define the goal. Love it.
-
Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leeway, assuming he can convince the boss of the OP's opinions.
It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...
Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.
Yes, no decision has been made yet. Boss doesn't know much about IT and so if I can't convince him of a better solution, then I have to implement static addresses.
squeezes lemon juice in own eyes
We need a training video on why DHCP is for management. The whole purpose of DHCP was to make things easier than doing static, which is what we always used to have to do.
-
Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure. Way too many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding is that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: Technical
Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?
That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.
Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.
Good bloody point. I will have to pry it out of the ether ASAP. Thanks.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
And my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure. Way too many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding is that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: Technical
Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?
That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.
Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.
Good bloody point. I will have to pry it out of the ether ASAP. Thanks.
Yeah, two things really "needed". The "what will fulfill the checkbox" and the "what does the boss want". The answer might be the same thing, or different.
-
Can we get a photo of the checklist with your info scratched out?
That way we have what you have to go off of, and no more assumptions need to be made.
We need the complete context to give accurate recommendations.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Can we get a photo of the checklist with your info scratched out?
That way we have what you have to go off of, and no more assumptions need to be made.
We need the complete context to give accurate recommendations.
I will have to get it from my boss. My boss only verbally told me about this and then sent me a snippet of the suggested solution which I transcribed and posted here.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Can we get a photo of the checklist with your info scratched out?
That way we have what you have to go off of, and no more assumptions need to be made.
We need the complete context to give accurate recommendations.
I will have to get it from my boss. My boss only verbally told me about this and then sent me a snippet of the suggested solution which I transcribed and posted here.
I see.
But we can't really use that.
We need to see the actual requirement, and for all we know that is just one of many possible recommendations for complying with some unknown requirements.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Can we get a photo of the checklist with your info scratched out?
That way we have what you have to go off of, and no more assumptions need to be made.
We need the complete context to give accurate recommendations.
I will have to get it from my boss. My boss only verbally told me about this and then sent me a snippet of the suggested solution which I transcribed and posted here.
I see.
But we can't really use that.
We need to see the actual requirement, and for all we know that is just one of many possible recommendations for complying with some unknown requirements.
Right. I just provided that because that's what my boss provided me as it related to the auditors in that it is one of the solutions they provide on the matter -- a solution which I had completely undone when I had enough of dealing with static IPs and rolled out DHCP again.