A computer is authorized to obtain an IP Address on network only when it is configured with DHCP Class ID where you have implemented MS DHCP Server. This Class ID mechanism can be understood by MS DHCP Servers only.

We have secured our DHCP Network using *MS Class Options* (You can find this mechanism only in MS DHCP Implementation).

Client machines can't get IP Address from any DHCP server available on the network  *IF* you have configured Class ID on client machines using *Ipconfig /setclassid* command. A DHCP packet will be dropped by DHCP server if *same Class ID* scope is not found on the network or MS DHCP server.

This is what happen when you implement Class ID on your network:

1. A computer plugs in your network.

2. DHCP client service starts and shouts on network to get an IP address (I assume this is a new computer and configured with Class ID).

3. DHCP Server goes throught its database or scopes check to see if it belongs to any Class ID scope, a simple scope or superscope if request is coming from different network id:

        a. If DHCP packet from client machine contains Class ID information, DHCP  
           Server goes through the Class ID Scopes. If it doesn't find same class ID in
           its database, the DHCP packet is dropped off. Exit Loop. Next, if DHCP server
           finds the Class ID Scope, it leases out the IP address to client machine and
           Exit Loop.

        b. DHCP server goes to next condiation available that is *DHCP Scope for
           same subnet*. HERE DHCP server can lease out IP address from any scope
           if you haven't configured client machine with Class ID. This is where DHCP
           Security is failing. If DHCP server finds no other scope, DHCP packet is
           dropped off. Exit Loop.

        c. Next available condition is to check in *DHCP Superscope for same or other
            subnet* or if client doesn't belong to same subnet. B condition applies in this case.

3. After checking above conditions, DHCP Server finally decides to drop off packets therefore client obtains IP Address using APIPA (169.254.x.x). This makes client out of network or it can't participate in network.

Restrict IPs to known MAC addresses (both static or DHCP) when the unauthorized machine has physical access to a NAM on the network.

1. Create a class on your network

2. Define a scope for these MAC systems only.

3. Create a unqiue Class ID for this scope.

4. Configure client machines using *Ipconfig /setclassid*. Set the Class ID which you have configured at DHCP Server.

Now when a DHCP server receive a packet from a client machine configured for the same Class ID, it will go through it's scopes to check whether they belong to any Scope Class you have configured at DHCP server.
If DHCP Server finds Class Scope with same Class ID then this will lease IP address *ONLY* from this class regardless of the subnet clinet machines belong to. Condition No. A applies in this scenario.

NOTE:

1. This way you can secure your DHCP Server.

2. This only applies when client machines has configured to obtain IP address automatically from a DHCP Server. If client machine has configured with Static IP address then you can't. You need to disable DHCP client service on client machine or unregister a DLL from their system or set permissions on registry on client machine so they can't save informations.

3. You shouldn't have any other Scope configured in your DHCP server without Class ID. If you do so DHCP server can lease out IP addresses from this scope if client request is coming without Class ID information or DHCP Packet from a client doesn't contain Class ID. Either you can use scopes or Class ID but you can't use both to implement this securtiy stuff. Check option A.B.C. described earlier in this article.

More here:  -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/