Best I have seen is to control physical access to your network at layer 1. Things to include: don't activate ports until the device is provisioned. You might try a network monitor configured to listen for unauthorized offers from servers. The solution you posted below is pretty slick as well.

It all depends on how secure your client wants their network to be ... and how usable.

Todd

-----Original Message-----
From: Javier Jarava [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2007 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from playing havoc with a network? I have been digging into "dhcp security" but I haven't really found anything that makes it possible to auth. a DHCP server, so that the clients don't fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to "auth" it on the Domain. That prevents the AD/infrastructure admins from shooting themselves in the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance...

I've found this problem in one of our customers' sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an isolated network segment, all was fine, but once we moved "into" their network (to do a pilot test) we found a DHCP server serving a range outside their own, and really messing things up. What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an IP filtering component, so we decided to block UDP/67 and UDP/68 traffic from all IP addresses and only allow it for 255.255.255.255 and the IP address of the servers we were going to use... But using a whitelist is a bit of a PITA, so I was wondering if there was some other "cleaner" way to do it..
Thanks a lot in advance
Javier J

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
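Todd's suggestion of a monitor that listens for unauthorized offers, worked through as an added example that is not from the list thread: the detector parses the UDP payload a sniffer would hand it from port 67, reads the DHCP message type (option 53) and server identifier (option 54), and flags any OFFER or ACK whose server is not on the site's allowlist. The allowlist address, the MAC addresses and the packets below are constructed sample values.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# Allowlist of the DHCP servers the site actually runs (constructed sample value).
AUTHORIZED_SERVERS = {"10.0.0.2"}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the DHCP option area
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPDISCOVER, DHCPOFFER, DHCPACK = 1, 2, 5


def parse_options(payload: bytes) -> dict:
    """Walk the tag/length/value option area that follows the 236-byte BOOTP header."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:            # single-byte padding carries no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_offer(payload: bytes, src_mac: str) -> Optional[dict]:
    """Return a finding for OFFER/ACK messages; mark the server rogue if not allowlisted."""
    opts = parse_options(payload)
    msg_type = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    if msg_type not in (DHCPOFFER, DHCPACK):
        return None                   # DISCOVER/REQUEST come from clients, not servers
    server = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "unknown"
    offered = str(IPv4Address(payload[16:20]))   # yiaddr: the lease being handed out
    return {"server": server, "src_mac": src_mac, "offered": offered,
            "rogue": server not in AUTHORIZED_SERVERS}


def build_reply(server_ip: str, yiaddr: str, msg_type: int = DHCPOFFER) -> bytes:
    """Constructed BOOTREPLY (op=2) used as sample input; not a captured packet."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x12345678, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, IPv4Address(server_ip).packed,
                         b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + IPv4Address(server_ip).packed + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    print(classify_offer(build_reply("10.0.0.2", "10.0.0.50"), "00:11:22:33:44:55"))
    print(classify_offer(build_reply("192.168.77.1", "192.168.77.10"), "00:0c:29:aa:bb:cc"))
```

In practice the payload comes from a raw socket or pcap filter on `udp port 67`, and a rogue finding should also record the source MAC so the port can be traced at layer 1.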