Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Suggested does not mean that in any way.
You keep skipping the "requirement" portion coming from his own company. So suggested sure does mean that.
Show where that was stated.
It's the entire purpose of the thread.... to satisfy this one part of the audit. The thread itself is that this is required.
Nope. Was never stated as a requirement. Only that the auditor suggested it and his boss just went along with what they said. He came here to get information on what to do.
I've not heard anything about the boss going along with anything. The boss wants it, I've not noticed anything about the boss wanting it because of the audit, not do I see how that matters. The auditor wants it, the boss wants it, the goal is to pass audit... what more do you need?
The boss obviously didn't care before the audit or it would have been that way. Then the audit happened. Now the boss is going along with the auditors suggestion.
This isn't good logic. We can't make that assumption, especially given that it WAS that way in the past.
I'm working from what is stated. You are working from loads of assumptions as to the source of the audit, the order of events, the legal requirements, etc. None of those are things that we know or can assume.
I really like you Scott, but I think this is part of the problem with how you post. Making loads of assumptions is just as bad as dishing out paragraphs and paragraphs based ONLY on what was stated, when it's clear that there are still plenty of unknown blanks that need to be filled in first. You should probably be asking for more information first before giving out so much firm advice. Otherwise, you get people like me, who look up to people like you online for guidance, running with what you've told me, only to hit a wall shortly down the road.
There have been many times where I am taking someone's advice where they've given what seems to be extremely good advice to go by, only to realize, wait a second, I didn't tell them about this factor, so maybe they would change what they said if they knew this. Part of my problem is that I may ask too many questions and go off of what I was told without thinking too much into it. I DO still try to carefully weigh the advice of my online peers as best I can.
That being said, I still strongly value your input, as well as many of the others on this forum.
I'm just trying to figure stuff out man.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I really like you Scott, but I think this is part of the problem with how you post. Making loads of assumptions is just as bad as dishing out paragraphs and paragraphs based ONLY on what was stated, when it's clear that there are still plenty of unknown blanks that need to be filled in first.
Yes, but, you specifically stated that you wanted advice based on what was stated and not to dig into more. We had to, but were trying to limit that as much as possible.
I don't agree that it's just as bad. It's not even comparable. Someone reading the answers, including you as the OP, know what was stated and know that the answers are for the question asked. If there is information help back, you know that the answer is to the question asked, not the one that could have been asked. But adding in implications that are never stated means answering a question that is neither asked and no reason to be assumed. One is correct, one is not. One is not misleading, one is. Totally different things.
If there is more, you should always provide it from the beginning or we must assume that there isn't more. Or else simply ignore you until we are confident that no more information might exist. That doesn't really work.
The one thing we can't do, is give advice based on something that isn't stated. We have to assume that what is stated is all that is relevant once there is nothing that is obviously needed additionally.
If you have more info, you should provide it in the OP or you set us up to have to work from what is stated. It's giving you the benefit of the doubt that you didn't hold something back and what we have is what you have.
It's fine to realize that there is more to provide as you go along. Just be aware that responses before that point are based on the question and info up to that point rather than clarifications given afterwards.
-
All that said... if there is anything additional that we've not been provided with, what are we missing? If we aren't supposed to have been answering yet, what were you expecting us to do all this time? You asked a question and stated you just wanted an answer, not digging in further. Now you are stating that you only wanted digging into, not an answer.
Do you see why this is a no win situation for the people posting? If we provide an answer without digging, we are wrong for answering without all the info. If we dig in, we are wrong for refusing to help and just trying to push to show where something is wrong or whatever.
And in the end, we can never know if everything relevant has been provided. At some point we just have to answer and hope for the best.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: Technical -
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee? -
Now, though, we have to ask.... if we don't know what is required but only know what the auditor suggests and the boss wants, that might tell us more than anything. Static IPs are the only known viable solution in this case, there is no way to know what else may or may not pass the audit.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
Yeah, it's basically the solution they point to for us in case we don't have a solution. It's still shit though.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
Yeah, it's basically the solution they point to for us in case we don't have a solution. It's still shit though.
Yeah, it's garbage. No question there. Without knowing more, there is really nothing you can do but go by this because you don't know what they are testing and what is required by either the auditor or internally.
It's up to you how much you want to fight the good fight, or just do what makes people happy. At the end of the day, the boss is the boss and there is very little for you personally in doing a great job in IT terms versus just placating him. Going static won't really hurt anything. Silly, no doubt. But of all places to make a stand, this probably isn't it.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leway, assuming he can convince the boss of the OP's opinions.
It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...
Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leway, assuming he can convince the boss of the OP's opinions.
It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...
Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.
Yes, no decision has been made yet. Boss doesn't know much about IT and so if I can't convince him of a better solution, then I have to implement static addresses.
squeezes lemon juice in own eyes
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP or static addresses have anything to do with network security.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP or static addresses have anything to do with network security.
Cool. Maybe propose a security solution, but point out that none was needed for the audit. Look at it (present it as) going "above and beyond".
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
Great suggestion. Get the boss to define the goal. Love it.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leway, assuming he can convince the boss of the OP's opinions.
It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...
Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.
Yes, no decision has been made yet. Boss doesn't know much about IT and so if I can't convince him of a better solution, then I have to implement static addresses.
squeezes lemon juice in own eyes
We need a training video on why DHCP is for management. The whole purpose of DHCP was to make things easier than doing static, which is what we always used to have to do.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP or static addresses have anything to do with network security.
Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.