Preventing unauthorized DHCP servers
If you've ever had to manually configure IP addresses on every computer on a network, then you know how much Dynamic Host Configuration Protocol (DHCP) can simplify your life. By the same token, an unauthorized DHCP server can make your life miserable. In this article, I'll explain what makes an unauthorized DHCP server such a threat to your network's well-being. I'll then go on to explore some techniques you can use to prevent an unauthorized DHCP server from wreaking havoc on your network.
What's the big deal?
Besides the fact that you probably don't like the idea of any computer being added to the network or being reconfigured without your knowledge, an unauthorized DHCP server can cause other problems. The biggest threat from an unauthorized DHCP server is duplicate IP addresses. Another potential problem is an unauthorized server denying lease renewals to legitimate clients. Although some precautions exist to prevent this from happening, the threat is very real.
Keep in mind that the request for an IP address occurs before the client even attempts to authenticate to the network: the DHCP request is simply transmitted in broadcast form. If someone were trying to sabotage your operations with an unauthorized DHCP server, they wouldn't even have to know the administrative password to do so, because the new DHCP server wouldn't have to integrate with your domain security.
Some operating systems, such as Windows 2000, will try to ping an offered IP address before accepting it, to ensure that the address isn't already in use. However, not all operating systems take this precaution. A malicious user could exploit this fact and create DHCP scopes on a renegade DHCP server that contain addresses matching those used by your network server. If a Windows 95 user attached to this unauthorized DHCP server, he could unknowingly accept an IP address that's already in use by a server and cause routing problems or force the server offline. Fortunately, there are some ways to fight back.
What can you do?
The best way to fight back against an unauthorized DHCP server is to upgrade all your servers to Windows 2000. After doing so, you should enable directory services; then, you must install your first DHCP server on either a domain controller or on a member server. The idea is to make the directory service recognize the DHCP server; therefore, you shouldn't install the first DHCP server as a standalone server.
As you might have guessed from the prep work that we just outlined, Windows 2000 provides some integrated security to prevent unauthorized DHCP servers from damaging your network. This security involves adding information to the DhcpServer directory service object. The DhcpServer object can contain information such as a list of the IP addresses of all computers authorized to function as DHCP servers. The integrated security provides a mechanism that allows the detection of unauthorized DHCP servers.
For this security mechanism to work properly, all legitimate DHCP servers must be installed either on domain controllers or on member servers. That way, Active Directory can recognize them.
How does the security work?
Any time a DHCP server comes online, it sends a DHCPInform message to the rest of the network. This message allows the server to locate the directory service's enterprise root and the location within Active Directory where other DHCP servers are referenced. When other DHCP servers receive the message, they respond by providing information about themselves. In this way, when the DHCP server comes online, it is able to compile a list of every other DHCP server on the reachable network.
Once the list has been compiled, the DHCP server checks to see if it can access the directory service. If the directory service isn't available, the DHCP server will check its list to see if any of the other DHCP servers it has detected are part of any enterprise. If they are, then the DHCP service isn't allowed to start. However, if none of the other DHCP servers are part of an enterprise, then the new DHCP server will complete the initialization process and begin servicing clients.
Once the DHCP server has fully initialized, it performs a check every five minutes to detect other DHCP servers on the network. Each time it performs the check, it also looks for the presence of a directory service. If the server detects a directory service, it scans the directory to make sure it is authorized to act as a DHCP server. If the DHCP server doesn't find its IP address on the list of authorized DHCP servers, the DHCP service is shut down. If the DHCP server does detect its IP address on the list, it will continue servicing clients' requests in the normal manner.
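The authorization check described above (compare the server's IP address against the list of authorized DHCP servers and refuse service if it is absent) can also be applied from the monitoring side: watch for DHCPOFFER/DHCPACK messages and flag any whose server identifier (option 54) is not on the authorized list. This is an added example, not code from the article or from Windows; the authorized list, the server addresses and the sample packets are constructed here rather than captured from a network.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample list; on Windows 2000 the real list lives on the
# DhcpServer object in Active Directory (see the text above).
AUTHORIZED_SERVERS = {"10.0.0.2"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of DHCP options
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5

def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from the DHCP options field (RFC 2132 layout)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:             # single-byte padding, no length field
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_offer(packet: bytes):
    """For a DHCPOFFER/DHCPACK return (server_ip, 'authorized'|'ROGUE'); other types -> None."""
    opts = parse_options(packet)
    if opts.get(OPT_MESSAGE_TYPE, b"\0")[0] not in (DHCPOFFER, DHCPACK):
        return None
    server_ip = str(IPv4Address(opts[OPT_SERVER_ID]))   # option 54: who made the offer
    return server_ip, "authorized" if server_ip in AUTHORIZED_SERVERS else "ROGUE"

def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Construct a minimal DHCPOFFER (sample data for this example, not captured traffic)."""
    # op=2 (reply), htype=1, hlen=6, hops=0, xid, secs, flags=broadcast,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file  (236 bytes total)
    fixed = struct.pack("!4BIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), IPv4Address(offered_ip).packed,
                        IPv4Address(server_ip).packed, bytes(4),
                        bytes(16), bytes(64), bytes(128))
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
               + IPv4Address(server_ip).packed + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options

if __name__ == "__main__":
    for pkt in (build_offer("10.0.0.2", "10.0.0.50"), build_offer("10.0.0.99", "10.0.0.50")):
        print(classify_offer(pkt))
```

In a real deployment the packets would come from a capture on the LAN instead of build_offer(), and a "ROGUE" result is the alert to investigate.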
Be careful with a second enterprise root
Although the process we've described here tends to work very well, it's possible for a DHCP server that's been running for some time to shut down unexpectedly because it doesn't believe it's authorized. Such an occurrence may be related to a change in network relationships. When the DHCP server searches for other DHCP servers, it collects information about the directory service as well. This information includes the name of the enterprise root. Normally, all DHCP servers will have the same enterprise root. However, if any detected DHCP server contains information about a different enterprise root, both enterprise roots must contain permissions for all detected DHCP servers within their directory services. Otherwise, the DHCP servers will see that they don't have permission to function within one of the directory services, and the DHCP services will shut down. Therefore, if you're considering adding a second enterprise root to your network, you should carefully consider how doing so would impact your DHCP servers.
Brien M. Posey is an MCSE who works as a freelance writer and as the Director of Information Systems for a national chain of health care facilities. His past experience includes working as a network engineer for the Department of Defense. You can contact him via e-mail at Brien_Posey@xpressions.com. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.