Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

In any case, you'll be touching every device.

Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..

Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.

Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.

Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."

yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus

That's not what static means in IT in any way. You can state that all that you want, but to the end device it is dynamic, not statically set. You'd fail any audit and if you got caught, this would be easily a reason to fire you for intentional insubordination. You cannot make the claim that anything using DHCP is "static". DHCP is the replacement for static, not another static option.

I understand why you want to present it this way, but it IT this isn't an option. You cannot call it that. You are misunderstanding the use of the term static here.

In networking...

"Static IPs" means permanent IPs set on the client device that cannot be modified externally through protocols like BOOTP or DHCP.

If BOOTP or DHCP is involved, it's not static, it's that simple.

NerdyDad

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

Dashrender

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

In any case, you'll be touching every device.

Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..

Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.

Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.

Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."

yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus

DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.

But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"

LOL - yeah, you would only not get an IP if all IPs in the pool are already assigned either dynamically or statically(via MAC) to a device.

stacksofplates

How do you build more than 10-20 systems without PXE? I think I’d just have to walk away.

Dashrender

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.

Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.

Well of course.

scottalanmiller

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.

Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.

http://www.smbitjournal.com/2013/02/the-smallest-it-department/

scottalanmiller

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.

Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.

Well of course.

Which is basically the same as never doing it

coliver

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.

scottalanmiller

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)

NerdyDad

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)

I was being fececious, but thanks for the consideration. I really do appreciate it.

scottalanmiller

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,

If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)

I was being fececious, but thanks for the consideration. I really do appreciate it.

We DID take the time to look at it

Dashrender

I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."

They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.

I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.

scottalanmiller

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."

They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.

I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.

If your internal IT isn't that push back, you shouldn't have an auditor.

Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.

Dashrender

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."

They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.

I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.

If your internal IT isn't that push back, you shouldn't have an auditor.

Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.

In that case - they would likely claim that they didn't have IT then.. and that the first auditor is their IT.
Their big projects were always handled by ITSPs, not internal resources.. so in this case, they just had another ITSP like (the first auditor) acting as IT.

scottalanmiller

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."

They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.

I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.

If your internal IT isn't that push back, you shouldn't have an auditor.

Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.

In that case - they would likely claim that they didn't have IT then.. and that the first auditor is their IT.
Their big projects were always handled by ITSPs, not internal resources.. so in this case, they just had another ITSP like (the first auditor) acting as IT.

Could be.

Obsolesce

@dave247

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&cad=rja&uact=8&ved=0ahUKEwiDhoGsmJ7YAhWmxlQKHWFpC_kQFghoMA0&url=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fhh831353(v%3Dws.11).aspx&usg=AOvVaw3rsKaJYlb3Bg-lBqlfWNPj

DHCP filtering lots of ways.

Obsolesce

Wtf how are there 132 posts? Just noticed. I can't read all those...

DustinB3403

@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Wtf how are there 132 posts? Just noticed. I can't read all those...

It's been a busy morning here.

Dashrender

@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Wtf how are there 132 posts? Just noticed. I can't read all those...

Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.

I think that about sums it up.

dave247

@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Wtf how are there 132 posts? Just noticed. I can't read all those...

Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.