    Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

    IT Discussion
    214 Posts 11 Posters 32.4k Views
    • scottalanmiller @Obsolesce

      @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Wtf how are there 132 posts? Just noticed. I can't read all those...

      Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.

      But we figured out that that was not your goal. You keep going back and forth between three different things....

      1. How do you secure your network (never asked, but you stated was your goal.)
      2. How to restrict DHCP in the way stated here and in the OP.
      3. How to meet the requirements of the audit.

      They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is; that's why I dug into your work situation to help find out what the goal is.

      I didn't read all the posts, but if this is the case, then IPSEC on all network communications would be a great start.

      Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.

    • Obsolesce @scottalanmiller

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.

        That makes sense.

        I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.

    • scottalanmiller @Obsolesce

          @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

          That makes sense.

          I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.

          There's no logical reason. Boss and auditor just decided that they want them. That's all that there is to it. There is no business or technological reason. This is just about politics.

    • DustinB3403 @Obsolesce

            @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            That makes sense.

            I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.

            And that is what the basis of this topic is.

            The audit question reads along the lines of "If I connect my laptop to an ethernet port, will I get an IP address? If Yes, fail. If No, pass."

    • Obsolesce @DustinB3403

              @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

              And that is what the basis of this topic is.

              The audit question reads along the lines of "If I connect my laptop to an ethernet port, will I get an IP address? If Yes, fail. If No, pass."

              Lol.

              That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)."

    • scottalanmiller @DustinB3403

                @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                And that is what the basis of this topic is.

                The audit question reads along the lines of "If I connect my laptop to an ethernet port, will I get an IP address? If Yes, fail. If No, pass."

                But their stated goal is more than that. Only reading what you put will lead us to bad ideas, like the original question stated. Once the actual quote from the auditor was provided, it was MUCH more clear... static was the only option.

    • scottalanmiller @Obsolesce

                  @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  Lol.

                  That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)."

                  It's actually worse than that.

    • scottalanmiller

                    When determining the goals and what direction to go here, I think that this recent video is highly relevant.

                    Youtube Video

    • DustinB3403 @Obsolesce

                      @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      Lol.

                      That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)."

                      But that is exactly what is taking place here. There is no specification (at least with this question on the audit) about security.

                      Just simply "are you using dhcp, if yes, fail. If no, pass"

    • scottalanmiller @DustinB3403

                        @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        But that is exactly what is taking place here. There is no specification (at least with this question on the audit) about security.

                        Just simply "are you using dhcp, if yes, fail. If no, pass"

                        Exactly. Nothing about security or anything. Just a requirement to be static for its own reasons.

    • Obsolesce @scottalanmiller

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          When determining the goals and what direction to go here, I think that this recent video is highly relevant.

                          Youtube Video

                          That's a good one, I listened to it a few days ago.

    • scottalanmiller

                            So did AJ 🙂

    • Emad R (last edited by Emad R)

                              If you have fortinet router, or can do this from network device level or firewall, you can give specific IPs the DNS service /port 53 and keep the DHCP this way you can only give the IPs you want DNS

                              But the above is all speculation and big waste of time, better try to convince your boss or get another job.

                              Why I needed this: we have a special network rule on the firewall called emergency mode, and basically it only gives the HTTPS port to one specific internal site and removes DNS. This is so all users can access one important site to complete the work in case we got hit with a very bad virus that can interact with the machines if they have internet.

                              1 Reply Last reply Reply Quote 0
                              • stacksofplatesS
                                stacksofplates @scottalanmiller
                                last edited by stacksofplates

                                @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                Wtf how are there 132 posts? Just noticed. I can't read all those...

                                Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.

                                But we figured out that that was not your goal. You keep going back and forth between three different things....

                                1. How do you secure your network (never asked, but you stated was your goal.)
                                2. How do you restrict DHCP in the way stated here and in the OP.
                                3. How to meet the requirements of the audit.

                                They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.

                                I didn't read all the posts, but if this is the case, then IPsec for all network communications would be a great start.

                                Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.

                                Not really. This is what was stated:

                                I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                                Static IP Address Assignment
                                Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                                Standards Mapping:
                                Control Type: (Project)
                                NIST Cybersecurity Framework: PR.AC-4
                                NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                                Control Class: Technical

                                Suggested practices are not directives.

                                @dave247 are you able to release who this company is? AC-02 is account management and really has nothing to do with this. AC-03 is more related but more just about ACLs. IA-02 is again related to accounts and not that applicable. They do not reference IA-03 which is really the most applicable control for this. IA-03 is "Device Identification and Authentication". Here's the supplemental guidance for IA-03:

                                Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.

                                IA-04 is possibly related but again more for accounts:

                                Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

                                None of these controls mention static addressing. The only time the word static is even present is "static accounts" which is referring to pre-registered user accounts.

                                Sincerely,
                                Someone who fights daily with compliance morons.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
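The audit question quoted at the top of this page (does a stranger's laptop get an address when it is plugged in?) and the IA-03 text quoted just above, which lists MAC addresses as "shared known information" used for device identification, both come down to one operational check: which leases did the DHCP server actually hand out, and to whom. The Python script below is an added example, not code from any poster in this thread. It reads lines in the comma-separated layout of the Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...), keeps only the Assign and Renew events (IDs 10 and 11), and reports every lease whose client MAC is not in a device inventory. The inventory and the log lines are constructed sample data, not a real capture. As the IA-03 text itself implies, a MAC is an identifier rather than an authenticator, so this is a detection and evidence aid for the audit, not a replacement for port authentication (802.1X) on the switch.

```python
"""Report DHCP leases handed to devices that are not in the corporate inventory.

Parses lines in the layout of the Windows DHCP server audit log
(DhcpSrvLog-<Day>.log). Only the first seven columns are used:
ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
Event ID 10 is a new lease ("Assign"), 11 a renewal ("Renew").
"""
import csv
from dataclasses import dataclass
from typing import Iterable, List, Set

# Event IDs that mean the server actually handed out an address.
LEASE_EVENTS = {"10", "11"}

# Constructed inventory of known corporate NICs (sample data, not real devices).
KNOWN_MACS: Set[str] = {
    "001A2B3C4D5E",
    "001A2B3C4D5F",
}

# Constructed sample log lines in the audit-log layout (not a real capture).
# The first line mimics the column header the server writes; the "00" and "24"
# rows are server events with no client, and must be ignored.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult
00,03/05/18,00:00:01,Started,,,,,0,6,,,,,,,,,
10,03/05/18,08:02:11,Assign,10.10.20.51,WS-FIN-01.corp.example,001A2B3C4D5E,,1001,0,,,,,,,,,
11,03/05/18,08:05:43,Renew,10.10.20.52,WS-FIN-02.corp.example,001A2B3C4D5F,,1002,0,,,,,,,,,
10,03/05/18,12:17:09,Assign,10.10.20.77,unknown-laptop,A4B5C6D7E8F9,,1003,0,,,,,,,,,
24,03/05/18,13:00:00,Database Cleanup Begin,,,,,0,6,,,,,,,,,
"""


@dataclass(frozen=True)
class Lease:
    event_id: str
    when: str
    ip: str
    host: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Canonical form: upper-case hex with no separators, as the audit log writes it.

    Accepts inventory entries written as aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF.
    """
    return "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")


def parse_leases(lines: Iterable[str]) -> List[Lease]:
    """Extract Assign/Renew events; skip the header, server events and DNS rows."""
    leases: List[Lease] = []
    for row in csv.reader(lines):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue
        leases.append(
            Lease(
                event_id=row[0],
                when=f"{row[1]} {row[2]}",
                ip=row[4],
                host=row[5],
                mac=normalize_mac(row[6]),
            )
        )
    return leases


def unknown_devices(leases: Iterable[Lease], known: Iterable[str] = KNOWN_MACS) -> List[Lease]:
    """Leases whose client MAC is absent from the inventory."""
    known_set = {normalize_mac(m) for m in known}
    return [lease for lease in leases if lease.mac not in known_set]


def report(log_text: str = SAMPLE_LOG) -> List[Lease]:
    """Full pipeline over one log file's text: parse, then filter to unknown clients."""
    return unknown_devices(parse_leases(log_text.splitlines()))


if __name__ == "__main__":
    for lease in report():
        print(f"{lease.when} lease {lease.ip} -> {lease.host} (MAC {lease.mac}) not in inventory")
```

Point `report()` at the text of the day's DhcpSrvLog file on the DHCP server; the leases it returns are the concrete "plugged in and got an address" events the audit question is asking about, which is more useful evidence than a yes/no answer about whether DHCP is enabled.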
                                • scottalanmillerS
                                  scottalanmiller @stacksofplates
                                  last edited by

                                  @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  Wtf how are there 132 posts? Just noticed. I can't read all those...

                                  Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.

                                  But we figured out that that was not your goal. You keep going back and forth between three different things....

                                  1. How do you secure your network (never asked, but you stated was your goal.)
                                  2. How do you restrict DHCP in the way stated here and in the OP.
                                  3. How to meet the requirements of the audit.

                                  They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.

                                  I didn't read all the posts, but if this is the case, then IPsec for all network communications would be a great start.

                                  Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.

                                  Not really. This is what was stated:

                                  I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                                  Static IP Address Assignment
                                  Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                                  Standards Mapping:
                                  Control Type: (Project)
                                  NIST Cybersecurity Framework: PR.AC-4
                                  NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                                  Control Class: Technical

                                  Suggested practices are not directives.

                                  They are when they ding you on an audit for it and you are required to pass the audit. That makes it a requirement regardless of how it is written.

                                  stacksofplatesS 1 Reply Last reply Reply Quote 0
                                  • stacksofplatesS
                                    stacksofplates @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    Wtf how are there 132 posts? Just noticed. I can't read all those...

                                    Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.

                                    But we figured out that that was not your goal. You keep going back and forth between three different things....

                                    1. How do you secure your network (never asked, but you stated was your goal.)
                                    2. How do you restrict DHCP in the way stated here and in the OP.
                                    3. How to meet the requirements of the audit.

                                    They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.

                                    I didn't read all the posts, but if this is the case, then IPsec for all network communications would be a great start.

                                    Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.

                                    Not really. This is what was stated:

                                    I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                                    Static IP Address Assignment
                                    Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                                    Standards Mapping:
                                    Control Type: (Project)
                                    NIST Cybersecurity Framework: PR.AC-4
                                    NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                                    Control Class: Technical

                                    Suggested practices are not directives.

                                    They are when they ding you on an audit for it and you are required to pass the audit. That makes it a requirement regardless of how it is written.

                                    Because this was the concern:

                                    One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.

                                    The concern was not that everything wasn't static. That was suggested and the boss (most likely out of fear from the auditors) just went along with it. The requirement is not static and they could not legally fail because everything isn't static.

                                    DustinB3403D stacksofplatesS scottalanmillerS 3 Replies Last reply Reply Quote 0
                                    • DustinB3403D
                                      DustinB3403 @stacksofplates
                                      last edited by

                                      @stacksofplates based on the quoted question, anytime a random person can plug into an open jack and connect to the network, it's an immediate failure.

                                      1 Reply Last reply Reply Quote 0
                                      • stacksofplatesS
                                        stacksofplates @stacksofplates
                                        last edited by

                                        @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        could not legally fail because everything isn't static

                                        Let me rephrase, since anything can happen.

                                        They would have a huge ground to stand on since that is not a requirement mentioned anywhere from NIST.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 1
                                        • scottalanmillerS
                                          scottalanmiller @stacksofplates
                                          last edited by

                                          @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          could not legally fail because everything isn't static

                                          Let me rephrase, since anything can happen.

                                          They would have a huge ground to stand on since that is not a requirement mentioned anywhere from NIST.

                                          How does NIST actually play into this, though? Sure they were mentioned, but doing things to NIST standards was not stated (to us) as any kind of requirement.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @stacksofplates
                                            last edited by

                                            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            Wtf how are there 132 posts? Just noticed. I can't read all those...

                                            Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.

                                            But we figured out that that was not your goal. You keep going back and forth between three different things....

                                            1. How do you secure your network (never asked, but you stated was your goal.)
                                            2. How do you restrict DHCP in the way stated here and in the OP.
                                            3. How to meet the requirements of the audit.

                                            They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.

                                            I didn't read all the posts, but if this is the case, then IPsec for all network communications would be a great start.

                                            Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.

                                            Not really. This is what was stated:

                                            I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                                            Static IP Address Assignment
                                            Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                                            Standards Mapping:
                                            Control Type: (Project)
                                            NIST Cybersecurity Framework: PR.AC-4
                                            NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                                            Control Class: Technical

                                            Suggested practices are not directives.

                                            They are when they ding you on an audit for it and you are required to pass the audit. That makes it a requirement regardless of how it is written.

                                            Because this was the concern:

                                            One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.

                                            The concern was not that everything wasn't static. That was suggested and the boss (most likely out of fear from the auditors) just went along with it. The requirement is not static and they could not legally fail because everything isn't static.

                                            What does "legally fail" mean here? The boss and the auditor stated that their goals were static. Dave is free to argue that that's crazy, but he has to do so. As it stands, both parties to which he has to answer currently have stated clearly that they want static addresses, not some result that results from that.

                                            stacksofplatesS 1 Reply Last reply Reply Quote 0