Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about."
Problem is, it matches what his boss claims, I think he said.
It matches exactly what his boss claims.
So back to my "it's all about politics" problem. Can't point out security problems because of politics.
Sure, but this doesn't imply that the boss is complicit, much more likely... they failed the audit in the past, they were told that static IPs allow the checkbox to be checked and nothing else. So the boss just continues to run with that info - it's no different than people building RAID5 systems 20 years ago because they were told that's what you do (not understanding the why), and they just kept on doing that.
The boss separately stated this, though.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.
But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
Yes yes yep mmhmm
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
Yes yes yep mmhmm
I was a one man shop not too long ago. Not worth the time and aggravation.
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.
But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"
Not if there is no pool set. If you just do reservations nothing outside of those will get an address
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
That's not what static means in IT in any way. You can state that all that you want, but to the end device it is dynamic, not statically set. You'd fail any audit and if you got caught, this would be easily a reason to fire you for intentional insubordination. You cannot make the claim that anything using DHCP is "static". DHCP is the replacement for static, not another static option.
I understand why you want to present it this way, but it IT this isn't an option. You cannot call it that. You are misunderstanding the use of the term static here.
In networking...
"Static IPs" means permanent IPs set on the client device that cannot be modified externally through protocols like BOOTP or DHCP.
If BOOTP or DHCP is involved, it's not static, it's that simple.
-
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.
But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"
LOL - yeah, you would only not get an IP if all IPs in the pool are already assigned either dynamically or statically(via MAC) to a device.
-
How do you build more than 10-20 systems without PXE? I think Iād just have to walk away.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.
Well of course.
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
http://www.smbitjournal.com/2013/02/the-smallest-it-department/
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.
Well of course.
Which is basically the same as never doing it
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
I was being fececious, but thanks for the consideration. I really do appreciate it.
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
I was being fececious, but thanks for the consideration. I really do appreciate it.
We DID take the time to look at it
-
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.