Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
I was being fececious, but thanks for the consideration. I really do appreciate it.
We DID take the time to look at it
-
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
If your internal IT isn't that push back, you shouldn't have an auditor.
Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
If your internal IT isn't that push back, you shouldn't have an auditor.
Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.
In that case - they would likely claim that they didn't have IT then.. and that the first auditor is their IT.
Their big projects were always handled by ITSPs, not internal resources.. so in this case, they just had another ITSP like (the first auditor) acting as IT. -
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
If your internal IT isn't that push back, you shouldn't have an auditor.
Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.
In that case - they would likely claim that they didn't have IT then.. and that the first auditor is their IT.
Their big projects were always handled by ITSPs, not internal resources.. so in this case, they just had another ITSP like (the first auditor) acting as IT.Could be.
-
-
Wtf how are there 132 posts? Just noticed. I can't read all those...
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
It's been a busy morning here.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.
I think that about sums it up.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.
I think that about sums it up.
Yes, good job.
snorts ghost pepper
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
If that's all you need to worry about, you can either use IPAM with DHCP filtering, or you can use IPSEC.
-
Becuase, if you get into that stuff without IPAM, it becomes harder to manage and to see what's what. Not sure of your network size, but assuming it's not 10 computers.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
You can't. DHCP just doesn't work that way.
For security while using DHCP, NAC is solution ( as you already found the settings in DHCP and the use of Network Access Protection).
Of course, this will still fail the - I plugged my laptop in and got an IP address test that the auditor is using for that checkbox (that's the wrong test to use for that checkbox by the way). -
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
There totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
-
Of the three options. One should be ruled out immediately because it meets neither your personal goals (security) or the company's political goals (satisfying the audit)... and that's the one in the OP.... locking down DHCP meets no goals at all. It won't secure the environment nor will it satisfy the audit. That is the one that makes no logical sense for you to be considering at all. It serves no purpose.
The other two options.... actually securing the environment and telling the auditor (and your boss) to screw off; or just going static and doing what the auditor and your boss have demanded that you do, both have their own merits.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
There totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
I didn't read the all the posts, but if this is the case, then IPSEC all network communications would be a great start.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
There totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
I didn't read the all the posts, but if this is the case, then IPSEC all network communications would be a great start.
Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
There totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
I didn't read the all the posts, but if this is the case, then IPSEC all network communications would be a great start.
Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.
That makes sense.
I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
There totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
I didn't read the all the posts, but if this is the case, then IPSEC all network communications would be a great start.
Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.
That makes sense.
I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.
There's no logical reason. Boss and auditor just decided that they want them. That's all that there is to it. There is no business or technological reason. This is just about politics.