Hi!

Thanks for the tips on using classid. Unfortunately, I'm not that sure if
that'd work...

From what I've been able to read / see about DHCP ClassID, it's not really
meant as a way to filter/select a DHCP server or to avoid getting a response
from a "wrong" server, but more as a way for a server to filter/refine the
results that the server sends back to the client. In this case, it's not
really a case of "get the proper options" but rather of "not talk to the
wrong server".. Of course, I might be wrong (and in this case, I'd really
love to be proven wrong ;) But from what I've seen at:
http://technet2.microsoft.com/WindowsServer/en/library/13cbcfbd-2d9d-40fd-8b54-5c8090924eb21033.mspx?mfr=true
the classes are to be able to provide specialized/extra info to clients.

I've done a bit of testing: I've set up one VM (XP SP2) with a (user)
classid on its lan, and a W2003 DHCP VM Server with different options
depending on the ClassID. The behaviour is as expected, the system gets
different options (DNS servers, etc) depending on the classid.

After that, I've turned off the DHCP server and started the VMware DHCP
Service (where no classid or other options have been set). I've done a
release/refresh on the network card, and I get an IP address from the
"wrong" DHCP server (the desired behaviour is, if no "good" DHCP servers are
listening, then the client should get no IP address). Maybe the client will
be able to reject the offer from the wrong DHCP server when it (also) gets
an offer from the proper DHCP server that is "branded" with the ClassID, but
although somewhat useful that's not what I'm after...

Maybe someone more familiar with DHCP than myself might correct me if my
understanding of classid is wrong?

Thanks a lot in advance.

        Javier Jarava
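The thread's question is how to find a rogue server once clients start accepting its offers. The following is an added example (not code from any of the posters): it parses DHCP server messages, reads the server identifier (option 54) and flags any OFFER/ACK/NAK whose server is not on an allowlist. The allowlist address and the packet contents are constructed for the example; in practice you would feed it UDP/68 payloads captured on the segment.

```python
import struct
from ipaddress import IPv4Address

# Authorised DHCP servers on the site (constructed allowlist for this example).
KNOWN_SERVERS = {"192.168.1.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options area into {option_code: raw_bytes}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:          # END
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_server_message(payload: bytes) -> tuple:
    """Return (verdict, server_id): 'ignored' for client messages,
    'authorised' if option 54 is on the allowlist, otherwise 'rogue'."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (2, 5, 6):   # OFFER, ACK, NAK are server-originated
        return ("ignored", None)
    if 54 not in opts or len(opts[54]) != 4:
        return ("rogue", None)      # no usable server identifier: not trusted
    server_id = str(IPv4Address(opts[54]))
    return ("authorised" if server_id in KNOWN_SERVERS else "rogue", server_id)

def build_server_message(msg_type: int, server_ip: str, yiaddr: str) -> bytes:
    """Build a minimal DHCP message (constructed fixture, not a captured packet)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed,
                         IPv4Address(server_ip).packed, b"\0" * 4)
    header += b"\0" * (16 + 64 + 128)          # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return header + DHCP_MAGIC + opts

def rogue_servers(messages) -> set:
    """Collect the server identifier of every message that fails the allowlist."""
    return {sid for verdict, sid in map(classify_server_message, messages)
            if verdict == "rogue"}
```

Because the check keys on option 54 rather than on the source IP, it still works for offers relayed through a DHCP helper; a server that omits its identifier is reported as rogue rather than silently passed.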


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, 08 January 2007 14:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP 
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP 
> server is Windows-based, you have to "auth" it on the Domain. That 
> prevents the AD/infrastructure admins from shooting 
> themselves in the foot by having too many/improperly 
> configured servers.. But that won't stop a rogue VM from 
> being a nuisance...
> 
> I've found this problem in one of our customers sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all 
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load 
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>       Javier J
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
> 
> 


