> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP 
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP 
> server is
> Windows-based, you have to "auth" it on the Domain. That 
> prevents the AD/infrastructure admins from shooting 
> themselves in the foot by having too many/improperly 
> configured servers.. But that won't stop a rogue VM from 
> being a nuisance...
> 
> I've found this problem in one of our customers sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all 
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage.
 
> We managed to overcome the issue because the software load 
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>       Javier J
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
> 
> 
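The "how do you find it?" part of the question can be answered passively: capture DHCP traffic on the segment and flag any server reply whose server identifier is not one of the servers you expect. The example below is added here and is not code from the list or from either poster; it parses raw BOOTP/DHCP payloads (the UDP 67/68 body, no Ethernet/IP/UDP headers) and applies the same allow-list idea Javier used in his IP filter, but as detection rather than blocking. The allow-list and the sample packets are constructed for the demonstration.

```python
"""Passive rogue-DHCP detection: parse DHCPOFFER/ACK/NAK payloads and flag any
whose server identifier (option 54) is not on the allow-list.

Added example for the thread above, not code from the list or its posters.
Assumptions: inputs are raw DHCP payloads (UDP body only); the allow-list of
server IPs and the sample packets below are constructed, not captured.
"""
import socket
import struct
from typing import Dict, List, Optional, Set, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option area
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREPLY = 2


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the magic cookie.
    Stops at END, and stops (rather than guessing) on a truncated option."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            break                      # length byte missing
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # value truncated
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> Optional[dict]:
    """Return the fields relevant for rogue detection, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    opts = parse_options(payload[240:])
    mt = opts.get(OPT_MSG_TYPE)
    sid = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "type": MSG_NAMES.get(mt[0] if mt else 0, "UNKNOWN"),
        "yiaddr": socket.inet_ntoa(payload[16:20]),          # address being handed out
        "client_mac": payload[28:28 + hlen].hex(":"),
        "server_id": socket.inet_ntoa(sid) if sid and len(sid) == 4 else None,
    }


def is_rogue_reply(info: Optional[dict], allowed: Set[str]) -> bool:
    """A server reply (OFFER/ACK/NAK) whose server identifier is missing or
    not on the allow-list is treated as rogue."""
    if info is None or info["op"] != BOOTREPLY:
        return False
    if info["type"] not in ("OFFER", "ACK", "NAK"):
        return False
    return info["server_id"] not in allowed


def scan(packets: List[bytes], allowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (server_id, offered_address, client_mac) for every rogue reply."""
    findings = []
    for p in packets:
        info = parse_dhcp(p)
        if is_rogue_reply(info, allowed):
            findings.append((info["server_id"], info["yiaddr"], info["client_mac"]))
    return findings


def build_offer(server_ip: str, yiaddr: str, client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER payload (sample data for the demo)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip), b"\0" * 4)
    hdr += client_mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_SERVER_ID, 4])
            + socket.inet_aton(server_ip) + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


ALLOWED_SERVERS = {"10.0.0.1"}   # constructed: the servers you actually run
SAMPLE_PACKETS = [               # constructed: one legitimate offer, one not, one non-DHCP
    build_offer("10.0.0.1", "10.0.0.50", b"\x00\x11\x22\x33\x44\x55"),
    build_offer("192.168.133.1", "192.168.133.128", b"\x00\x11\x22\x33\x44\x55"),
    b"not a dhcp packet",
]

if __name__ == "__main__":
    for server, addr, mac in scan(SAMPLE_PACKETS, ALLOWED_SERVERS):
        print(f"ROGUE DHCP reply from {server}: offered {addr} to {mac}")
```

Fed from a capture on a span port (or from a client that sends a DISCOVER and records every OFFER it gets back), this gives you the server IP, the offered range and the affected client MAC, which is usually enough to locate the VM on the switch. The parser deliberately stops on truncated options instead of skipping over them, so a malformed reply cannot hide its server identifier from the check.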


