In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.
neil ___________________________ Neil Ruston Global Technology Infrastructure Nomura International plc Telephone: +44 (0) 20 7521 3481 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: 08 January 2007 13:27 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava > Sent: 08 January 2007 12:20 > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP > servers? (or how do you find it?) > > Hi all! > > Just wondering, is there a way to "prevent" a rogue DCHP server from > playing havoc with a network? > > I have been digging into "dhcp security" but I haven't really found > anything that makes it possible to auth. a DHCP server, so that the > clients don't fall for a rogue one. > > >From what I've seen, the approach MS follows is that IF your DHCP > >server is > Windows-based, you have to "auth" it on the Domain. That prevents the > AD/infrastructure admins from shooting themselves on the foot by > having too many/improperly configured servers.. But that won't stop a > rogue VM from being a nuisance... > > I've found this problem in one of our customers sites. They use static > IP addressing, but we were setting up a few of their computers with a > different sw load and configuration, and they wanted to use DHCP to > make config changes more dynamic. When running on an isolated netowork > segment, all was fine, but once we moved "into" their network (to do a > pilot test) we found a DHCP server serving a range outside their own, > and really messing things up. You could try using DHCP classid. If you set it on your clients when you build them they will ignore anything with the "wrong" classid. I think you can also control via group policy. > What's more, nmap'ing the server, it had a VMWARE-owned MAC and no > open ports whatsoever (tcp/udp), at least that I could find. Strange > ;) > Probably an XP system with the firewall on. A real pain to manage > We managed to overcome the issuse because the software load included > an IP filtering component, so we decided to block > UDP/67 and UDP/68 traffic from all IP addresses and only allow it for > 255.255.255.255 and the IP address of the servers we were going to > use... But using a whitelist is a bit of a PITA, so I was wondering if > there was some other "cleaner" way to do it.. > > Thank a lot in advance > > Javier J > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ma/default.aspx > > ********************************************************************** This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk ********************************************************************** List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
