Hi! Thanks for the answer. The issue is/was, the client has a pretty big network and they don't have layer 1 access control in place. They DO have their network segmented using VLANs, at least on their HQ, where the testing was takin place.
So we "knew" the rogue server was "close" to where we were testing: in the same VLAN. But that VLAN includes everybody from their IT dept (and they're a BIG client, with over 50,000 users in several hundreds, if not thousands, of locations, so they have a big IT dept). Another issue (not sure if it's relevant) is that the MAC address of the rogue server suggested that the server was in fact an VMWARE VM... So if the host computer has a "valid" network port on the switch, I guess that any of the VMs that use the same physical network card would be allowed to connect to the network.... -----Mensaje original----- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de Myrick, Todd (NIH/CC/DCRI) [E] Enviado el: lunes, 08 de enero de 2007 13:46 Para: ActiveDir@mail.activedir.org Asunto: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) Best I have seen is to control physical access to your network at layer 1. Things to include, don't activate ports until the device is provisioned. You might try a network monitor configured to listen for unauthorized offers from servers. The solution you posted below is pretty slick as well. It all depends on how secure your client wants their network to be ... and how useable. Todd -----Original Message----- From: Javier Jarava [mailto:[EMAIL PROTECTED] Sent: Monday, January 08, 2007 7:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) Hi all! Just wondering, is there a way to "prevent" a rogue DCHP server from playing havoc with a network? I have been digging into "dhcp security" but I haven't really found anything that makes it possible to auth. a DHCP server, so that the clients don't fall for a rogue one. >From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to "auth" it on the Domain. That prevents the AD/infrastructure admins from shooting themselves on the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance... I've found this problem in one of our customers sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an isolated netowork segment, all was fine, but once we moved "into" their network (to do a pilot test) we found a DHCP server serving a range outside their own, and really messing things up. What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open ports whatsoever (tcp/udp), at least that I could find. Strange ;) We managed to overcome the issuse because the software load included an IP filtering component, so we decided to block UDP/67 and UDP/68 traffic from all IP addresses and only allow it for 255.255.255.255 and the IP address of the servers we were going to use... But using a whitelist is a bit of a PITA, so I was wondering if there was some other "cleaner" way to do it.. Thank a lot in advance Javier J List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
