

DHCP - Block unauthorised computers obtaining address lease





welshsteve
Hi everyone.

Does anybody know how I can block unauthorised computers from obtaining a DHCP address lease in our Windows Server 2003 environment?

One particular person is plugging themselves into a mini switch and gaining access to the network/internet, which I'm not happy about because I have no way of telling whether they have decent AV and firewall etc on the machine.

As this PC no doubt has its adapter settings set to "auto", one thing I have tried is to create a reservation for the computer's MAC address in DHCP, and set the IP to be outside the address pool. Should this stop it working?
Relentless
If he knows the IP ranges, then by doing that there is nothing stopping him from making a manual IP address to gain access.

Best way to block a network PC is on the switch. Block the computer's MAC address on the switch. Alas stopping his computer from seeing anything on the network.
welshsteve
Thanks, I will do that.

I'm not aware that he knows the IP range. I just think he has his DNS settings set to automatically detect.
badai
Here is how to do it on Win2003: http://www.petri.co.il/filter-mac-address-windows-server-2008-dhcp-server-callout-dll.htm

Unfortunately the link to download is dead. I also do not have a copy since I switched jobs. You can try Google for it in case it is still floating around somewhere.

There is one problem though: when they know the IP range, they can enter it manually, and it WILL connect to the network. They will have full access to the network because what you do is to block DHCP from giving them an IP.

Also, if they use an IP already used by another user, you will have an IP conflict.

So the best solution is still using a managed switch.
menino
I think you can block it from the dhcp server itself, and what you have already done with the exclusion sounds about right, in the reservations bit.

Perhaps if the firewall is enabled on the server, you could use the mac address part of it in there, to prevent that user from even reaching the server and its resources.
badai
menino wrote:
I think you can block it from the dhcp server itself, and what you have already done with the exclusion sounds about right, in the reservations bit.

Perhaps if the firewall is enabled on the server, you could use the mac address part of it in there, to prevent that user from even reaching the server and its resources.


The server might not be accessible, but what about other computers? The main concern here is whether "they have decent AV and firewall etc", which implied it's going to infect the whole network, except the server. How do we deal with that? We don't even know when the computer is plugged in, and what its MAC address is, to configure it at all nodes in the network.

The way I see it, only a managed switch can handle this, unless you want to only protect the server and don't want the computer to go out (implying the DHCP server is also the gateway).
sanalskumar
In a Cisco device network, you can enable port-level security in the switches. This way, only a predefined MAC or MACs will have access to a switch port. This will help you to control access to the network.

If you have resources available, you can go for network access control solutions like...

Network Access Protection Server (Microsoft)
Network Admission Control (Cisco)

Let me remind you that these are not cheap options. If you really want to stick to your current network setup, the aforementioned option of controlling access to your switch ports will do the job.


If you have a properly configured and managed domain controller, you can restrict users from changing the IP address or any such settings. I have heard it's possible to integrate AD and DHCP, so as to release a defined IP for a particular user. Didn't test it on my end though.

Hope this might be useful for you...
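
The switch-port restriction recommended in this thread, as an added example that is not part of any participant's post: Cisco IOS port security on a single access port. The interface name, description and VLAN number are assumptions; substitute the port the desk is patched into.

```cisco
! Added example. FastEthernet0/5 and VLAN 10 are assumed values.
configure terminal
interface FastEthernet0/5
 description Desk port - one authorised PC only
 ! Port security requires a static access (or trunk) port, not a dynamic one.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! One MAC per port: a second device behind a mini switch causes a violation.
 switchport port-security maximum 1
 ! Learn the first MAC seen on the port and write it into the running config.
 switchport port-security mac-address sticky
 ! restrict = drop frames from unknown MACs, keep the port up, log and count
 ! each violation. The default (shutdown) err-disables the port instead.
 switchport port-security violation restrict
end
! Check the learned address and the violation counter.
show port-security interface FastEthernet0/5
show port-security address
! Keep the sticky address across a reload.
copy running-config startup-config
```

Port security matches on source MAC address only, and a MAC address can be changed in software, so this stops casual plug-ins and unplanned mini switches rather than a determined user. Because it acts at the switch port, it also covers the manually configured IP case raised earlier in the thread, which a DHCP-side block does not.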