Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
Wtf how are there 132 posts? Just noticed. I can't read all those...
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
It's been a busy morning here.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.
I think that about sums it up.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Wtf how are there 132 posts? Just noticed. I can't read all those...
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Because the thread had to change from a request on how to do NAC using MS products into - why do you want NAC? oh you're being audited? The Audit wants what? it wants a NIST requirement/suggestion that you have Static IPs only - well then NAC doesn't solve your audit issue, and oh yeah... your Audit isn't about security, it's about check boxes.
I think that about sums it up.
Yes, good job.
snorts ghost pepper
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
If that's all you need to worry about, you can either use IPAM with DHCP filtering, or you can use IPSEC.
-
Because, if you get into that stuff without IPAM, it becomes harder to manage and to see what's what. Not sure of your network size, but assuming it's not 10 computers.
-
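The DHCP filtering suggested above, as an added example that is not part of the original thread: a PowerShell script using the Windows DhcpServer module that reports leases whose MAC is missing from a company inventory and, only when run with `-Enforce`, loads that inventory into the allow filter and turns the allow list on. The inventory entries, the `-Enforce` switch and the helper function name are assumptions made for illustration.

```powershell
#Requires -Modules DhcpServer
# Added example: review current leases against an inventory of company MACs
# before enabling the DHCP allow filter, so known machines are not cut off.

param(
    [string]$ComputerName = 'localhost',  # assumption: DHCP role runs on this host
    [switch]$Enforce                      # without this switch nothing is changed
)

# Constructed sample inventory (placeholder MACs); export the real one from
# your asset system or IPAM.
$inventory = @(
    [pscustomobject]@{ Mac = '02-00-00-00-00-01'; Owner = 'ACCT-PC-01' }
    [pscustomobject]@{ Mac = '02-00-00-00-00-02'; Owner = 'HR-LAPTOP-07' }
)

function ConvertTo-NormalMac([string]$Mac) {
    # Strip separators and upper-case so '02-00-..' and '02:00:..' compare equal.
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

# Index the inventory by normalised MAC for fast lookup.
$known = @{}
foreach ($item in $inventory) {
    $known[(ConvertTo-NormalMac $item.Mac)] = $item.Owner
}

# Collect leases from every IPv4 scope on the server.
$leases = Get-DhcpServerv4Scope -ComputerName $ComputerName |
    ForEach-Object {
        Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $_.ScopeId
    }

# Leases held by devices that are not in the inventory. These are the clients
# that would stop receiving addresses once the allow list is enabled.
$unknown = $leases | Where-Object {
    -not $known.ContainsKey((ConvertTo-NormalMac $_.ClientId))
}

Write-Host "Leases total: $(@($leases).Count), not in inventory: $(@($unknown).Count)"
$unknown |
    Select-Object IPAddress, ClientId, HostName, AddressState |
    Format-Table -AutoSize

if ($Enforce) {
    # Skip MACs already present so the script can be re-run safely.
    $existing = Get-DhcpServerv4Filter -ComputerName $ComputerName -List Allow |
        ForEach-Object { ConvertTo-NormalMac $_.MacAddress }

    foreach ($item in $inventory) {
        if ((ConvertTo-NormalMac $item.Mac) -notin $existing) {
            Add-DhcpServerv4Filter -ComputerName $ComputerName -List Allow `
                -MacAddress $item.Mac -Description $item.Owner
        }
    }

    # With the allow list on, the server answers only MACs in that list.
    Set-DhcpServerv4FilterList -ComputerName $ComputerName -Allow $true
}
```

Run it without `-Enforce` first and reconcile the reported leases with the inventory; the filter only controls which clients the DHCP server answers.
-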
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
You can't. DHCP just doesn't work that way.
For security while using DHCP, NAC is the solution (as you already found the settings in DHCP and the use of Network Access Protection).
Of course, this will still fail the "I plugged my laptop in and got an IP address" test that the auditor is using for that checkbox (that's the wrong test to use for that checkbox by the way).
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Don't. Just tell me how the eff can I easily restrict non-company computers from getting a DHCP address.
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do you restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
-
Of the three options, one should be ruled out immediately because it meets neither your personal goals (security) nor the company's political goals (satisfying the audit)... and that's the one in the OP.... locking down DHCP meets no goals at all. It won't secure the environment nor will it satisfy the audit. That is the one that makes no logical sense for you to be considering at all. It serves no purpose.
The other two options.... actually securing the environment and telling the auditor (and your boss) to screw off; or just going static and doing what the auditor and your boss have demanded that you do, both have their own merits.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
But we figured out that that was not your goal. You keep going back and forth between three different things....
- How do you secure your network (never asked, but you stated was your goal.)
- How do you restrict DHCP in the way stated here and in the OP.
- How to meet the requirements of the audit.
They're totally different goals. You haven't settled on one. Every time someone asks, you state a different one as being what you are trying to do. You have to decide on your goal before anyone can answer clearly. This is why this has gone on so long. We've been trying to determine what the goal is, that's why I dug into your work situation to help to find out what the goal is.
I didn't read all the posts, but if this is the case, then IPSEC all network communications would be a great start.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I didn't read all the posts, but if this is the case, then IPSEC all network communications would be a great start.
Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Sort of. But what we REALLY determined is that he has one, and only one solid requirement... that he has to move to static IPs. The desire for security was a misunderstanding he had based on something he thought that they were implying with the requirement, but it was incorrect and not what it said (and definitely not what it implied.) The only answer that doesn't risk his job is going to static IPs. The goal for security is his own personal one and not one from the audit or his boss. The demand for static IPs is from the auditor and his boss. That's the task he's required to do.
That makes sense.
I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
That makes sense.
I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.
There's no logical reason. Boss and auditor just decided that they want them. That's all that there is to it. There is no business or technological reason. This is just about politics.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
That makes sense.
I don't see why static IPs would be a requirement for anything. That accomplishes nothing except a weird audit request.
And that is what the basis of this topic is.
The audit question reads along the lines of "If I connect my laptop to an Ethernet port, will I get an IP address? If Yes, fail, If No, Pass."
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
And that is what the basis of this topic is.
The audit question reads along the lines of "If I connect my laptop to an Ethernet port, will I get an IP address? If Yes, fail, If No, Pass."
Lol.
That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)."
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
And that is what the basis of this topic is.
The audit question reads along the lines of "If I connect my laptop to an Ethernet port, will I get an IP address? If Yes, fail, If No, Pass."
But their stated goal is more than that. Only reading what you put will lead us to bad ideas, like the original question stated. Once the actual quote from the auditor was provided, it was MUCH more clear... static was the only option.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Lol.
That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)."
It's actually worse than that.
-
When determining the goals and what direction to go here, I think that this recent video is highly relevant.
-
@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Lol.
That's like saying... "Can I stick my hand in the cookie jar and take a cookie? If yes, fail (lid is off)... If no, pass (lid is on)."
But that is exactly what is taking place here. There is no specification (at least with this question on the audit) about security.
Just simply "are you using DHCP, if yes, fail. If no, pass."