Joe, from what I understand of MS NAP, it only helps if the machines belong to the domain, is that correct? It doesn't stop someone from plugging in and hard coding an IP. I get the impression it is designed to be used in conjunction with Cisco's CleanAccess product.

Bryan Lucas
Server Administrator
(817) 257-6971

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in, turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address. All the DHCP server is is a helper; it doesn't give you network access, it helps you find it. This type of thing needs to be controlled either at the network level, where the switches say "sorry, you can't route packets anywhere but this private secured network", or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine / Network Access Protection / etc. It is not a simple whip-out-in-an-hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't. This includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.

I would recommend going to Google, typing in "network quarantine" and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in, but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edwin

Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the "network savvy" person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed. If something like this is possible, I would like to have a more concrete solution. But thank you very much for your reply.

Edwin

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marc A. Mapplebeck

I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a lease but not be able to see anybody. The only downside to that would be that the network savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range.

HTH - Marc

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edwin

Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.

Thanks,
Edwin
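Marc's "exclude the whole scope, then reserve addresses for authorised MACs" layout, written out as an added example that is not from the thread, using the DhcpServer PowerShell module (Windows Server 2012 and later, which postdates this discussion). The scope, subnet, addresses and MAC/IP pairs are constructed values and the variable names are mine.

```powershell
# Added example (not from the thread): Marc's exclusion-plus-reservation layout.
# Assumes the DhcpServer module and an authorized DHCP server; all values constructed.
Import-Module DhcpServer

$scopeId = '10.10.20.0'   # constructed subnet

# 1. Normal scope covering the subnet's dynamic range.
Add-DhcpServerv4Scope -Name 'Corp-LAN' -StartRange 10.10.20.10 -EndRange 10.10.20.250 `
    -SubnetMask 255.255.255.0 -State Active

# 2. Exclude the entire dynamic range, so an unknown client gets no lease from it.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 10.10.20.10 -EndRange 10.10.20.250

# 3. Reservations for known machines. A reservation is still honoured when its
#    address falls inside an exclusion range, which is what makes this layout work.
$authorised = @{
    '00-11-22-33-44-55' = '10.10.20.11'   # constructed MAC -> IP pairs
    '00-11-22-33-44-66' = '10.10.20.12'
}
foreach ($mac in $authorised.Keys) {
    Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress $authorised[$mac] `
        -ClientId $mac -Type Dhcp -Description 'Domain workstation (reserved)'
}

# Check what the server will actually hand out: only the reserved addresses.
Get-DhcpServerv4Reservation -ScopeId $scopeId |
    Select-Object IPAddress, ClientId, Description

# Note, per joe's point in the thread: this only decides who is *given* an address.
# A client that sets a static IP in 10.10.20.0/24 still has the same link access,
# so this is lease hygiene, not access control; that needs switch-level quarantine/NAP.
```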