Preventing Rogue DHCP Clients

by Mitch Tulloch [Published on 4 Aug. 2005 / Last Updated on 4 Aug. 2005]

If you are using DHCP on your network and you want to prevent rogue clients from obtaining IP addresses from your DHCP server and participating on your network, your options are simple:

  1. Enforce rigorous physical security. If a hacker can get through the front door and connect a laptop to your network, they can do a lot worse stuff than steal an IP address!
  2. Use 802.1x or IPSec to secure your existing clients from rogue clients. This won't prevent rogue clients from obtaining IP addresses, however; it only prevents them from doing anything useful with those addresses.
  3. Use reservations for all your DHCP clients. In Windows Server 2003 (W2K3) you can use the getmac command to obtain the MAC address of a remote Windows machine if you know its IP address, and if you have a fairly small network you could write a script or batch file to run getmac for every IP address in each subnet.
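
The sweep described in option 3 could look like the following PowerShell script. It is an added example, not code from the original article. The subnet prefix, the output file name and the status labels are assumptions, and it presumes the account running it has administrative rights on the remote machines.

```powershell
# Added example: sweep one /24 with getmac and build a MAC inventory that can
# be used to create DHCP reservations. Values below are constructed samples.
$Prefix  = '192.168.1'              # assumed subnet prefix
$OutFile = '.\mac-inventory.csv'    # assumed output path

function ConvertFrom-GetmacCsv {
    param([string[]]$Lines)
    # "getmac /fo csv /nh" prints one line per adapter, typically:
    #   "00-11-22-33-44-55","\Device\Tcpip_{GUID}"
    foreach ($line in $Lines) {
        if ($line -match '^"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})","(.*)"$') {
            # Keep only adapters bound to a transport; disabled or
            # unplugged adapters report a status string instead.
            if ($Matches[2] -notmatch '^\\Device\\') { continue }
            $Matches[1].ToUpper()
        }
    }
}

$results = foreach ($octet in 1..254) {
    $ip = "$Prefix.$octet"
    # Skip silent addresses so getmac does not wait on an RPC timeout.
    if (-not (Test-Connection -ComputerName $ip -Count 1 -Quiet)) { continue }

    $raw = & getmac.exe /s $ip /fo csv /nh 2>$null
    if ($LASTEXITCODE -ne 0) {
        # Answers ping but refuses getmac: non-Windows, firewalled or
        # unmanaged. These are the hosts to investigate first.
        [pscustomobject]@{ IP = $ip; MAC = ''; Status = 'NoAccess' }
        continue
    }

    $macs = @(ConvertFrom-GetmacCsv -Lines $raw)
    if ($macs.Count -eq 0) {
        [pscustomobject]@{ IP = $ip; MAC = ''; Status = 'NoMac' }
        continue
    }
    # getmac does not say which adapter owns the IP, so multi-homed
    # machines are flagged for manual review rather than guessed at.
    $status = if ($macs.Count -eq 1) { 'OK' } else { 'MultipleAdapters' }
    foreach ($mac in $macs) {
        [pscustomobject]@{ IP = $ip; MAC = $mac; Status = $status }
    }
}

$results | Export-Csv -Path $OutFile -NoTypeInformation
```

Only rows marked OK map one IP address to one MAC address; the other rows need a manual check before a reservation is created from them.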

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com.