Microsoft uses 802.1x auth. I believe ... as do many.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ...what is MS using? Is it Ipsec and smartcard authentication? You go to Redmond, stick in a rj45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.

joe wrote:
> There is nothing you can do around a DHCP server that will really help you as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in and turn on a sniffer and you start seeing enough traffic to figure out where to come up with a random IP address at. All the DHCP server is is a helper, it doesn't give you network access, it helps you find it. This type of thing needs to be controlled either at the network level where the switches say, sorry you can't route packets anywhere but this private secured network or you need to make all proper network traffic secure with some kind of tunneling/vpn type tech. The latter is quite popular for companies with wireless, you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet, this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.
>
> You really want to start looking into Network Quarantine/Network Access Protection/etc. It is not a simple whip out in an hour solution, it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't, this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.
>
> I would recommend going to google, typing in network quarantine and hit enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
> *Sent:* Friday, February 03, 2006 7:55 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Getting better control over DHCP
>
> Assigning IP's based off of MAC addresses would be a huge headache! Besides, just as you said the "network savvy" person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed.
>
> If something like this is possible, I would like to have a more concrete solution.
>
> But thank you very much for your reply.
>
> Edwin
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Marc A. Mapplebeck
> *Sent:* Friday, February 03, 2006 7:38 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Getting better control over DHCP
>
> I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a lease, but not be able to see anybody. The only downside to that would be that the network savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range. HTH - Marc
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
> *Sent:* February 3, 2006 20:13
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Getting better control over DHCP
>
> Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.
>
> Thanks,
>
> Edwin

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
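Marc's "exclude the whole scope, then reserve addresses for authorised MACs, plus a second dead scope" suggestion, written out as an added PowerShell example; this is not code from any poster in the thread. It assumes the DhcpServer module (Windows Server 2012 or later), a constructed 192.168.10.0/24 corporate range, a constructed 10.99.0.0/24 quarantine range, constructed MACs, and that the two scopes are joined in a superscope so one segment can draw from either, which the thread does not specify.

```powershell
# Added example of the two-scope DHCP layout described in the thread.
# All addresses, names and MACs below are constructed placeholders.
# Caveat from joe's reply: this only governs what the DHCP server hands out;
# a client that sets a static IP still reaches the segment. 802.1x / NAP is the real control.

$CorpScope = '192.168.10.0'
$CorpMask  = '255.255.255.0'
$DeadScope = '10.99.0.0'       # leases from here are outside the real network range
$DeadMask  = '255.255.255.0'

# 1. Corporate scope with the entire address range excluded, so no free lease exists.
Add-DhcpServerv4Scope -Name 'Corp LAN' -StartRange '192.168.10.1' -EndRange '192.168.10.254' `
    -SubnetMask $CorpMask -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $CorpScope -StartRange '192.168.10.1' -EndRange '192.168.10.254'
Set-DhcpServerv4OptionValue -ScopeId $CorpScope -Router '192.168.10.1' -DnsServer '192.168.10.10'

# 2. Reservations for authorised MACs (constructed list). Windows DHCP honours a
#    reservation even when its address lies inside an exclusion range.
$Authorised = @(
    @{ Name = 'LAPTOP01'; IP = '192.168.10.50'; Mac = '00-11-22-33-44-55' },
    @{ Name = 'LAPTOP02'; IP = '192.168.10.51'; Mac = '00-11-22-33-44-56' }
)
foreach ($h in $Authorised) {
    Add-DhcpServerv4Reservation -ScopeId $CorpScope -IPAddress $h.IP -ClientId $h.Mac `
        -Name $h.Name -Description 'Authorised by helpdesk'
}

# 3. Second scope for everyone else: a short lease with no router or DNS options,
#    so an unknown client gets an address but nowhere to go.
Add-DhcpServerv4Scope -Name 'Unauthorised' -StartRange '10.99.0.100' -EndRange '10.99.0.200' `
    -SubnetMask $DeadMask -State Active -LeaseDuration (New-TimeSpan -Minutes 30)

# 4. (Assumption) A superscope lets both scopes answer requests from the same segment;
#    without it the server only serves the scope matching its own interface subnet.
Add-DhcpServerv4Superscope -SuperscopeName 'Corp with quarantine' -ScopeId $CorpScope, $DeadScope

# Detection angle: every lease in the dead scope is an unknown device worth a look.
Get-DhcpServerv4Lease -ScopeId $DeadScope |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

The final query is the useful operational by-product: the dead scope doubles as an inventory of devices that plugged in without a reservation.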