
Windows 2000 server/DHCP question

  • 06-11-2003 1:08pm
    #1
    Registered Users Posts: 495 ✭✭


    Quick question about DHCP. Basically we are using DHCP in the office to assign IP addresses; now we don't want anyone to be able to plug in their laptop and get an IP address without asking someone who looks after the server first. I googled on this and found one or two applications that would stop this, but they wouldn't really suit my purposes. Just wondering, does anyone know of any good applications, or is there a way of configuring the DHCP server so it will only assign an IP to a new PC on the network if something else is done?

    Thanks


Comments

  • Registered Users Posts: 458 ✭✭shurl


    Hmm,
    AFAIK DHCP is an un-authorised protocol.
    Meaning that anyone, with or without network access credentials can get an IP.

    The only security on a W2K DHCP is enabling DHCP auditing. Not much good I know.

    The only thing I can think of at the moment is setting the server to just give out a certain amount of IPs, i.e. if ye have 20 PCs set it to 20. However you'd have to make sure the machines are on all the time for them to keep their IPs/lease.

    Not much help, sorry bit rusty.

    S.


  • Registered Users Posts: 1,237 ✭✭✭GUI


    Statically assign the IPs, if you want that level of control.


  • Registered Users Posts: 1,901 ✭✭✭deckie27


    You can place a lock on the switch (I think) where it will only communicate with the assigned MAC addresses on a particular port.


  • Registered Users Posts: 275 ✭✭oakers


    Just a quick question Insider,

    Are you running a Win2K Domain controller or is it just set up as a work Group???

    Please advise!

    Thanks


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Set the scope so if there are (for example) 5 systems in the office (apart from the server and any other device with a static IP) then have only 5 IP addresses in the scope available for allocation.

    Once all systems are on the network the scope is empty.

    M


  • Registered Users Posts: 495 ✭✭The Insider


    Win2K Domain controller.

    Thanks


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,790 Mod ✭✭✭✭Capt'n Midnight


    You can create a reservation for each MAC address to give it a fixed IP address.

    This way you don't get any problems if you need to add a sixth PC later on.

    Alternatively, set up a 64 address scope and exclude 59 addresses...
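
The reservation-per-MAC approach above, combined with the DHCP auditing shurl mentioned earlier, gives the admin something to check against: any lease the server hands to a MAC that has no reservation is a device nobody introduced to the network. The script below is an added example (not code from the thread or from Microsoft) that reads lines in the layout of the Windows 2000 DHCP audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address) and reports leases to unreserved MACs. The sample log lines, the reservation list and the assumption that event IDs 10 and 11 are the lease/renew events are all constructed for the example.

```python
"""Flag DHCP leases handed to MAC addresses that have no reservation.

Reads text in the layout of the Windows 2000 DHCP server audit log
(ID,Date,Time,Description,IP Address,Host Name,MAC Address), keeps the
lease events and reports any client MAC that is missing from the
administrator's reservation list, or that received an address other
than the one reserved for it.
"""
import csv
import io

# Assumption: event ID 10 = new lease assigned, 11 = lease renewed,
# as listed in the "Event ID / Meaning" header of the audit log.
LEASE_EVENT_IDS = {"10", "11"}

# Constructed reservation list: MAC -> reserved address. Stands in for
# the reservations configured in the DHCP console.
RESERVATIONS = {
    "00105A1B2C3D": "192.168.1.20",
    "00105A1B2C3E": "192.168.1.21",
}

# Constructed sample log in the audit-log layout; not a real capture.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,11/06/03,09:00:02,Started,,,
10,11/06/03,09:12:44,Assign,192.168.1.20,WS01.office.local,00105A1B2C3D
11,11/06/03,09:40:10,Renew,192.168.1.21,WS02.office.local,00105A1B2C3E
10,11/06/03,10:03:51,Assign,192.168.1.57,LAPTOP-GUEST,000C29AABBCC
24,11/06/03,12:00:00,Database Cleanup Begin,,,
"""


def normalize_mac(mac):
    """Drop separators and upper-case so '00-10-5a-1b-2c-3d' equals '00105A1B2C3D'."""
    return "".join(ch for ch in mac if ch.isalnum()).upper()


def parse_lease_events(log_text):
    """Yield (mac, ip, hostname, date, time) for every lease or renewal row."""
    for row in csv.reader(io.StringIO(log_text)):
        # Skip the column header, service events and malformed/short rows.
        if len(row) < 7 or row[0] not in LEASE_EVENT_IDS:
            continue
        _event_id, date, time, _desc, ip, host, mac = row[:7]
        yield normalize_mac(mac), ip, host, date, time


def find_unreserved_leases(log_text, reservations):
    """Return one finding per lease whose MAC is unreserved or mis-addressed."""
    known = {normalize_mac(m): ip for m, ip in reservations.items()}
    findings = []
    for mac, ip, host, date, time in parse_lease_events(log_text):
        reserved_ip = known.get(mac)
        if reserved_ip is None:
            reason = "no reservation for this MAC"
        elif reserved_ip != ip:
            reason = f"reserved address is {reserved_ip}"
        else:
            continue  # known machine on its reserved address: nothing to report
        findings.append({
            "when": f"{date} {time}",
            "mac": mac,
            "ip": ip,
            "host": host,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in find_unreserved_leases(SAMPLE_LOG, RESERVATIONS):
        print("{when}  {mac}  {ip:<15} {host:<20} {reason}".format(**finding))
```

Run it weekly against the current DhcpSrvLog file and the reservation list exported from the console; on the constructed sample it reports only the LAPTOP-GUEST lease. A machine that receives its reserved address is silent, so the output is exactly the list of devices that were never introduced to the server.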


  • Registered Users Posts: 275 ✭✭oakers


    This seems a bit of a no brainer to me but I could well be missing a security issue that you are thinking of! If so I apologise!

    If you are running a Win2K domain controller you should have a site and domain Admin account that only the sys admin should know the password to (probably you!).

    If this is the case, set your range of addresses (however many you require). For a system to access your network it has to be given a computer account, which can only be done with the domain admin username and password.

    Thus, if some Joe Bloggs dumps a laptop on your network, yes, it will receive a valid IP address, but it will be unable to access any shared resources as it will not have a computer account on the server! Also, it will not be a member of the domain and without hacking your server they will be unable to reconfigure it!

    If the user is capable of hacking your server no matter what you do they will be able to change it anyway!

    Just my two cents worth!

    Hopefully some help to you!


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    Originally posted by oakers
    If this is the case set your range of addresses (however many you require). For a system to access your network it has to be given a computer account which can only be done with the domain admin username and password.

    Err, you can access network shares without being a member of the domain you know... all you need is any user login on the domain or PC you are connecting to...
    Which means any normal user who decides to bring a laptop in can still access anything he/she wants.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,790 Mod ✭✭✭✭Capt'n Midnight


    Put a second NIC in the server (it should really have two anyway so if one dies you can swap over to the other without having to take the cover off.)

    So the server will hand out reserved addresses to MACs it recognises, and these will have the subnet of the current card, and junk addresses on the other subnet to other clients. (Set up a firewall on the second IP address and bind PPTP etc. to it so the little darlings can't connect.)

    Also on the junk scope you can set up junk addresses for WINS/DNS/ROUTER=Gateway so they can't go anywhere.

    Note: a good switch will record MAC addresses and the port to which each was connected, so you will have evidence of a connection...


  • Registered Users Posts: 275 ✭✭oakers


    Hi Kali,

    If the domain controller is configured correctly and someone brings in a PC, it won't be able to access anything as the PC has to have a computer account created on the domain server, thus becoming part of the internal domain.

    The only way to do this is to connect up the PC and introduce it to the domain. At this point the Server will ask for authentication in the form of the admin username and password. If this is not known the computer account will be rejected! Thus no access is given.

    Granted, if you've set up every user on your network as an administrator this kind of knackers your security, as anyone can do anything they like!

    Hope this answers your question!

    P.S. If someone comes in with a laptop and is already aware of a username and password that will give them access, doesn't this kind of defeat the object of having network security in the first place? And come to think of it, why wouldn't they just log on to an existing machine??

    Any new user on my network signs a usage document stating that their network usage is a privilege, not a right, and that they are responsible for their username and password and it should in no instances be released!


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,790 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by oakers
    If the domain controller is configured correctly and someone brings in a PC it won't be able to access anything as the PC has to have a computer account created on the domain server; thus becoming part of the internal domain.

    AFAIK this does not apply to Win95/Win98/Linux etc.
    Only if it's an NT / 2K / XP machine that participates in the domain does this apply.


  • Registered Users Posts: 275 ✭✭oakers


    Cheers Cap,

    You're quite correct! My bad, I did not mention this. To be quite honest I didn't even think about it! It's been some time since I encountered anything prior to 2K! :o

    Sorry about that! Not too sure, but I think you may be able to mess with group policy for this! Really not sure though, will have to investigate!


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    Originally posted by oakers
    The only way to do this is to connect up the PC and introduce it to the domain. At this point the Server will ask for authentication in the form of the admin username and password. If this is not known the computer account will be rejected! Thus no access is given.

    Yes, I am aware of that... I'm a network administrator myself... my simple point is that a machine does not have to have a specific domain account (i.e. listed as a domain member) to access network shares... ANY machine can (as long as you have a domain user account; it doesn't have to be an administrator account).
    Which invalidates your original point equating a domain with a semblance of security.

    I mean, we've 3 Windows XP Home machines (for testing) in here (which has absolutely no support for domains) running perfectly fine with network shares... (none are listed on the domain controller at all).

    Originally posted by oakers
    P.S. If someone comes in with a laptop and is already aware of a username and password that will give them access doesn't this kind of defeat the object of having network security in the first place?

    Who else would be coming into your company in fairness? I don't know about yours, but in my company we don't allow random people to walk in off the street with PCs or laptops... the only people ever likely to do it are employees... who have their own individual logins.

    Originally posted by oakers
    and come to think of it, why wouldn't they just log on to an existing machine??

    Let me see: to use company bandwidth? To copy software? To take large files home? To do their own work on their own PC during work time? There's lots of reasons, both legit and dodgy... read any security books and the first thing they will tell you is that the majority of breaches come from inside companies, from workers :)


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    Originally posted by Capt'n Midnight
    AFAIK this does not apply to Win95/Win98/Linux etc.
    Only if it's an NT / 2K / XP machine that participates in the domain does this apply.

    Doesn't apply to NT/2K or XP either, I'm afraid...
    You can still access shares via

    net use z: \\myserver\myshare /user:myuser mypassword

    or a myriad of other ways... even if you just went to Run and put in \\192.168.0.1 and then MYDOMAIN\user and the password...

    The whole concept of a machine having to be part of a domain is pointless in terms of security (as far as I can see).


  • Registered Users Posts: 275 ✭✭oakers


    OK, I'm not getting into a bitch fight about this. Frankly I can't be arsed!

    My main point was that you can do a certain amount and beyond that it becomes a waste of time. Users are resourceful little swines, so I just implement standard IT policy!

    I run network monitors and check certain things every week. If certain things pop up that I don't recognise I can trace it, including what resource it was accessing and whose logon was used. That user then gets a warning. Simple, 3 strikes and you're out; FIRED! That usually scares the crap out of them enough for them not to risk it!

    Anyways, have fun!


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,790 Mod ✭✭✭✭Capt'n Midnight


    Net Use Y: \\10.0.0.1\c$ /user:domain\administrator

    Code:
    C:\WINDOWS>net use /?
    The syntax of this command is:

    NET USE
    [devicename | *] [\\computername\sharename[\volume] [password | *]]
    [/USER:[domainname\]username]
    [/USER:[dotted domain name\]username]
    [/USER:[username@dotted domain name]
    [/SMARTCARD]
    [/SAVECRED]
    [/PERSISTENT:{YES | NO}

    NET USE {devicename | *} [password | *] /HOME

    NET USE [/PERSISTENT:{YES | NO}]

