
    Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      dave247 @scottalanmiller

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Suggested does not mean that in any way.

      You keep skipping the "requirement" portion coming from his own company. So suggested sure does mean that.

      Show where that was stated.

      It's the entire purpose of the thread.... to satisfy this one part of the audit. The thread itself is that this is required.

      Nope. Was never stated as a requirement. Only that the auditor suggested it and his boss just went along with what they said. He came here to get information on what to do.

      I've not heard anything about the boss going along with anything. The boss wants it, I've not noticed anything about the boss wanting it because of the audit, nor do I see how that matters. The auditor wants it, the boss wants it, the goal is to pass audit... what more do you need?

      The boss obviously didn't care before the audit or it would have been that way. Then the audit happened. Now the boss is going along with the auditor's suggestion.

      This isn't good logic. We can't make that assumption, especially given that it WAS that way in the past.

      I'm working from what is stated. You are working from loads of assumptions as to the source of the audit, the order of events, the legal requirements, etc. None of those are things that we know or can assume.

      I really like you Scott, but I think this is part of the problem with how you post. Making loads of assumptions is just as bad as dishing out paragraphs and paragraphs based ONLY on what was stated, when it's clear that there are still plenty of unknown blanks that need to be filled in first. You should probably be asking for more information first before giving out so much firm advice. Otherwise, you get people like me, who look up to people like you online for guidance, running with what you've told me, only to hit a wall shortly down the road.

      There have been many times where I am taking someone's advice where they've given what seems to be extremely good advice to go by, only to realize, wait a second, I didn't tell them about this factor, so maybe they would change what they said if they knew this. Part of my problem is that I may ask too many questions and go off of what I was told without thinking too much into it. I DO still try to carefully weigh the advice of my online peers as best I can.

      That being said, I still strongly value your input, as well as many of the others on this forum.

      I'm just trying to figure stuff out man.

        scottalanmiller @dave247

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        I really like you Scott, but I think this is part of the problem with how you post. Making loads of assumptions is just as bad as dishing out paragraphs and paragraphs based ONLY on what was stated, when it's clear that there are still plenty of unknown blanks that need to be filled in first.

        Yes, but, you specifically stated that you wanted advice based on what was stated and not to dig into more. We had to, but were trying to limit that as much as possible.

        I don't agree that it's just as bad. It's not even comparable. Someone reading the answers, including you as the OP, knows what was stated and knows that the answers are for the question asked. If there is information held back, you know that the answer is to the question asked, not the one that could have been asked. But adding in implications that are never stated means answering a question that is neither asked and no reason to be assumed. One is correct, one is not. One is not misleading, one is. Totally different things.

        If there is more, you should always provide it from the beginning or we must assume that there isn't more. Or else simply ignore you until we are confident that no more information might exist. That doesn't really work.

        The one thing we can't do, is give advice based on something that isn't stated. We have to assume that what is stated is all that is relevant once there is nothing that is obviously needed additionally.

        If you have more info, you should provide it in the OP or you set us up to have to work from what is stated. It's giving you the benefit of the doubt that you didn't hold something back and what we have is what you have.

        It's fine to realize that there is more to provide as you go along. Just be aware that responses before that point are based on the question and info up to that point rather than clarifications given afterwards.

          scottalanmiller

          All that said... if there is anything additional that we've not been provided with, what are we missing? If we aren't supposed to have been answering yet, what were you expecting us to do all this time? You asked a question and stated you just wanted an answer, not digging in further. Now you are stating that you only wanted digging into, not an answer.

          Do you see why this is a no win situation for the people posting? If we provide an answer without digging, we are wrong for answering without all the info. If we dig in, we are wrong for refusing to help and just trying to push to show where something is wrong or whatever.

          And in the end, we can never know if everything relevant has been provided. At some point we just have to answer and hope for the best.

            Dashrender @scottalanmiller

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

            Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

            So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.

            but it's been buried under the fluff of doing business and passing audits

            And my point was you can pass the audit without setting everything statically. It's not a requirement.

            Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

            It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

            You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

            The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

            And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

            I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
            This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
            We also don't know if this being checked actually causes a failure.

            Way too many unknowns.

            Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

            That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

            My understanding is that the verbiage that we got was the one for the checkbox.

            He says right here that he doesn't know the actual question asked.

