@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.
So both the boss wants this done separately, and the goal passing the audit requires doing what the auditor suggests.
but it's been buried under the fluff of doing business and passing audits
Any my point was you can pass the audit without setting everything statically. It's not a requirement.
Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?
It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.
You are missing the point that it is required by the company. You can't keep saying it is a suggestion, we are past that. It's fine that the auditor stated incorrect information about why to do static. But they didn't write "We need X, therefore we recommend static." They wrote "We recommend static, and here are some reasons...."
The auditor approached it as static being the goal, the reasons are just for you to understand a bit more. Not to meet some management goal and static, they think, will fulfill it.
And since the suggestions are required, any use of the term suggestion means required. The two are synonymous in any case where suggestions must be followed. You are hung up on the auditor suggesting it, but the employer has required it.
I think you, Scott, are reading to much into it. None of us know what the actual checkbox says on the original paper. We've only been told "the mark it if they plug in and get an IP address."
This could just be a lazy or equally as likely, ignorant auditor who is making up their own solution to that specific checkbox.
We also don't know if this being checked actually causes a failure.Way to many unknowns.
Maybe, but it is the auditor's checkbox. So their solution is the only one that we can know checks it.
That's absolutely true - but again, the human checking the box could be completely in error, without knowing the verbiage for that checkbox, we don't know.
My understanding that the verbiage that we got was the one for the checkbox.
He says right here that he doesn't know the actual question asked.
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalAh good, point. My bad. So maybe that is only a recommendation. Pretty tough to be in a position of completing an audit without being told exactly what the audit requires.
This is why I've been pounding on the actual verbiage of the question.
It's also likely why @stacksofplates is so adamant that this is only a suggestion, but not a requirement.
It also goes into the likeliness that the boss, not knowing anything about IT, is simply taking his queues from the auditor, instead of the supposedly trusted IT person they hired. I say supposedly because why would you trust the auditor over your own employee unless you didn't trust the employee?That's true, but why the boss is making his decision doesn't stop it being his decision.
Well, he is open to suggestions. I just have to do a good job at explaining why static addresses are bad and sell my alternative solution. I suck at communicating sometime but also my boss likes to jump in and give direction at any moment where I might be having trouble making my point... so I have to nail it the first time usually.
Well that's encouraging. Definitely make an attempt. To do that, though, I would recommend getting the boss to tell you the goal to meet. Make him articulate it. If you have that, then you have a discrete "problem to solve" that you can argue your solution does better than solution "X". If you don't, then you will have a high chance of facing a moving goalpost where you solve the assumed problem, but are then presented with something else you didn't address.
I usually communicate better in text so I wrote a nice email explaining how neither DHCP or static addresses have anything to do with network security.
Really, for this specific situation - you really need to find out the text of this checkmark you're currently failing so you can target your information against it specifically.
Good bloody point. I will have to pry it out of the ether asap. THanks.