Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Security
        Preventing Rogue DHCP Clients

Section(s): Security , Network
Published on Aug 04, 2005.
Last Modified on Aug 04, 2005.
Last Modified by Mitch Tulloch.
Rated 2.8 out of 5 based on 13 votes.

If you are using DHCP on your network and you want to prevent rogue clients from obtaining IP addresses from your DHCP server and participating on your network, your options are simple.

If you are using DHCP on your network and you want to prevent rogue clients from obtaining IP addresses from your DHCP server and participating on your network, your options are simple:

Enforce rigorous physical security. If a hacker can get through the front door and connect a laptop to your network, they can do a lot worse stuff than steal an IP address!
Use 802.1x or IPSec to secure your existing clients from rogue clients. This won't prevent rogue clients from obtaining IP addresses however, just doing something useful with them.
Use reservations for all your DHCP clients. In W2K3 you can use the getmac command to obtain the MAC address of a remote Windows machine if you know its IP address, and if you have a fairly small network you could write a script or batch file to run getmac for every IP address in each subnet.

About Mitch Tulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com .