            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

            Static IP Address Assignment
            Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
            Standards Mapping:
            Control Type: (Project)
            NIST Cybersecurity Framework: PR.AC-4
            NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
            Control Class: Technical

              scottalanmiller @Dashrender

              Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                Dashrender @scottalanmiller

                @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                This is why I've been pounding on the actual verbiage of the question.
                It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                  scottalanmiller

                  Now, though, we have to ask.... if we don't know what is required but only know what the auditor suggests and the boss wants, that might tell us more than anything. Static IPs are the only known viable solution in this case, there is no way to know what else may or may not pass the audit.

                    dave247 @scottalanmiller

                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                    Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                    Yeah, it's basically the solution they point to for us in case we don't have a solution. It's still shit though.

                      scottalanmiller @Dashrender

                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                      Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                      So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.

                      but it's been buried under the fluff of doing business and passing audits

                      And my point was you can pass the audit without setting everything statically. It's not a requirement.

                      Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                      It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                      You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                      The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                      And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                      I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                      This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                      We also don't know if this being checked actually causes a failure.

                      Way too many unknowns.

                      Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                      That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                      My understanding is that the verbiage that we got was the one for the checkbox.

                      He says right here that he doesn't know the actual question asked.

                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                      Static IP Address Assignment
                      Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                      Standards Mapping:
                      Control Type: (Project)
                      NIST Cybersecurity Framework: PR.AC-4
                      NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                      Control Class: Technical

                      Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                      This is why I've been pounding on the actual verbiage of the question.
                      It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                      It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                      That's true, but why the boss is making his decision doesn't stop it being his decision.

                      • scottalanmillerS
                        scottalanmiller @dave247
                        last edited by

                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                        Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                        So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.

                        but it's been buried under the fluff of doing business and passing audits

                        And my point was you can pass the audit without setting everything statically. It's not a requirement.

                        Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                        It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                        You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                        The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                        And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                        I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                        This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                        We also don't know if this being checked actually causes a failure.

                        Way too many unknowns.

                        Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                        That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                        My understanding is that the verbiage that we got was the one for the checkbox.

                        He says right here that he doesn't know the actual question asked.

                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                        Static IP Address Assignment
                        Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                        Standards Mapping:
                        Control Type: (Project)
                        NIST Cybersecurity Framework: PR.AC-4
                        NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                        Control Class: Technical

                        Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                        Yeah, it's basically the solution they point to for us in case we don't have a solution. It's still shit though.

                        Yeah, it's garbage. No question there. Without knowing more, there is really nothing you can do but go by this because you don't know what they are testing and what is required by either the auditor or internally.

                        It's up to you how much you want to fight the good fight, or just do what makes people happy. At the end of the day, the boss is the boss and there is very little for you personally in doing a great job in IT terms versus just placating him. Going static won't really hurt anything. Silly, no doubt. But of all places to make a stand, this probably isn't it.

                        • dave247D
                          dave247 @scottalanmiller
                          last edited by dave247

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                          Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                          So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.

                          but it's been buried under the fluff of doing business and passing audits

                          And my point was you can pass the audit without setting everything statically. It's not a requirement.

                          Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                          It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                          You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                          The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                          And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                          I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                          This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                          We also don't know if this being checked actually causes a failure.

                          Way too many unknowns.

                          Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                          That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                          My understanding is that the verbiage that we got was the one for the checkbox.

                          He says right here that he doesn't know the actual question asked.

                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                          Static IP Address Assignment
                          Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                          Standards Mapping:
                          Control Type: (Project)
                          NIST Cybersecurity Framework: PR.AC-4
                          NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                          Control Class: Technical

                          Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                          This is why I've been pounding on the actual verbiage of the question.
                          It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                          It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                          That's true, but why the boss is making his decision doesn't stop it being his decision.

                          Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.

                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                            Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                            So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.

                            but it's been buried under the fluff of doing business and passing audits

                            And my point was you can pass the audit without setting everything statically. It's not a requirement.

                            Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                            It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                            You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                            The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                            And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                            I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                            This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                            We also don't know if this being checked actually causes a failure.

                            Way too many unknowns.

                            Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                            That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                            My understanding is that the verbiage that we got was the one for the checkbox.

                            He says right here that he doesn't know the actual question asked.

                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                            Static IP Address Assignment
                            Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                            Standards Mapping:
                            Control Type: (Project)
                            NIST Cybersecurity Framework: PR.AC-4
                            NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                            Control Class: Technical

                            Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                            This is why I've been pounding on the actual verbiage of the question.
                            It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                            It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                            That's true, but why the boss is making his decision doesn't stop it being his decision.

                            Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leeway, assuming he can convince the boss of the OP's opinions.

                            It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...

                            Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.

                            • scottalanmillerS
                              scottalanmiller @dave247
                              last edited by

                              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                              Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                              So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.

