Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.
Well of course.
Which is basically the same as never doing it
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
I was being fececious, but thanks for the consideration. I really do appreciate it.
-
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
It's not that your solution wouldn't work it's that it wouldn't meet the requirements of the audit.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@nerdydad said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
If it wasn't to use static, it doesn't meet his requirements. You suggested another DHCP option, which would violate what he's been required to do (which is to remove DHCP.)
I was being fececious, but thanks for the consideration. I really do appreciate it.
We DID take the time to look at it
-
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
If your internal IT isn't that push back, you shouldn't have an auditor.
Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
If your internal IT isn't that push back, you shouldn't have an auditor.
Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.
In that case - they would likely claim that they didn't have IT then.. and that the first auditor is their IT.
Their big projects were always handled by ITSPs, not internal resources.. so in this case, they just had another ITSP like (the first auditor) acting as IT. -
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I had a friend who worked at a publicly traded company. Because of Sarbanes Oxley they had to do their own audits and submit them to the board or whoever they submit to so the shareholders could know the company was "doing thing right."
They hired two companies to do audits, they hired Deloitte to do the first audit, and both sides would work on the audit until it was a place they both mutually agreed was good for the company/the shareholders, etc. Then they would hire some smaller audit company (Acme) to do the official audit. If Acme provided any failure points, my friend's company and Deloitte would consider it and push back if needed - my friend's company used the power of Deloitte to keep the official audit in line.
I'm not saying this is a great situation - but it's basically about finding a defender for your side to make sure the auditor isn't trying to screw you.
If your internal IT isn't that push back, you shouldn't have an auditor.
Having an auditor to check on your IT is one thing, but needing to audit your auditor means you have a bigger problem.
In that case - they would likely claim that they didn't have IT then.. and that the first auditor is their IT.
Their big projects were always handled by ITSPs, not internal resources.. so in this case, they just had another ITSP like (the first auditor) acting as IT.Could be.
-
-
Wtf how are there 132 posts? Just noticed. I can't read all those...
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
It's been a busy morning here.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.
I think that about sums it up.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.
I think that about sums it up.
Yes, good job.
snorts ghost pepper
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
If that's all you need to worry about, you can either use IPAM with DHCP filtering, or you can use IPSEC.
-
Becuase, if you get into that stuff without IPAM, it becomes harder to manage and to see what's what. Not sure of your network size, but assuming it's not 10 computers.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
You can't. DHCP just doesn't work that way.
For security while using DHCP, NAC is solution ( as you already found the settings in DHCP and the use of Network Access Protection).
Of course, this will still fail the - I plugged my laptop in and got an IP address test that the auditor is using for that checkbox (that's the wrong test to use for that checkbox by the way). -
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
There totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
-
Of the three options. One should be ruled out immediately because it meets neither your personal goals (security) or the company's political goals (satisfying the audit)... and that's the one in the OP.... locking down DHCP meets no goals at all. It won't secure the environment nor will it satisfy the audit. That is the one that makes no logical sense for you to be considering at all. It serves no purpose.
The other two options.... actually securing the environment and telling the auditor (and your boss) to screw off; or just going static and doing what the auditor and your boss have demanded that you do, both have their own merits.