Prevent unauthorized systems from accessing your network
Right now I'm using Microsoft's DHCP service on a Windows 2000 Server. The problem is that anyone who plugs into the network can get an address. We would like to give out IPs only to those who have registered their MAC address with our IT department.
There are a couple of approaches to this. However, depending on the size of your environment, they may be cost-prohibitive to implement. First, if you have maintained a registry of all MAC addresses in your environment, you can configure the DHCP server with nothing but reservations. This will ensure that the only systems the DHCP server will service a DHCP request from are registered MAC addresses. However, in my opinion, the maintenance and upkeep of this would be virtually impossible.
An alternative is to address the issue with 802.1x port security in your switches. After all, I suspect that ultimately you want to prevent unauthorized systems from gaining access to your network -- not necessarily prevent them from getting an IP address from the DHCP server. 802.1x port security will ensure that only authenticated systems can access any network resources in your environment. 802.1x configurations depend on your switch vendor's capabilities, but here is a set of instructions for Cisco 2950 and 2955 series switches. In addition, I covered 802.1x for Cisco IOS-based switches in detail in chapter 9 of Hardening Network Infrastructure and would encourage you to check it out for more details.
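The reservations-only approach in the answer above stands or falls on the MAC registry, so the two chores it creates are turning that registry into reservations and finding the machines that are currently getting leases without being registered. The script below is an added example, not part of the expert's answer: it canonicalizes MAC addresses written in the usual mixed formats, rejects duplicate registrations (a DHCP scope can hold only one reservation per MAC), emits the `netsh dhcp server ... add reservedip` commands that create the reservations, and scans the Windows 2000/2003 DHCP audit log (columns `ID,Date,Time,Description,IP Address,Host Name,MAC Address`; event 10 is a new lease, 11 a renewal) for addresses handed to unregistered MACs. The registry rows, the log lines, and the server and scope names `DHCP1` and `10.1.2.0` are constructed for the example.

```python
"""Added example (not from the original Q&A): build DHCP reservations from a
MAC registry and audit the Windows DHCP audit log for unregistered leases.
All sample data below is constructed for illustration."""
import csv
import io
import re

# Constructed registry as an IT department might keep it; the MAC formats
# deliberately vary, since that is what real registries look like.
REGISTRY_CSV = """\
mac,ip,owner
00-11-22-33-AA-BB,10.1.2.50,WKSTN01
00:11:22:33:aa:cc,10.1.2.51,WKSTN02
0011.2233.aadd,10.1.2.60,PRINTER1
"""

# Constructed lines in the Windows 2000/2003 DHCP audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# Event 10 = Assign (new lease), 11 = Renew, 12 = Release.
AUDIT_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/14/05,00:00:01,Started,,,
10,02/14/05,09:12:33,Assign,10.1.2.50,WKSTN01.corp.local,00112233AABB
11,02/14/05,09:15:02,Renew,10.1.2.51,WKSTN02.corp.local,00112233AACC
10,02/14/05,09:20:45,Assign,10.1.2.77,laptop-unknown,0015F2AB11CD
12,02/14/05,10:01:00,Release,10.1.2.77,laptop-unknown,0015F2AB11CD
10,02/14/05,10:30:12,Assign,10.1.2.78,,001122334455
11,02/14/05,11:05:40,Renew,10.1.2.78,,001122334455
"""

LEASE_EVENTS = {"10", "11"}  # only the events that actually hand out an address
MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Canonicalize 00-11-..., 00:11:..., 0011.2233.aabb or bare hex to
    12 uppercase hex digits; anything else raises ValueError."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not MAC_RE.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return digits


def load_registry(text):
    """Map canonical MAC -> (ip, owner). A MAC registered twice is an error,
    because the DHCP server can hold only one reservation per MAC."""
    registry = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac in registry:
            raise ValueError("duplicate registration for %s" % mac)
        registry[mac] = (row["ip"].strip(), row["owner"].strip())
    return registry


def reservation_commands(registry, server, scope):
    """One netsh command per registered MAC, creating its reservation.
    `server` and `scope` are whatever the admin uses (assumed values here)."""
    return [
        'netsh dhcp server \\\\%s scope %s add reservedip %s %s %s "registered" BOTH'
        % (server, scope, ip, mac, owner)
        for mac, (ip, owner) in sorted(registry.items())
    ]


def unregistered_leases(log_text, registry):
    """Unique (mac, ip, host) triples for Assign/Renew events whose MAC is
    not registered. Header, Started and Release rows are skipped."""
    seen, hits = set(), []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue
        try:
            mac = normalize_mac(row[6])
        except ValueError:
            continue  # rows without a usable MAC cannot be matched either way
        if mac in registry:
            continue
        key = (mac, row[4], row[5])
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


if __name__ == "__main__":
    reg = load_registry(REGISTRY_CSV)
    for cmd in reservation_commands(reg, "DHCP1", "10.1.2.0"):
        print(cmd)
    for mac, ip, host in unregistered_leases(AUDIT_LOG, reg):
        print("UNREGISTERED %s got %s (%s)" % (mac, ip, host or "<no hostname>"))
```

Run against the constructed data it prints three `netsh` reservation commands and flags the two MACs (`0015F2AB11CD` and `001122334455`) that received leases without a registry entry; the release event for the first one is ignored because it hands out nothing. Scanning the audit log this way before switching the scope to reservations-only tells you how many devices will lose connectivity on day one, which is the practical measure of the "maintenance and upkeep" the answer warns about.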
This was first published in February 2005