Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from playing
havoc with a network?

I have been digging into "dhcp security" but I haven't really found anything
that makes it possible to auth. a DHCP server, so that the clients don't
fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is
Windows-based, you have to "auth" it on the Domain. That prevents the
AD/infrastructure admins from shooting themselves in the foot by having too
many/improperly configured servers.. But that won't stop a rogue VM from
being a nuisance...

I've found this problem in one of our customers sites. They use static IP
addressing, but we were setting up a few of their computers with a different
sw load and configuration, and they wanted to use DHCP to make config
changes more dynamic. When running on an isolated network segment, all was
fine, but once we moved "into" their network (to do a pilot test) we found a
DHCP server serving a range outside their own, and really messing things up.
What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open
ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an IP
filtering component, so we decided to block UDP/67 and UDP/68 traffic from
all IP addresses and only allow it for 255.255.255.255 and the IP address of
the servers we were going to use... But using a whitelist is a bit of a
PITA, so I was wondering if there was some other "cleaner" way to do it..

Thanks a lot in advance

        Javier J
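
An added example, not part of Javier's post or any product he mentions: a small Python checker that parses DHCP server replies (BOOTREPLY with option 53 OFFER/ACK/NAK) and flags any whose server identifier (option 54) is not on the allow list, the same whitelist idea as the UDP/67-68 filter above but applied to captured packets so a rogue VM shows up in a log rather than just being blocked. The allow-list addresses, MAC and packets are constructed for the example; `build_reply` fabricates minimal test packets and is not a capture.

```python
import ipaddress
import struct

BOOTP_HDR = 236                      # fixed BOOTP header before the magic cookie
COOKIE = b"\x63\x82\x53\x63"         # DHCP magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = {2, 5, 6}           # message types only a server should send

def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP header and the DHCP option TLVs of one UDP payload."""
    if len(payload) < BOOTP_HDR + 4 or payload[BOOTP_HDR:BOOTP_HDR + 4] != COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address being handed out
    chaddr = payload[28:28 + hlen].hex(":")               # client hardware address
    opts, i = {}, BOOTP_HDR + 4
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": opts}

def flag_rogue_servers(payloads, allowed_servers):
    """One alert line per server reply whose option 54 is missing or not allow-listed."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed_servers}
    alerts = []
    for payload in payloads:
        pkt = parse_dhcp(payload)
        mtype = pkt["options"].get(OPT_MSG_TYPE, b"\x00")[0]
        if pkt["op"] != 2 or mtype not in SERVER_REPLIES:
            continue                                      # client traffic: ignore
        sid = pkt["options"].get(OPT_SERVER_ID)
        if sid is None or ipaddress.IPv4Address(sid) not in allowed:
            who = str(ipaddress.IPv4Address(sid)) if sid else "<no server id>"
            alerts.append(f"{MSG_TYPES[mtype]} for {pkt['yiaddr']} from unlisted server {who}")
    return alerts

def build_reply(msg_type: int, server_ip: str, yiaddr: str, xid: int = 0x1234) -> bytes:
    """Constructed test packet: a minimal BOOTREPLY with options 53 and 54 (not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)               # op .. flags
    hdr += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\x00" * 8  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("000c29aabbcc") + b"\x00" * 10 + b"\x00" * 192     # chaddr (made-up MAC), sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    return hdr + COOKIE + opts + ipaddress.IPv4Address(server_ip).packed + bytes([OPT_END])
```

Feed `flag_rogue_servers` the UDP payloads from a capture of port 67/68 traffic and the IPs of the servers you actually run; anything it returns is a server you did not put there.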

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
