Hi! Thanks for the tips on using classid. Unfortunately, I'm not that sure if that'd work...
From what I've been able to read / see about DHCP ClassID, it's not really meant as a way to filter/select a DHCP server or to avoid getting a response from a "wrong" server, but more as a way for a server to filter/refine the results that the server sends back to the client. In this case, it's not really a case of "get the proper options" but rather of "not talk to the wrong server".. Of course, I might be wrong (and in this case, I'd really love to be proven wrong ;) But from what I've seen at: http://technet2.microsoft.com/WindowsServer/en/library/13cbcfbd-2d9d-40fd-8b54-5c8090924eb21033.mspx?mfr=true the classes are to be able to provide specialized/extra info to clients.

I've done a bit of testing: I've set up one VM (XP SP2) with a (user) classid on its LAN, and a W2003 DHCP VM server with different options depending on the ClassID. The behaviour is as expected, the system gets different options (DNS servers, etc) depending on the classid.

After that, I've turned off the DHCP server and started the VMware DHCP Service (where no classid or other options have been set). I've done a release/refresh on the network card, and I get an IP address from the "wrong" DHCP server (the desired behaviour is, if no "good" DHCP servers are listening, then the client should get no IP address).

Maybe the client will be able to reject the offer from the wrong DHCP server when it (also) gets an offer from the proper DHCP server that is "branded" with the ClassID, but although somewhat useful that's not what I'm after...

Maybe someone more familiar with DHCP than myself might correct me if my understanding of classid is wrong?

Thanks a lot in advance.

Javier Jarava

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, 08 January 2007 14:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> Hi all!
>
> Just wondering, is there a way to "prevent" a rogue DHCP server from playing havoc with a network?
>
> I have been digging into "dhcp security" but I haven't really found anything that makes it possible to auth. a DHCP server, so that the clients don't fall for a rogue one.
>
> From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to "auth" it on the Domain. That prevents the AD/infrastructure admins from shooting themselves in the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance...
>
> I've found this problem in one of our customers' sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an isolated network segment, all was fine, but once we moved "into" their network (to do a pilot test) we found a DHCP server serving a range outside their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you build them they will ignore anything with the "wrong" classid. I think you can also control via group policy.

> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open ports whatsoever (tcp/udp), at least that I could find. Strange ;)

Probably an XP system with the firewall on.
A real pain to manage.

> We managed to overcome the issue because the software load included an IP filtering component, so we decided to block UDP/67 and UDP/68 traffic from all IP addresses and only allow it for 255.255.255.255 and the IP address of the servers we were going to use... But using a whitelist is a bit of a PITA, so I was wondering if there was some other "cleaner" way to do it..
>
> Thanks a lot in advance
>
> Javier J
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
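The thread's working control is the UDP/67-68 whitelist; the complementary detection a defender would want is to watch the segment for DHCPOFFER packets whose server identifier (option 54) is not a sanctioned server, which is exactly what the VMware DHCP service in Javier's test would trip. The block below is an added example, not code from the thread or from any product mentioned in it; the allow-list, the client MAC and all addresses are constructed, and it parses offers from raw UDP payloads rather than capturing them. Note that the class ID the client sends plays no part in this check, for the reason the thread gives: a rogue server simply ignores it and answers anyway.

```python
import struct
from ipaddress import IPv4Address

# Constructed allow-list of sanctioned DHCP servers (an assumption, not from the thread).
ALLOWED_SERVERS = {"192.168.10.1"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
DHCPOFFER = 2

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option area of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen, options, i = payload[2], {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                         # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": struct.unpack("!I", payload[4:8])[0],
            "yiaddr": str(IPv4Address(payload[16:20])),
            "chaddr": payload[28:28 + hlen].hex(":"), "options": options}

def build_offer(xid: int, yiaddr: str, server_ip: str) -> bytes:
    """Construct a minimal DHCPOFFER (BOOTREPLY over Ethernet) to use as sample input."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 4 + IPv4Address(yiaddr).packed                 # ciaddr, yiaddr (offered lease)
    hdr += IPv4Address(server_ip).packed + b"\0" * 4              # siaddr, giaddr
    hdr += b"\x00\x0c\x29\xaa\xbb\xcc" + b"\0" * 10 + b"\0" * 192  # chaddr (16 bytes), sname + file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"

def classify_offer(payload: bytes) -> dict:
    """Flag a DHCPOFFER whose server identifier (option 54) is not on the allow-list.
    Non-offer messages are reported but not judged; the client's class ID is irrelevant here."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return {"offer": False}
    server = str(IPv4Address(opts[OPT_SERVER_ID]))
    return {"offer": True, "server": server, "lease": msg["yiaddr"],
            "client_mac": msg["chaddr"], "rogue": server not in ALLOWED_SERVERS}

# Constructed samples: one offer from the sanctioned server, one from an unsanctioned VM on the segment.
GOOD_OFFER = build_offer(0x1234, "192.168.10.50", "192.168.10.1")
ROGUE_OFFER = build_offer(0x1234, "172.16.0.10", "172.16.0.1")
```

In practice the payloads come from a socket bound to UDP/68 (or a capture filter on ports 67-68) on a host that is itself not a DHCP client of the segment, so that an alert on `rogue: True` identifies the offending server address before any client has accepted the lease.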