
Windows DHCP Client Restriction


Igore65 (MIS), Mar 27, 2007
Is there a way to stop 2003 Server DHCP from handing out IP addresses to non-domain members? When 'foreign' PC is connected to the network, I do not want them to get an IP address.
 
Addresses are given out before the operating system has fully loaded, so you won't have much luck that way.

What is your reason, security? Since a client could manually specify the IP address, it won't help you much. You can use MAC address locking on your switches, if they are managed. I think you might be able to limit DHCP leases to a list of MAC addresses on the DHCP server, if I recall correctly. Of course, MAC addresses could be spoofed too.
 
What exactly are you trying to accomplish? Are you just trying to prevent visitors from being able to access your network or the internet? Are you having a problem with users bringing in rogue PCs that endanger your network?
 
Yeah, we want to prevent visitors from getting an IP address when they come in and plug into the network. Already, due to the proxy and firewall config, they cannot get out to the Internet, and access to network resources is limited because they do not have a username, password or computer account in AD... But we do not want them even getting an IP from our DHCP...
 
Are these consultants/foreign users set up to connect in a particular office? You can always disable the network connection where they sit. Otherwise you can set up your switches to filter connections based on a list of MAC addresses for your machines (but this is a bit overkill).
 
The 'foreign' machines that I want to restrict are not constant... That is to say, it is a different user, consultant or visitor all the time, so I cannot easily create a MAC address list to restrict their PCs on the switch, and trying to maintain a reservation list for our in-house PCs is unrealistic...
 
What we do is deactivate all unused data and voice ports. If someone wants one activated, they have to submit a ticket to the help desk. I don't know if that will work for you, but we are a large corporation, so it might help you to know what others do in this case.

I can't think of any way to tell a DHCP server to give IP addresses only to domain PCs. It's a non-routable protocol, and if you have a broadcast network, the DHCP server will respond to any request for an IP address, regardless of device or domain membership.
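To make the point above concrete (and the earlier suggestion of a MAC allow list on the DHCP server), here is an added example that is not from the original thread: a minimal DHCPv4 DISCOVER parser and the only filter decision a server can make from that packet. Everything the server learns about the client is in the fixed header (chaddr, the hardware address) and the options (message type, client identifier); there is no field that carries domain membership. The packet builder, the sample MAC addresses and the allow list are constructed for this example; the header layout and option codes follow RFC 2131/2132.

```python
"""Parse a DHCPv4 DISCOVER and apply a MAC-address allow list.

Shows why a DHCP server cannot check domain membership: the request
carries only a hardware address and a client identifier, both chosen
by the client, so an allow list is defeated by copying a known MAC.
"""
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"       # RFC 2132 option-field marker
OPT_MSG_TYPE = 53
OPT_CLIENT_ID = 61
OPT_END = 255
DHCPDISCOVER = 1
# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Construct the DISCOVER a freshly booted client sends (sample input)."""
    fixed = struct.pack(
        HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER,
                      OPT_CLIENT_ID, 7, 1]) + mac + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_discover(pkt: bytes) -> dict:
    """Return the fields a DHCP server actually sees in a client request."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file) = struct.unpack(
        HEADER_FMT, pkt[:236])
    if op != BOOTREQUEST:
        raise ValueError("not a client request")
    options = {}
    i = 240
    while i < len(pkt):                  # TLV walk over the options field
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                    # pad byte has no length
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": xid, "chaddr": chaddr[:hlen], "options": options}


def mac_str(mac: bytes) -> str:
    """Render a hardware address the way the Windows DHCP console shows it."""
    return "-".join(f"{b:02X}" for b in mac)


def should_offer(pkt: bytes, allowed_macs: set) -> bool:
    """The strongest check a DHCP server can make: is chaddr on the allow list?"""
    msg = parse_discover(pkt)
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False
    return mac_str(msg["chaddr"]) in allowed_macs


if __name__ == "__main__":
    corp_mac = bytes.fromhex("001a2b3c4d5e")      # constructed in-house PC
    visitor_mac = bytes.fromhex("0011deadbeef")   # constructed visitor laptop
    allow = {mac_str(corp_mac)}
    print("in-house PC offered:", should_offer(build_discover(corp_mac), allow))
    print("visitor offered:    ", should_offer(build_discover(visitor_mac), allow))
    # A visitor who sets their NIC to a known MAC is indistinguishable.
    print("spoofing visitor:   ", should_offer(build_discover(corp_mac), allow))
    print("fields visible:     ", sorted(parse_discover(build_discover(corp_mac))))
```

Run it and the third line is the caveat from the thread: the allow list blocks an unknown MAC, but the server has nothing else to key on, so a visitor who copies a colleague's MAC gets an address. Any real control on "is this a domain machine" has to happen at the switch port (port security, 802.1X) or after the lease (NAP/NAC), not inside DHCP.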
 
This is where NAP (Network Access Prevention) from MS or NAC (Network Admission Control) from Cisco comes in... however, we looked at both and found that for now we'd better wait a little longer before implementing, as they are not really standard yet (at least when I looked).
We think that when Longhorn Server comes out things will be different. (Vista already supports it out of the box, even XP in a limited way.)

Also some vendors of desktop management systems are providing such solutions (e.g. LANDesk does it).

Finally, I've recently heard for the first time about "post-access" NAC, which is supposedly based on tools like Snort etc. and which, I suppose, then dynamically adapts firewall rules.

G.
 