Turns out the thing I was looking for was LLDP protocol.
Sometimes, it's all in how you ask the question -_-
@jt1001001 said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:
We order custom cables from Provisions Modular hardware. Their website is horrible but if you call them and set up an account they will do custom length patch cables or really any other cable you may need. Their website only lists by the foot but we've ordered custom 12.5ft cables for some of our racks without issues.
https://www.provisionsmod.com/
yeah their website needs some work...
I ended up just saying eff it and ordered from C2G
I used to use Vonage and it was like $24 a month and then when I cancelled, they tried to lower me down to $10. Vonage was great and the only reason I cancelled was because we have cell phones.
Hi guys. There was a post a while back where someone asked for suggestions to improve their network security. I got into a nice discussion/argument with Scott about UTMs, SonicWall and router/firewall stuff. Long story short, I've been slowly considering replacing my company's SonicWall and re-designing the whole security setup.
First, we are a small company of under 100 users, but we are also a financial institution, so security is especially critical. The admins before me had previously installed a SonicWall NSA 2400, which was later upgraded/replaced by a NSA 3600. Actually, we have two of these SonicWalls connected together for high availability/failover, but they act as one unit.
Currently, we have three WAN connections that connect to the SonicWall and that feeds our LAN and WLAN with Internet. We also use the SonicWall for static routes to a couple of 3rd party VPN routers. There are a boat-load of firewall rules and NAT policies which I have been slowly auditing. Many of them have turned out to be stagnant and no longer needed. Documentation here has been pretty bad so I'm making sure I've got all that cleared up before I make any big changes.
So far, I do like the SonicWall because of the simplicity of having everything in one device, but at the same time, I kind of hate it. It has an external security log analyzer system (called GMS Analyzer) which spits out custom reports, but displays information in the worst possible way, such that it's barely useful. I feel like I am pretty blind to any real security issues so I absolutely need something better in this area.
What I am after now is to start considering some new hardware products/configurations that could be better for dividing up the roles shared by the SonicWall.
So, can I get some suggestions on how I should be setting up the router/firewall & threat management pieces?
For clarity, here is a list of things we use the SonicWall for:
Note: we do also have regular antivirus running in our environment, as well as 3rd party email spam filtering, and a SIEM, so we don't just rely on the SonicWall for security.
I haven't played with Ubiquiti too much, though I do have a cheap Edge Router ER-X sitting in my office drawer. When I set it up, I was super impressed by the UI and apparent tool set.
@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:
@dave247 said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:
Well, I looked at prices on ebay (which I know is not the best place to do a comparison) but people tend to price things relative to how expensive they were or currently are worth.
I don't know if that's true. Prices on eBay are often insane. People asking $1,000 for a device worth $20 just because they hope that someone is confused.
hahahaha you're so right. I guess really, it was just a comparison starting point. Probably not a good idea, but it's the only way I could quickly get a $ figure.
My UTM device offers an analyzer appliance, downloadable only as an OVF. We have vSphere 6.5 running but support told me the appliance only works on ESXi 6. However, Hyper-V 2012 R2 is also supported, which I do have one of those I just set up. I'm pretty new to Hyper-V and I've gone down a rabbit hole and now I'm a little unclear on what to do.
I first tried to import an OVF into Hyper-V only to quickly realize you can't do that. So I found out about the Microsoft Virtual Machine Converter 3.0 and installed that. Now I'm running MVMC and I'm stuck on this screen:
I don't appear to have any shares on \\hv-2012-01. I mean, I know how to create a share on a Windows system, but I don't really know the "right" way to go about setting up Hyper-V storage and/or shares in this situation.
I haven't configured anything else on my Hyper-V server beyond the basic install and remote management and network settings.
@networknerd said in Trouble converting an OVF to VMDK using MVMC...:
@dave247 said in Trouble converting an OVF to VMDK using MVMC...:
@scottalanmiller said in Trouble converting an OVF to VMDK using MVMC...:
@dave247 said in Trouble converting an OVF to VMDK using MVMC...:
@dustinb3403 said in Trouble converting an OVF to VMDK using MVMC...:
I'm confused why your UTM device would even know or care what hypervisor it may or may not be on.
Have you tried using it, on your ESXi 6.5 system?
The appliance is downloadable in OVF which is for VMware. It is not compatible with 6.5 and displays errors, which is why I called support and that's when they told me it only works on up to 6.
Oh, is this an older UTM that they aren't supporting any longer? Do they have a current version?
hahaha.. No. They (SonicWall) said 6.5 will eventually be supported.
That's insane. vSphere 6.5 has been out for over a year, and they can't support it yet? This kind of stuff bothers me about vendors.
I was talking with someone the other day who had moved a bunch of VMs from a vSphere 5.0 cluster host to a fresh vSphere 6.5U1 cluster. There were some Linux VMs that were not supported on 6.5 per the 3rd party vendor and would have required a tremendous effort to update the 3rd party software running in the Linux VMs. So they ended up being left on the 5.0 cluster for now. It's not exactly the same as your situation here, but it was equally frustrating to hear.
ok turns out I'm a fkn idiot and their most recent version of GMS Analyzer works on 6.5. I just got a strange error the first time I tried to deploy the OVF, researched the error, then found a work around that said to install the previous version first, which does not work with 6.5. Calling support, they told me that previous version wouldn't work on 6.5 but failed to tell me to try the newest version. The second time I called support, the tech I got told me that the newest version does work with 6.5 and I gave it a THIRD try and of course it worked fine.
I have no idea how and why I never cease to be an idiot.
I'm new to Hyper-V Server 2016 and I'll try not to ask basic questions for every little thing.. but I'm kind of confused about this one..
I've set up a single Hyper-V Server 2016 and configured the basic settings and everything and I'm basically to the point where I can start setting up virtual machines. I just realized that I don't even see a way that I can look at the amount of memory or storage space on my Hyper-V server. I mean, I know how much I have because I configured the server's hardware, but beyond that, I can't see how to monitor how much is left, neither in sconfig or in the Hyper-V Manager in Windows 10.
What am I missing?
@dashrender said in question about Hyper-V resource management?:
@dave247 said in question about Hyper-V resource management?:
@dashrender said in question about Hyper-V resource management?:
@dave247 said in question about Hyper-V resource management?:
@dashrender said in question about Hyper-V resource management?:
@dave247 said in question about Hyper-V resource management?:
@dashrender said in question about Hyper-V resource management?:
@nerdydad said in question about Hyper-V resource management?:
Computer Management -> Action -> Connect to another computer... -> Your Hyper-V host
Exactly - what he's not telling you is that Computer Management is a completely different tool. It's the Windows tool.
If you came from ESXi or even XS, you're in for some surprises. Unlike ESXi and XS, there is no single pane of glass to see all of the things related to Hyper-V. Instead you have to manage all the components the exact same way you would a normal server. Computer Management handles a lot of them, but not all. For example, you can't look at Device Manager that way anymore - MS removed remote access a bit ago.
OOOOOOOOOOOOOOOOOH... yes. Shit. LOL
yeah - this is why I #$#%^@ hate Hyper-V
ugh.. I wish I knew this before.. Maybe I'll just use the free version of ESXi instead..
no - you shouldn't do that. If you bail on Hyper-V, you should look at KVM instead, so you aren't leaving often needed/desired feature that are free in KVM and Hyper-V and cost a ton in ESXi.
well I do want to gain some experience with Hyper-V so maybe I'll stick it out.. I just need to find a centralized guide on this or something.. The way to do things so far has been murky and elusive.. Part of the problem may be that I'm so used to VMware with ESXi and vSphere.
I have a thread.
https://mangolassi.it/topic/15767/building-a-hyper-v-2016-host-take-2 it covers all the things to get all the pieces working.
It assumes an Active Directory though.
Oh nice! I will comb thru this. And I do have AD running here. Thanks!
@dbeato said in question about Hyper-V resource management?:
You will find tons of guides here on ML.
I think this has become my favorite forum. Much nicer than reddit, less BS than Spiceworks.. everyone is nice and thorough and we have SAM ruling with an iron fist
Interesting, yet still you post on both....
Yeah they all serve their purposes for me, but this forum is by far the friendliest with actual knowledgeable people.
I know very little about fiber, so I wanted to come here and get some help with this. Don't laugh
We have a couple 3rd party VPN T1 lines coming into our company. One of the vendors called and said they were going to upgrade our T1 to something like a "2.5 meg Ethernet connection". This was months ago and they gave me no details. Then the other day, a telecom company shows up to install fiber and runs a new line from the telecom poles outside all the way to our networking room.
I ended up getting pulled away all day with IT issues and they finished up and left without saying anything. I went into our networking room to check everything and saw that they had installed this in our rack:
Now I am trying to figure out what this is. I assume it is basically like a fiber patch panel that will allow more fiber connections in and out of the building, but I don't know how this works beyond that in both a technical and business sense. There is only one single white fiber line that comes into the building and connects into the back of this and so I am assuming that single line is being split up into 24 individual optic fibers. But does that mean other vendors can use this same line or is it typically limited to the company that owns it?
I'm partially confused because I don't get why one company would install this for use with one single connection. We do have one other fiber connection for our primary ISP and that is a single line that connects to a little vendor-provided, 4 port Cisco switch that converts the fiber to a regular Ethernet cable..
@dashrender said in Building a Hyper-V 2016 host Take 2:
@dave247 said in Building a Hyper-V 2016 host Take 2:
@dashrender said in Building a Hyper-V 2016 host Take 2:
@dave247 said in Building a Hyper-V 2016 host Take 2:
I've successfully added Windows Server Management to my Windows 10 system and am now able to connect to my Hyper-V 2016 server. However, I am having trouble viewing server info such as hard disk space. I get this error when trying to go to disk management:
did you run this command as noted above
Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"
Yes, I ran that on the server but not my pc. I just ran it on my Windows 10 pc too and now it works.
THANKS
Do I need to change something in my instructions to make that specifically stand out more?
Maybe, "Run these commands on both server and management workstation"
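Added example for the two Hyper-V questions above (the "where do I see memory and disk" post and the firewall rule that had to run on both ends); this is my code, not anything posted in the thread. It enables the rule groups that remote Computer Management and Disk Management rely on, on the workstation and on the host, and then reads the host's memory and disk headroom over CIM so nothing has to be hunted down in sconfig. The host name `hv-2016-01` is a placeholder, and it assumes WinRM is enabled on the host (Enable-PSRemoting) and that the Hyper-V RSAT module is installed on the workstation.

```powershell
# Added example (not from the thread). Run on the management workstation as a domain
# admin. Host name is a placeholder; WinRM on the host and the Hyper-V RSAT module
# locally are assumed.
$HyperVHost = 'hv-2016-01'

# Rule groups remote Computer Management, Disk Management and Event Viewer need.
# 'Remote Volume Management' has to be enabled on the host AND the management PC,
# which is the detail that tripped the original poster.
$RuleGroups = @(
    'Remote Volume Management',
    'Remote Event Log Management',
    'Remote Service Management',
    'Windows Management Instrumentation (WMI)'
)

# 1. Local side (management workstation)
foreach ($g in $RuleGroups) { Enable-NetFirewallRule -DisplayGroup $g }

# 2. Remote side (Hyper-V host), over WinRM; print the rules back to confirm
Invoke-Command -ComputerName $HyperVHost -ScriptBlock {
    param($groups)
    foreach ($g in $groups) { Enable-NetFirewallRule -DisplayGroup $g }
    Get-NetFirewallRule -DisplayGroup 'Remote Volume Management' |
        Select-Object DisplayName, Enabled, Profile, Direction
} -ArgumentList (,$RuleGroups)

# 3. Memory headroom on the host. Win32_OperatingSystem reports these values in KB,
#    so dividing by 1MB (1048576) yields GB.
$os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $HyperVHost
[pscustomobject]@{
    Host       = $HyperVHost
    TotalMemGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    FreeMemGB  = [math]::Round($os.FreePhysicalMemory / 1MB, 1)
}

# 4. Local fixed disks on the host (DriveType 3), sizes in bytes
Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $HyperVHost -Filter 'DriveType = 3' |
    Select-Object DeviceID,
        @{n='SizeGB';  e={[math]::Round($_.Size / 1GB, 1)}},
        @{n='FreeGB';  e={[math]::Round($_.FreeSpace / 1GB, 1)}},
        @{n='PctFree'; e={[math]::Round(100 * $_.FreeSpace / $_.Size, 1)}}

# 5. Memory actually handed to VMs, so free RAM can be read against what is committed
Get-VM -ComputerName $HyperVHost |
    Select-Object Name, State,
        @{n='AssignedMemGB'; e={[math]::Round($_.MemoryAssigned / 1GB, 1)}}
```

Step 2 returns the rule list from the host so the Enabled column can be eyeballed; if step 3 or 4 fails with an RPC or access error after that, the culprit is almost always the same group still disabled on the other side, not the query.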
@dbeato said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Are you using automatic updates directly to Microsoft or WSUS right now?
In my original email, I say I am using a 3rd party software tool named DesktopCentral. It is a pretty nice tool as it has a load of inventory and management features which I've been learning for over a year now. However, I am in the works of setting up WSUS on a server to see how well that works in comparison.
Please, let's keep this on topic as much as possible as I am really just trying to nail down the best solution.
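Added example, not something posted in the thread: a way to check a Nessus "missing critical update" list against what the scanned machine itself reports, so each finding can be confirmed or handed back to the auditor with evidence. The KB numbers in `$ReportedKBs` are constructed placeholders, not real scan output; run it on the scanned host (or via Invoke-Command) as an administrator. The comparison uses two sources on purpose: Get-HotFix shows what is installed, and the Windows Update agent shows what is still applicable, which is the answer that reflects supersedence.

```powershell
# Added example (not from the thread). KB list below is a constructed placeholder.
function Test-ReportedPatches {
    param(
        [Parameter(Mandatory)] [string[]] $ReportedKBs
    )

    # 1. What the OS says is installed (Get-HotFix reads Win32_QuickFixEngineering).
    $installed = (Get-HotFix).HotFixID

    # 2. What the Windows Update agent says is applicable and NOT installed.
    #    An older KB that has been replaced by a newer cumulative update is no longer
    #    offered here even though it never shows up in Get-HotFix; that is the usual
    #    reason a scanner lists a years-old KB on a fully patched box.
    $session      = New-Object -ComObject Microsoft.Update.Session
    $searcher     = $session.CreateUpdateSearcher()
    $result       = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $stillMissing = foreach ($u in $result.Updates) {
        foreach ($kb in $u.KBArticleIDs) { "KB$kb" }
    }

    foreach ($kb in $ReportedKBs) {
        [pscustomobject]@{
            KB             = $kb
            InstalledPerOS = ($installed -contains $kb)
            OfferedByWUA   = ($stillMissing -contains $kb)
            Verdict        = if ($installed -contains $kb)    { 'installed; finding is stale' }
                             elseif ($stillMissing -contains $kb) { 'genuinely missing' }
                             else { 'not offered; likely superseded, compare against plugin output' }
        }
    }
}

# Constructed sample in the shape a Nessus plugin names them (placeholders, not real findings)
$ReportedKBs = 'KB1111111', 'KB2222222', 'KB3333333'
Test-ReportedPatches -ReportedKBs $ReportedKBs | Format-Table -AutoSize

# When the agent last installed anything successfully, whatever the patch source
# (Microsoft, WSUS or a third-party tool driving the agent)
(New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastInstallationSuccessDate
```

The useful column is Verdict. "Genuinely missing" means the agent agrees with the scanner and the patch tool is not doing its job; "not offered" means the KB is gone from the catalog for this host, and the Nessus plugin output (which normally names the file version it checked) is what to read before arguing.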
When I came into my job as IT admin, all our servers and workstations and thin clients were statically mapped, like manually, the hard way (no DHCP reservation). It's taken me a while but I rolled out DHCP for all our thin clients and desktops and everything is a lot easier to manage.
One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.
BEFORE YOU SAY IT: Yes, I know that either way is not actually secure and I've tried explaining that someone with Wireshark could still sniff our traffic or use other tools to get onto our network, etc.
I have mentioned that I specifically don't patch in network jacks unless they are needed by someone and that there are no open jacks just hanging out on random walls where customers have easy access.
So now, I am trying to find out the best way to set up DHCP and have it so that only the people I want on our network can get on.
First and foremost, we run a 2008 R2 domain controller and that is also our DHCP server. I noticed in the DHCP settings that there is a "Network Access Protection" tab, which would work with Network Policy Server. I would assume this is the go-to method for this in a Windows domain, but I have never heard about it until now.
Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.
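Added example, not from the thread: the closest thing Windows DHCP itself offers to "only my devices get a lease" is the link-layer (MAC) filter, so this builds an allow list from the devices that already hold leases or reservations, turns it on, and shows a reservation in place of a hand-typed static address. It uses the DhcpServer PowerShell module, which ships with Server 2012 and later (and with RSAT); the server name `dc01` and scope `10.10.0.0` are placeholders. Against a 2008 R2 DHCP server, as in the post, the same filter is managed with `netsh dhcp server v4 add filter`. Two caveats a practitioner would want up front: the NAP tab the post mentions belongs to a feature that was deprecated in Server 2012 R2 and removed in Server 2016, so it is not worth building on; and a MAC allow list is not access control, since a MAC can be cloned and an address can be typed in by hand. Port security or 802.1X on the switch is what actually gates a jack.

```powershell
# Added example (not from the thread). Server, scope and MAC below are placeholders.
# Requires the DhcpServer module (Server 2012+ / RSAT); run as a DHCP administrator.
$DhcpServer = 'dc01'
$ScopeId    = '10.10.0.0'

# 1. Known devices = current active leases plus reservations, deduplicated by MAC
$leases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -in 'Active', 'ActiveReservation' }
$reservations = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId

$known = @($leases       | Select-Object @{n='Mac'; e={$_.ClientId}}, @{n='Name'; e={$_.HostName}}) +
         @($reservations | Select-Object @{n='Mac'; e={$_.ClientId}}, Name) |
         Sort-Object Mac -Unique

# 2. Review before trusting it: anything unrecognised here is exactly the laptop the
#    boss is worried about, and must not be copied into the allow list
$known | Format-Table Mac, Name -AutoSize

# 3. Populate the allow list, skipping MACs already present
$existing = (Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow).MacAddress
foreach ($d in $known) {
    if ($existing -notcontains $d.Mac) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow `
            -MacAddress $d.Mac -Description ("inventory: {0}" -f $d.Name)
    }
}

# 4. Enforce: from here on, only MACs on the allow list are offered a lease
Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true

# 5. A server that must keep its address gets a reservation, not a static config,
#    so DHCP stays the single inventory of what is on the network
Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
    -IPAddress 10.10.0.50 -ClientId '00-11-22-33-44-55' -Name 'fileserver01' `
    -Description 'placeholder MAC for the example'

# 6. Confirm the filter state and list
Get-DhcpServerv4FilterList -ComputerName $DhcpServer
Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow | Format-Table MacAddress, Description -AutoSize
```

Run steps 1 and 2 alone first and sit on the output for a day or two; the allow list is only as good as the review in step 2. After enabling it, the DHCP server's audit log records requests it refused, which doubles as a cheap "something unknown plugged in" alert until the switch side is dealt with.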
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving your systems are secured from the oldest threats.
Not really, put it on them. Ask them to show which things are missing since all patches are applied.
These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"
Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.
"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8
aaaaahahahahahahhahaa... omfg this gave me a good laugh. THANK YOU
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.
I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."
Well, I'm still new to banking and IT (only 1.6 years now or something) so I am still learning how it all works. I'm sure it's all FUBAR but hey, I got a family to feed.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
That's why I'm pushing you to figure out where you fit into the equation. At some point, you just follow orders and don't worry about it. Sure, post here, ask what a good solution would have been so that you learn options or whatever. But in a case like this, boss says listen to auditor, auditor tells you to burn the company to the ground, you burn it to the ground because your job is to follow the boss' orders.
It is what it is. But it sounds like the bank has decided that the boss' whims are a higher priority than security or efficiency. It is what it is. BUt that's what they want.
Here is an early Christmas present: Additionally, the auditors have suggested having phones on their own VLAN for security. So now I'm trying to set up LLDP.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
And my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading too much into it. None of us know what the actual checkbox says on the original paper. We've only been told "they mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure. Way too many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding is that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: Technical
Ah, good point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his cues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?
That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometimes but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP nor static addresses have anything to do with network security.