ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

    Scheduled Pinned Locked Moved IT Discussion
    214 Posts 11 Posters 32.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller
      last edited by

      Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

      DustinB3403D 1 Reply Last reply Reply Quote 1
      • DustinB3403D
        DustinB3403 @scottalanmiller
        last edited by

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

        This is true, but it assumes that the know what the scope is, and what available IP addresses are there that can be used without being noticed.

        But still true.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @dave247
          last edited by

          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

          Please, let's keep this on topic as much as possible as I am really just trying to nail down the best solution.

          What is teh goal here? The question is about a task with no obvious purpose. Presumably, there is a goal that you want to achieve, what is that? That goal will define what is on or off topic. My guess is that the question itself is off topic to the goal.

          My guess is that the goal is security to keep random devices from getting on the network. If so, the question is already off topic.

          1 Reply Last reply Reply Quote 1
          • scottalanmillerS
            scottalanmiller @DustinB3403
            last edited by

            @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

            This is true, but it assumes that the know what the scope is, and what available IP addresses are there that can be used without being noticed.

            But still true.

            No, does not assume that.

            DustinB3403D 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @dave247
              last edited by

              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

              Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.

              Defining the goal is never a side track or a rabbit hole.

              1 Reply Last reply Reply Quote 0
              • DustinB3403D
                DustinB3403 @scottalanmiller
                last edited by

                @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

                This is true, but it assumes that the know what the scope is, and what available IP addresses are there that can be used without being noticed.

                But still true.

                No, does not assume that.

                Okay. . . it assumes whoever is wanting on the LAN either knows or can figure out the scope trivially.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @DustinB3403
                  last edited by

                  @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

                  This is true, but it assumes that the know what the scope is, and what available IP addresses are there that can be used without being noticed.

                  But still true.

                  No, does not assume that.

                  Okay. . . it assumes whoever is wanting on the LAN either knows or can figure out the scope trivially.

                  As that is a completely trivial task, it's a safe assumption.

                  1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    DHCP has no mechanisms for what is designed here because it'sa useless thing to do. It is what it is.

                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      The only answer that I can think of is....

                      use whitelisting and have no open DHCP and just pre-assign every DHCP lease. But logically, I think going to static would almost make more sense here.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        Purpose of DHCP: To allow unknown devices to connect to the network and get network data.
                        Question: How to make DHCP do the opposite of its purpose.

                        That's why this won't work well. It's trying to make DHCP do exactly the opposite of its intended purpose.

                        1 Reply Last reply Reply Quote 1
                        • travisdh1T
                          travisdh1 @dave247
                          last edited by

                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          Please, let's keep this on topic as much as possible as I am really just trying to nail down the best solution.

                          When I came into my job as IT admin, all our servers and workstations and thin clients were statically mapped, like manually, the hard way (no DHCP reservation). It's taken me a while but I rolled out DHCP for all our thin clients and desktops and everything is a lot easier to manage.

                          One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.

                          BEFORE YOU SAY IT: Yes, I know that either way is not actually secure and I've tried explaining that someone with Wireshark could still sniff our traffic or use other tools to get onto our network, etc.

                          I have mentioned that I specifically don't patch in network jacks unless they are needed by someone and that there are no open jacks just hanging out on random walls where customers have easy access.

                          So now, I am trying to find out the best way to set up DHCP and have it so that only the people I want on our network can get on.

                          First and foremost, we run a 2008 R2 domain controller and that is also our DHCP server. I noticed in the DHCP settings that there is a "Network Access Protection" tab, which would work with Network Policy Server. I would assume this is the go-to method for this in a Windows domain, but I have never heard about it until now.

                          Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.

                          Sounds like you just need to pay for an hour of @scottalanmiller's time to explain how computer networks work in small words to your company management.

                          1 Reply Last reply Reply Quote 3
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            If security was teh goal, NAC is what is needed.

                            coliverC dave247D 2 Replies Last reply Reply Quote 2
                            • coliverC
                              coliver @scottalanmiller
                              last edited by

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              If security was teh goal, NAC is what is needed.

                              There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                              But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                              dave247D 1 Reply Last reply Reply Quote 2
                              • dave247D
                                dave247 @DustinB3403
                                last edited by

                                @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                MAC address filtering would be one way, albeit I think it would be a lot of work to setup.

                                https://technet.microsoft.com/en-us/library/dd759190(v=ws.11).aspx

                                But what about Network Access Protection policies for DHCP?

                                1 Reply Last reply Reply Quote 0
                                • dave247D
                                  dave247 @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  If security was teh goal, NAC is what is needed.

                                  As in, on the switches or what? Sorry, please elaborate.

                                  DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
                                  • DustinB3403D
                                    DustinB3403 @dave247
                                    last edited by

                                    @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    If security was teh goal, NAC is what is needed.

                                    As in, on the switches or what? Sorry, please elaborate.

                                    NAC Network Access Control.

                                    1 Reply Last reply Reply Quote 0
                                    • JaredBuschJ
                                      JaredBusch
                                      last edited by

                                      Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

                                      When you start down this route, these are the issues you will encounter.

                                      NAC sounds like what you actually want.

                                      Disable DHCP totally get a NAC solution.

                                      dave247D 1 Reply Last reply Reply Quote 3
                                      • coliverC
                                        coliver
                                        last edited by coliver

                                        I'm surprised that @scottalanmiller hasn't posted his LAN-Less video yet.

                                        1 Reply Last reply Reply Quote 1
                                        • dave247D
                                          dave247 @coliver
                                          last edited by

                                          @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          If security was teh goal, NAC is what is needed.

                                          There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                                          But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                                          Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                                          And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

                                          coliverC JaredBuschJ scottalanmillerS 3 Replies Last reply Reply Quote 0
                                          • dave247D
                                            dave247 @JaredBusch
                                            last edited by

                                            @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

                                            When you start down this route, these are the issues you will encounter.

                                            NAC sounds like what you actually want.

                                            Disable DHCP totally get a NAC solution.

                                            A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

                                            coliverC 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 10
                                            • 11
                                            • 1 / 11
                                            • First post
                                              Last post