4

Is there any way of not allowing users to statically set an IP address on their machines?

We have a lot of servers with static IP addresses and also a DHCP server. I am afraid of allowing users to set a static IP address on their machines and they eventually get a server IP address by mistake.

I know we could create a rule on Active Directory blocking changes on network interfaces, or create logins without administrative rights, but all of those solutions can be bypassed. I want some server rule that only our network administrator has access to.

  • Our DHCP server is Ubuntu
  • Our desktop machines are Windows 7 based
  • Our firewall is Ubuntu + iptables
  • Active Directory
Peter Mortensen
  • 2,318
  • 5
  • 23
  • 24
Rafael Colucci
  • 183
  • 1
  • 10
  • 4
    "I know we could create a rule on Active Directory blocking changes on network interfaces, or create logins without administrative rights, but all of that solutions can be bypassed." If your users can bypass AD/GP restrictions there's something wrong, and shouldn't your users be non-admin anyway? –  Feb 15 '12 at 12:52
  • @sam Because of some old applications, my users need to be administrators. I cannot change this for now. – Rafael Colucci Feb 15 '12 at 13:03
  • @sam Also, I work on a software house. Which means I have a lot of developers. And as we all know, developers need to be administrator of their machines. – Rafael Colucci Feb 15 '12 at 13:08
  • 6
    In that case, why not explain to them that they shouldn't change their settings and should leave their network on DHCP? So many questions around here try to solve HR problems with technology. –  Feb 15 '12 at 13:11
  • Have you asked them why they think they "need" static IPs? – Andrew Feb 15 '12 at 13:19
  • 1
    I agree with sam. This is a people problem. – Sirex Feb 15 '12 at 14:05
  • @sam you do realize we cant trust users, right? If we could, them there should not have firewall rules blocking some sites, neither anti virus. Even though they are developers, to my point of view they are users and I am responsible for the sake of the network. I dont want to sound rude, but that is not the question. Lets stick on my question, shall we? Maybe we can create another topic about that, but not in this one please. – Rafael Colucci Feb 15 '12 at 15:05
  • @sam just another example, yesterday we got a problem of a user who created a virtual machine and gave it a static if. This IP turned out to be a cluster IP and the cluster went down. – Rafael Colucci Feb 15 '12 at 15:07
  • @RafaelColucci If you can't trust users they shouldn't have admin accounts. You can't give them freedom and restrict what they can do at the same time. –  Feb 15 '12 at 15:14
  • @sam again sam, thats not what is being asked here. I already told you that my users NEED to be admins, theres nothing i can do about it. Yes, i can give them freedom in their computers, but i cannot let some crazy guy in a bad day ruin my network. Lets stick to the question!!!! – Rafael Colucci Feb 15 '12 at 15:18
  • 3
    @RafaelColucci Then your problem isn't a technical one, it's a human one. If your users need admin then they need to be trusted. If you can't stop them being admins, change the environment so you can trust them. It's probably not even a trust issue, I'm sure the developers won't do things to harm the system deliberately. Teach them why they can and can't do things, if they want an IP, get them to email you and ask for one that's free. –  Feb 15 '12 at 15:24
  • @sam I give up. Not gonna discuss this here. I am gonna delete the question. – Rafael Colucci Feb 15 '12 at 15:27
  • @Sam I have to disagree with you. It's a technical problem that you might not have had the privilege of having to deal with, but users should generally not be trusted to do intelligent things. I do agree with the sentiment that problem users *should be dealt with by HR*, but realistically that isn't always something admins can depend on (especially for "valuable" employees). – Chris S Feb 15 '12 at 15:36
  • 1
    @ChrisS But surely if untrusted users have full admin rights, regardless of how many technical solutions you put in place there will always be *something* they can do to bugger up something else. Is it not easier just to say "Hey, when you do x, y or z it breaks things, shoot me an email if you ever need to do anything like this and I'll show you how"? –  Feb 15 '12 at 15:51

3 Answers3

9

Workaround: Put your users and your servers in separate subnets. A quick VLAN and router change should get it running. Then your users couldn't take a server's IP address, because they're on the "wrong" physical connection to be able to do so.

Peter Mortensen
  • 2,318
  • 5
  • 23
  • 24
Chris S
  • 77,945
  • 11
  • 124
  • 216
5

You could delegate only the "administrator" privileges these users need (create a new AD group and use group policy to (for example) let them install software, but not modify network settings). This is of course contingent on whatever they "need" admin rights for not being stupid and demanding that they be members of the Administrators group...

This solution also has the advantage of enforcing the Principle of Least Privilege - From what I can glean from your question and your comments this is something you should be working to apply throughout your organization as your developers seem to be running roughshod over sane policy and environment stability.

Changing network settings is today's problem. Tomorrow's problem will be something else a clueless user breaks by misusing their admin rights. As Sam pointed out in the comments you really need to deal with the underlying problem (untrusted users being given admin rights) in order to keep control of your environment.

voretaq7
  • 79,879
  • 17
  • 130
  • 214
  • 2
    Well, that should solve part of the problems i am having. But users could install a virtual machine and set it to static ip. But ill keep it in mind. Thanks for the answer!!! – Rafael Colucci Feb 15 '12 at 15:52
  • 1
    You could lock your switches to only allow authorized MAC addresses on authorized ports... (I've worked in places that do that, it sucks, but it also prevents "Well I just brought my laptop, plugged it in, and assigned it a static IP" problems.) – voretaq7 Feb 15 '12 at 16:03
  • Well, i will give it a try. – Rafael Colucci Feb 15 '12 at 16:15
3

Rafael, I would recommend a two-pronged approach to this problem.

As Chris S. stated, it would definitely be worth putting your users and your servers in separate subnets. You could also put static IP network printers in that server subnet or in their own subnet. It's a little effort with a big reward in security, organization, and management.

Second, I apologize for bringing up the local administrator privileges again, but I believe that there is a solution that will work for you. The Microsoft Application Compatibility Toolkit is designed for this kind of issue, and brought some impressive improvements for Windows 7 clients. Have you tried it yet? In short, what it does is detect what permissions your application needs (whether it be admin rights or on restricted registry keys) and then create a "shim" to make the application work when run under a limited user account. When run as a limited user, them shim elevates the rights for that specific application and not the entire user session. This would then free you to remove those pesky administrative privileges and thus avoid your static/DHCP problem.

Give it a try, and good luck!

SamErde
  • 3,409
  • 3
  • 24
  • 44