                              but it's been buried under the fluff of doing business and passing audits

                              And my point was you can pass the audit without setting everything statically. It's not a requirement.

                              Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                              It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                              You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                              The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                              And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                              I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                              This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                              We also don't know if this being checked actually causes a failure.

                              Way too many unknowns.

                              Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                              That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                              My understanding is that the verbiage that we got was the one for the checkbox.

                              He says right here that he doesn't know the actual question asked.

                              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                              Static IP Address Assignment
                              Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                              Standards Mapping:
                              Control Type: (Project)
                              NIST Cybersecurity Framework: PR.AC-4
                              NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                              Control Class: Technical

                              Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                              This is why I've been pounding on the actual verbiage of the question.
                              It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                              It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                              That's true, but why the boss is making his decision doesn't stop it being his decision.

                              Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes, but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.

                              Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.

                              • dave247D
                                dave247 @Dashrender

                                @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leeway, assuming he can convince the boss of the OP's opinions.

                                It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...

                                Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.

                                Yes, no decision has been made yet. Boss doesn't know much about IT and so if I can't convince him of a better solution, then I have to implement static addresses.

                                squeezes lemon juice in own eyes

                                • dave247D
                                  dave247 @scottalanmiller

                                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.

                                  I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.

                                  • scottalanmillerS
                                    scottalanmiller @dave247

                                    @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.

                                    Cool. Maybe propose a security solution, but point out that none was needed for the audit. Look at it (present it as) going "above and beyond".

                                    • Dashrender @scottalanmiller

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                                      Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                                      So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.

                                      but it's been buried under the fluff of doing business and passing audits

                                      And my point was you can pass the audit without setting everything statically. It's not a requirement.

                                      Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                                      It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                                      You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                                      The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                                      And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                                      I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                                      This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                                      We also don't know if this being checked actually causes a failure.

                                      Way too many unknowns.

                                      Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                                      That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                                      My understanding is that the verbiage that we got was the one for the checkbox.

                                      He says right here that he doesn't know the actual question asked.

                                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                                      Static IP Address Assignment
                                      Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                                      Standards Mapping:
                                      Control Type: (Project)
                                      NIST Cybersecurity Framework: PR.AC-4
                                      NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                                      Control Class: Technical

                                      Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                                      This is why I've been pounding on the actual verbiage of the question.
                                      It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                                      It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                                      That's true, but why the boss is making his decision doesn't stop it being his decision.

                                      Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.

                                      Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.

                                      Great suggestion. Get the boss to define the goal. Love it.

                                      • scottalanmiller @dave247

                                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        That's true, but why the boss is making his decision doesn't stop it being his decision.

                                        Of course that's true... But has he made a decision? Of course he's talking to the OP, but it seems like perhaps the OP has some leeway, assuming he can convince the boss of the OP's opinions.

                                        It's really kinda sad that the boss is involved in anything more than - I demand that we pass the audit, don't care how as long as we pass...

                                        Again, we know a checkbox is currently marked against them, but we don't know why (the real why) nor do we know if that makes them fail the audit.

                                        Yes, no decision has been made yet. Boss doesn't know much about IT and so if I can't convince him of a better solution, then I have to implement static addresses.

                                        squeezes lemon juice in own eyes

                                        We need a training video on why DHCP is for management. The whole purpose of DHCP was to make things easier than doing static, which is what we always used to have to do.

                                        • Dashrender @dave247

                                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.

                                          Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.

                                          • dave247 @Dashrender

                                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                                            Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

                                            So both the boss wants this done separately, and the goal, passing the audit, requires doing what the auditor suggests.

                                            but it's been buried under the fluff of doing business and passing audits

                                            And my point was you can pass the audit without setting everything statically. It's not a requirement.

                                            Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

                                            It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

                                            You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."

                                            The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.

                                            And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.

                                            I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
                                            This could just be a lazy or, equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
                                            We also don't know if this being checked actually causes a failure.

                                            Way too many unknowns.

                                            Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.

                                            That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.

                                            My understanding is that the verbiage that we got was the one for the checkbox.

                                            He says right here that he doesn't know the actual question asked.

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

                                            Static IP Address Assignment
                                            Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
                                            Standards Mapping:
                                            Control Type: (Project)
                                            NIST Cybersecurity Framework: PR.AC-4
                                            NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
                                            Control Class: Technical

                                            Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.

                                            This is why I've been pounding on the actual verbiage of the question.
                                            It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
                                            It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?

                                            That's true, but why the boss is making his decision doesn't stop it being his decision.

                                            Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.

                                            Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.

                                            I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.

                                            Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.

                                            Good bloody point. I will have to pry it out of the ether ASAP. Thanks.
