Approve a DHCP lease first?

Is there a way for me to approve a DHCP lease before it is
given out?
I know that is kind of ridiculous or is there a way for me
to keep only
people who i currently have leases for?  I had someone come
in and plug
in on my network at work last week and I DO NOT want any
outside
computers on our network but it's pretty easy with DHCP
enabled to do
that.  I am open to any other ideas first.  Thanks!


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the
Google Groups "Windows 2003" group.
To post to this group, send email to Windows2003googlegroups.com
To unsubscribe from this group, send email to
Windows2003-unsubscribegooglegroups.com
For more options, visit this group at http://groups-beta.google.com/group/Windows2003?hl=en
-~----------~----~----~----~------~----~------~--~---

Yeah, there is a way without buying extra stuff, just so
long as you've
got your 2003 Server serving DHCP and not your hardware
router.

I haven't tried this yet but it should work. In the active
DHCP
scope(s), take your existing DHCP leases, and record the
"unique id"
(justi a nickname for MAC address) and leased IP address of
every NIC
on your network. Using those records, create DHCP
reservations for each
and every one of those NICs. When you're all done, confirm
that every
NIC has a reservation, then figure out how many reservations
you've
created and limit your DHCP scope to precisely that set of
addresses. I
would make sure your reservations are sequential i.e.
192.168.5.15,
.16, .17 etc.

Two catches. 1, if any of the existing DHCP clients is a NAT
device
(i.e. Windows XP with dual NICs and ICS running), you now
have a
potential workaround to your DHCP setup. This holds
especially true if
the second NIC in the XP example is wireless (think wireless
Router =o
) and 2, this doesn't prevent network access, only the
receipt of a
dynamic address.

If you have a security budget, you could look at SafeDHCP:
h
ttp://www.metainfo.com/index.cfm/page/metasafedhcp

On Nov 10, 9:29 am, "ridergroov"
<ridergro...comcast.net> wrote:
> Is there a way for me to approve a DHCP lease before it
is given out?
> I know that is kind of ridiculous or is there a way for
me to keep only
> people who i currently have leases for?  I had someone
come in and plug
> in on my network at work last week and I DO NOT want
any outside
> computers on our network but it's pretty easy with DHCP
enabled to do
> that.  I am open to any other ideas first.  Thanks!


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the
Google Groups "Windows 2003" group.
To post to this group, send email to Windows2003googlegroups.com
To unsubscribe from this group, send email to
Windows2003-unsubscribegooglegroups.com
For more options, visit this group at http://groups-beta.google.com/group/Windows2003?hl=en
-~----------~----~----~----~------~----~------~--~---

Also if you have a layer 3 switch you can just turn security
options on
each port to only allow one mac set to it, that way when
someone tries
to plug something else into it, it'll lock out the port and
turn it
off.  My guess is that you probably don't have a layer 3
switch since
you were looking to do it with Win2k3, but if you do and
would like
more info just let me know.  I'm most familiar with Cisco
switches
(>2900 series) but with like HP switches i know the
config manager are
pretty easy to work with.


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the
Google Groups "Windows 2003" group.
To post to this group, send email to Windows2003googlegroups.com
To unsubscribe from this group, send email to
Windows2003-unsubscribegooglegroups.com
For more options, visit this group at http://groups-beta.google.com/group/Windows2003?hl=en
-~----------~----~----~----~------~----~------~--~---

Hey, thanks for that tidbit, Christopher. I didn't know that
about
Catalysts and the HP switches (that's the procurve series
right?) I
should try that out.


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the
Google Groups "Windows 2003" group.
To post to this group, send email to Windows2003googlegroups.com
To unsubscribe from this group, send email to
Windows2003-unsubscribegooglegroups.com
For more options, visit this group at http://groups-beta.google.com/group/Windows2003?hl=en
-~----------~----~----~----~------~----~------~--~---

Port Security is really secure, except it requires a lot of
administration.  By this i mean, when you turn it on you
have the
option to set an action when the security is violated,
typical action
is Warn, but really secure places set it to disable the
port.  Now when
it disables the port, the only way to enabled it again, is
to log back
into your switch and do a no shutdown command (sometimes you
must even
go into that CLI to do so).  This is fine in my opinion
because it'll
teach your clients not to screw around real fast.  The warn
option is
only good if you have some type of program setup to watch
your syslog
and ssend updates to like your mail client or whatever. 
Again syslog
is a Cisco Proprietary function, that i'm sure is mimic'd in
HP's
switches (yes the procurve series etc.).  With cisco you can
use the
cisco security device manager to setup a SMTP forward
directly to your
email, or if your really cool you can set it up to send them
to you
Nextel phone =D


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the
Google Groups "Windows 2003" group.
To post to this group, send email to Windows2003googlegroups.com
To unsubscribe from this group, send email to
Windows2003-unsubscribegooglegroups.com
For more options, visit this group at http://groups-beta.google.com/group/Windows2003?hl=en
-~----------~----~----~----~------~----~------~--~---