Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
- 
 @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): Wtf how are there 132 posts? Just noticed. I can't read all those... Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address. But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do you restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
 They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is; that's why I dug into your work situation to help find out what the goal is. I didn't read all the posts, but if this is the case, then IPSEC on all network communications would be a great start. Sort of. But what we REALLY determined is that he has one, and only one, solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do. That makes sense. I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request. And that is what the basis of this topic is. The audit question reads along the lines of "If I connect my laptop to an ethernet port, will I get an IP address? If Yes, fail, If No, Pass." Lol. That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)." It's actually worse than that.
- 
 When determining the goals and what direction to go here, I think that this recent video is highly relevant. 
- 
 @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)." But that is exactly what is taking place here. There is no specification (at least with this question on the audit) about security. Just simply "are you using dhcp, if yes, fail. If no, pass"
- 
 @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] There is no specification (at least with this question on the audit) about security. Just simply "are you using dhcp, if yes, fail. If no, pass" Exactly. Nothing about security or anything. Just a requirement to be static for its own reasons.
- 
 @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): When determining the goals and what direction to go here, I think that this recent video is highly relevant. That's a good one, I listened to it a few days ago. 
- 
 So did AJ  
- 
 If you have a Fortinet router, or can do this at the network device level or on the firewall, you can give specific IPs the DNS service/port 53 and keep DHCP; this way you can only give DNS to the IPs you want. But the above is all speculation and a big waste of time; better to try to convince your boss or get another job. Why I needed this: we have a special network rule on the firewall called emergency mode, and basically it only gives the HTTPS port to one specific internal site and removes DNS. This is so all users can access one important site to complete their work in case we got hit with a very bad virus that can interact with the machines if they have internet.
- 
 @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] The demand for static IPs is from the auditor and his boss. That's the task he's required to do. Not really. This is what was stated: I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company: Static IP Address Assignment
 Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned IP addresses and other required network information.
 Standards Mapping:
 Control Type: (Project)
 NIST Cybersecurity Framework: PR.AC-4
 NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
 Control Class: Technical
 Suggested practices are not directives. @dave247 are you able to release who this company is? AC-02 is account management and really has nothing to do with this. AC-03 is more related but more just about ACLs. IA-02 is again related to accounts and not that applicable. They do not reference IA-03, which is really the most applicable control for this. IA-03 is "Device Identification and Authentication". Here's the supplemental guidance for IA-03: Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. IA-04 is possibly related but again more for accounts: Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4.
 This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. None of these controls mention static addressing. The only time the word static is even present is "static accounts", which is referring to pre-registered user accounts. Sincerely,
 Someone who fights daily with compliance morons.
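The IA-03 text above draws the line between identifying a device by "shared known information" (a MAC or IP address) and actually authenticating it (802.1X/EAP). The DHCP-side restriction the thread keeps circling back to is the first kind. The script below is an added example, not something posted in this thread or shipped by Microsoft; it uses the DhcpServer PowerShell module that comes with the Windows Server DHCP role (Add-DhcpServerv4Filter, Set-DhcpServerv4FilterList, Get-DhcpServerv4Lease), and the server name, scope and MAC addresses in it are constructed placeholders. It loads a MAC allow list, switches the server to allow-list mode, and then reports any active lease that is not on the list, which is the check an auditor's "plug a laptop in" test would otherwise surface.

```powershell
# Added example (not from the thread): MAC allow list on a Windows DHCP server.
# Assumes the DhcpServer module (Windows Server 2012+ DHCP role) and rights to
# administer the server. Server name, scope and MACs below are placeholders.
#Requires -Modules DhcpServer

$DhcpServer = 'dhcp01.corp.example'   # placeholder DHCP server name
$ScopeId    = '10.20.0.0'             # placeholder IPv4 scope

# Constructed inventory of company-owned NICs. In practice this comes from the
# asset database or AD computer objects, not a hand-typed list.
$CompanyMacs = @(
    '00-15-5D-01-AA-01',
    '00-15-5D-01-AA-02',
    '00-15-5D-01-AA-03'
)

# 1. Populate the allow list. Add-DhcpServerv4Filter errors on a duplicate
#    entry, so skip MACs that are already present.
$existing = (Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow).MacAddress
foreach ($mac in $CompanyMacs) {
    if ($existing -notcontains $mac) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow `
            -MacAddress $mac -Description 'Company-managed workstation'
    }
}

# 2. Enable allow-list mode. The server now answers DISCOVER/REQUEST only from
#    MACs on the list; other clients get no offer at all.
Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true

# 3. Check: an active lease whose client MAC is not on the list was handed out
#    before the filter went on, or the inventory is incomplete. Either way it
#    is the thing to look at before the next audit walk-through.
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' -and $_.ClientId -notin $CompanyMacs } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

Read the result the way the thread does: the filter only decides who receives a lease. A host that configures its own address never asks the DHCP server anything, so this satisfies the literal "will I get an IP address?" question without adding the device authentication IA-03 actually describes; that is what 802.1X on the switch ports provides, and the allow list is at best an inventory aid next to it.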
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] Suggested practices are not directives. They are when they ding you on an audit for it and you are required to pass the audit. That makes it a requirement regardless of how it is written.
- 
 @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] They are when they ding you on an audit for it and you are required to pass the audit. That makes it a requirement regardless of how it is written. Because this was the concern: One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again. The concern was not that everything wasn't static. That was suggested and the boss (most likely out of fear from the auditors) just went along with it. The requirement is not static and they could not legally fail because everything isn't static.
- 
 @stacksofplates based on the quoted question, anytime a random person can plug into an open jack and connect to the network, it's an immediate failure. 
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): could not legally fail because everything isn't static Let me rephrase, since anything can happen. They would have a huge ground to stand on since that is not a requirement mentioned anywhere from NIST. 
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): could not legally fail because everything isn't static Let me rephrase, since anything can happen. They would have a huge ground to stand on since that is not a requirement mentioned anywhere from NIST. How does NIST actually play into this, though? Sure they were mentioned, but doing things to NIST standards was not stated (to us) as any kind of requirement. 
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] The requirement is not static and they could not legally fail because everything isn't static. What does "legally fail" mean here? The boss and the auditor stated that their goals were static. Dave is free to argue that that's crazy, but he has to do so. As it stands, both parties to which he has to answer currently have stated clearly that they want static addresses not some result that results from that.
- 
 @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): [...] As it stands, both parties to which he has to answer currently have stated clearly that they want static addresses not some result that results from that. They are legally required to do these audits. Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark. We have the same type of audits and are legally required to do so. The auditors did not state that. It was a suggested practice. That in no way means that's what the auditors are requiring.
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): They are legally required to do these audits. How did you arrive at that?
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): The auditors did not state that. It was a suggested practice. That in no way means that's what the auditors are requiring. You are working from information that the rest of us do not have. We only know that he was audited and that they agreed with his boss that static was what they wanted. Anything about legal requirements, legally needing to meet some standard, etc. is all information we are not privy to. If he is required to pass this part of the audit, then "suggested" means required, no matter how you look at it. To pass he has to meet the suggestion.
- 
 @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): You are working from information that the rest of us do not have. We only know that he was audited and that they agreed with his boss that static was what they wanted. Anything about legal requirements, legally needing to meet some standard, etc. is all information we are not privy to. If he is required to pass this part of the audit, then "suggested" means required, no matter how you look at it. To pass he has to meet the suggestion. Bah I had a whole thing written out and lost it somehow.
 They are at least required legally to have a SOX audit (even we are). Any outside auditors are going to be using NIST (which is why those controls were referenced). Suggested does not mean that in any way. Even in our DoD audits from DSS that's not true and those are directly from the government themselves.
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): Bah I had a whole thing written out and lost it somehow. They are at least required legally to have a SOX audit (even we are). Any outside auditors are going to be using NIST (which is why those controls were referenced). Suggested does not mean that in any way. Even in our DoD audits from DSS that's not true and those are directly from the government themselves. I've worked in SOX environments (which we do not know that this is, and have no reason to believe that it is, it's extremely unlikely) and we didn't have to have this kind of audit. SOX does require audits, but not this kind. The issue here is that he's required to pass the audit, has nothing to do with SOX. You are adding outside information which is possible but neither likely nor stated, and changing the requirements because of that. The issue here is that he's supposed to follow this suggestion. That's it, over and done. What legal, SOX, or wording says isn't relevant. If you are required to do what I suggest, and I suggest you have toast for breakfast, that makes you required to have toast for breakfast even if I only suggested it.
- 
 @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP): Suggested does not mean that in any way. You keep skipping the "requirement" portion coming from his own company. So suggested sure does mean that. 