Monday, May 26, 2008

Restrict DHCP on Windows 2003

A few months ago, I was facing the problem of assigning IP addresses only to our domain computers. Anyone from the outside should not get an IP from our network. The results of all my conclusions are here. I hope they will help somebody in the future.
There are a few ways to restrict DHCP:
1. Create a DHCP scope containing only reserved IP addresses for domain computers. This will not stop people who manually configure their IP addresses on computers from accessing your network, and it is usually not practical if you have many computers.
2. Switches that can manage port access by MAC address filtering. The drawback of this approach is that MAC addresses can be spoofed.
3. The third and last option is also the most secure of all: 802.1X authentication for wired clients. 802.1X for wired networks provides authentication and authorization protection at the switch port. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices attached to a LAN port. Use of the port is denied if the authentication process fails. Alternatively, the port can be assigned to a VLAN that does not contain important resources. For this you must have switches that support 802.1X authentication, an IAS server installed, and Certificate Services deployed on Windows 2003. This is the help: http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
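As an added example (not part of the original post) for options 1 and 2, the PowerShell script below does two things an administrator would want when relying on reservations: it generates the `netsh dhcp` reservation commands for a whole list of domain computers in one go, which addresses the "not practical with many computers" objection, and it audits the current leases against that list so a device that is not a domain computer, or a known MAC that turns up on an address other than its reservation, is flagged for investigation. The DHCP server name `DHCP01`, the scope `192.168.10.0`, the computer list and the lease lines are all constructed placeholders; in practice the computer list would come from `Import-Csv` or an AD query and the leases from the DHCP server itself.

```powershell
# Added example, not code from the original post.
# Assumptions: DHCP01 and scope 192.168.10.0 are placeholders; $Domain and
# $SampleLeases are constructed sample data, not a real export.

$Scope  = '192.168.10.0'
$Server = 'DHCP01'

# Constructed list of domain computers (normally Import-Csv or an AD query)
$Domain = @(
    @{ Name = 'PC01'; MAC = '00-11-22-33-44-01'; IP = '192.168.10.101' },
    @{ Name = 'PC02'; MAC = '00-11-22-33-44-02'; IP = '192.168.10.102' },
    @{ Name = 'PC03'; MAC = '00-11-22-33-44-03'; IP = '192.168.10.103' }
)

function Normalize-Mac ([string]$Mac) {
    # netsh wants 12 hex digits with no separators; upper-case for comparison
    return ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

# Option 1: one reservation per domain computer, so the scope only hands out
# addresses to known MACs. The commands are emitted as text so they can be
# reviewed before running them.
function New-ReservationCommands {
    foreach ($c in $Domain) {
        $mac = Normalize-Mac $c.MAC
        "netsh dhcp server \\$Server scope $Scope add reservedip $($c.IP) $mac `"$($c.Name)`" `"domain computer`""
    }
}

# Option 2 caveat: MAC-based controls need auditing because MACs can be
# spoofed. Compare leases (constructed format: IP MAC HOSTNAME) to the list.
function Test-Leases ([string[]]$LeaseLines) {
    $allowed = @{}
    foreach ($c in $Domain) { $allowed[(Normalize-Mac $c.MAC)] = $c }

    foreach ($line in $LeaseLines) {
        $ip, $mac, $hostname = $line -split '\s+'
        $key = Normalize-Mac $mac
        if (-not $allowed.ContainsKey($key)) {
            "ALERT unknown MAC $mac holds $ip ($hostname): not a domain computer"
        }
        elseif ($allowed[$key].IP -ne $ip) {
            "WARN  $mac expected $($allowed[$key].IP) but holds $ip ($hostname): possible spoofed or manually set address"
        }
    }
}

# Constructed sample leases (not real netsh output)
$SampleLeases = @(
    '192.168.10.101 00-11-22-33-44-01 PC01',
    '192.168.10.102 00-11-22-33-44-02 PC02',
    '192.168.10.150 00-AA-BB-CC-DD-EE laptop-guest',
    '192.168.10.120 00-11-22-33-44-03 PC03'
)

New-ReservationCommands
Test-Leases $SampleLeases
```

On the constructed data the audit reports the guest laptop as an unknown MAC and PC03 as holding an address other than its reservation. The second finding is only a weak indicator (a stale lease or a renumbered machine looks the same), which is exactly why the post treats 802.1X, rather than MAC lists, as the option that actually authenticates the device.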
