Securing DHCP Server

[Rob Devereux]

Forgive the X posting but I wanted to cover as many bases as possible with
this.

I have a DHCP Server set up on a Windows 2000 Server.

In order to have the best of both worlds (ie have the security and auditing
of Static addresses in cases of virus infection or abuse but the convenience
of setup and ability to recoup address from leaving clients), I have set it
up to have no "pool" of addresses and 100% either blocked or reserved by MAC
address(the clients have to send me the MAC address which I register against
an IP address).

What I have found is that if a rogue machine is put on the network(for
example if someone forgets to register their MAC address or just ignores the
need), particularly a 2000/XP one, the DHCP Server will assign it an address
even though there are supposedly none to be assigned. What I have found
happening is that it assigns one of the reserved addresses that is currently
inactive(because the pc is temporariliy off the network), and of course as
soon as that client goes back on the network and tries to use the address,
they get an IP conflict at best and more likely just a lock on usage.

Has anyone seen this or got a fix for it?

Rob

--
Rob Devereux
IT Officer
Linacre College
St Cross Road
Oxford
OX1 3JA
(01865) 271659
(e-mail address removed)

 

[Steven L Umbach]

The KB link below refers to the behaviour you are seeing for a setup similar
to yours and suggests that a service pack may help.

http://support.microsoft.com/default.aspx?scid=kb;en-us;284145

While using reservations as you do may help it will of course not stop
someone from configuring their computers with static tcp/ip info to access
the network. If you are in a domain with all W2K/XP Pro computers you could
consider using ipsec that uses kerberos machine authentication within the
forest to restrict access to domain machines other than domain controllers
which will not work with a secure server/require ipsec policy.

Another thing to consider is a layer 2 switch than can control access to
ports based on mac address and/or use 802.1X authentication that requires
certificate authentication to a radius/IAS server before allowed access to
the port and network. --- Steve

http://www.dlink.com/products/?pid=87 -- an under $450 secure 24 port
managed switch.

 

[Rob Devereux]

Steven

Thanks for the pointer.

Unfortunately in the situation I have, it doesnt just issue the NACK to a
non-reserved client but eventually hands out the address too ie you dont get
a disappointed client with 2000/XP but an unregistered client with an
address they shouldnt have. All Servers are SP4 anyway so dont think the
Service pack fix will make any difference.

Rob

 

[Steven L Umbach]

Hi Rob.

OK. That is very interesting. I wll have to try that out myself soon. It was
always my understanding [your's also I am sure]that a reserved IP address
would only be issued to client with the proper mac address. I don't know if
what your experiencing is supposed to be normal or a bug/undocumented
feature. Maybe Microsoft can comment on this. --- Steve

 

[Rob Devereux]

Yes Steve, was my view too but it doesnt seem to work that way. Anyone from
Microsoft want to comment.

Rob

Hi Rob.

OK. That is very interesting. I wll have to try that out myself soon. It was
always my understanding [your's also I am sure]that a reserved IP address
would only be issued to client with the proper mac address. I don't know if
what your experiencing is supposed to be normal or a bug/undocumented
feature. Maybe Microsoft can comment on this. --- Steve

Steven

Thanks for the pointer.

Unfortunately in the situation I have, it doesnt just issue the NACK to a
non-reserved client but eventually hands out the address too ie you dont get
a disappointed client with 2000/XP but an unregistered client with an
address they shouldnt have. All Servers are SP4 anyway so dont think the
Service pack fix will make any difference.

Rob

access

to possible
with

reserved

by course