Threats to DHCP Servers

If attackers are able to compromise a DHCP server on the network, they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or Domain Name System (DNS) server configuration.

The following threats exist when you implement DHCP on your network:

  • Unauthorized DHCP servers can issue incorrect TCP/IP configuration information to DHCP clients.

  • DHCP servers can overwrite valid DNS resource records with incorrect information.

  • DHCP can create DNS resource records without ownership defined.

  • Unauthorized DHCP clients can obtain IP addresses on the network.

Unauthorized DHCP Servers

If attackers can connect a computer to your company's network, they can launch an unauthorized DHCP server. This DHCP server can provide incorrect IP addressing information to DHCP clients. Microsoft Windows 2000 reduces the possibility of unauthorized Windows 2000-based DHCP servers by requiring that Windows 2000-based DHCP servers be authorized in the Active Directory directory service. Only Windows 2000-based DHCP servers authorized by a member of the Enterprise Admins group can issue IP addresses to DHCP clients.

A Windows 2000 DHCP server uses DHCPINFORM messages to determine whether it is authorized. When a DHCP server starts, the DHCP server queries any domain controller to ensure it is listed as an authorized DHCP server in the Configuration naming context. If the DHCP server is authorized, the DHCP service initializes and provides IP address information to DHCP clients. If the server is not authorized, DHCP services do not initialize. The DHCP service will also start if it determines that Active Directory does not exist on the network, indicating that DHCP servers do not require authorization.

The DHCPINFORM process does not prevent DHCP servers that do not support DHCPINFORM messages, such as a Microsoft Windows NT 4.0 DHCP server, from issuing addresses on the network.
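Because the authorization check is only enforced by the Windows 2000 DHCP service itself, the practical defence is to watch the wire for offers from servers that are not on the authorized list. The following is an added example, not code from the book: it parses DHCPOFFER messages and flags offers whose server identifier, default gateway or DNS servers violate policy. The policy values (10.0.0.5 as the only authorized server, 10.0.0.1 as the gateway, 10.0.0.5 and 10.0.0.6 as DNS servers) and the offers the block constructs are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the BOOTP header
OFFER = 2                            # option 53 message type for DHCPOFFER
AUTHORIZED_SERVERS = {"10.0.0.5"}    # assumed policy values for this example
EXPECTED_ROUTER = "10.0.0.1"
EXPECTED_DNS = {"10.0.0.5", "10.0.0.6"}

def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header (RFC 2131) and the TLV option area."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": pkt[0], "yiaddr": str(IPv4Address(pkt[16:20])),
           "chaddr": pkt[28:28 + pkt[2]].hex(":"), "options": {}}   # hlen at byte 2
    i = 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                         # 0 = pad byte, no length field
            i += 1
            continue
        length = pkt[i + 1]
        msg["options"][pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def ip_list(raw: bytes) -> list:               # option value holding IPv4 addresses
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def audit_offer(msg: dict) -> list:
    """Flag an OFFER whose server, gateway or DNS values violate policy."""
    o, findings = msg["options"], []
    if o.get(53) != bytes([OFFER]):
        return findings                         # only OFFERs carry server configuration
    server = ip_list(o.get(54, b"")) or ["missing"]        # option 54 = server identifier
    if server[0] not in AUTHORIZED_SERVERS:
        findings.append(f"offer from unauthorized DHCP server {server[0]}")
    if 3 in o and ip_list(o[3])[0] != EXPECTED_ROUTER:     # option 3 = router
        findings.append(f"unexpected default gateway {ip_list(o[3])[0]}")
    if 6 in o and not set(ip_list(o[6])) <= EXPECTED_DNS:  # option 6 = DNS servers
        findings.append(f"unexpected DNS servers {ip_list(o[6])}")
    return findings

def build_offer(server_ip, router_ip, dns_ips, mac=b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Construct a minimal DHCPOFFER as sample input (not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                      b"", IPv4Address("10.0.0.77").packed, b"", b"", mac, b"", b"")
    opts = bytes([53, 1, OFFER, 54, 4]) + IPv4Address(server_ip).packed  # type, server id
    opts += bytes([3, 4]) + IPv4Address(router_ip).packed                # router
    dns = b"".join(IPv4Address(d).packed for d in dns_ips)
    return hdr + MAGIC + opts + bytes([6, len(dns)]) + dns + b"\xff"     # dns, end
```

Fed with offers captured on a monitoring host, any finding naming an unauthorized server identifies a DHCP server that never went through the Active Directory authorization check, which is exactly the gap a Windows NT 4.0 server leaves open.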

DHCP Servers Overwriting Valid DNS Resource Records

By default, the DHCP server and the DHCP client split the process of registering DNS resource records with the DNS server. By default, the DHCP server registers and owns the Pointer (PTR) resource records written to the reverse lookup zone at the DNS server. The DHCP client registers its Host (or A) resource record in the forward lookup zone.

If attackers modify the DHCP server's configuration, it is possible for the DHCP server to register and own both resource records. If the DHCP server overwrites the client information, the client can be blocked from updating its IP address information in DNS. The client is blocked because the DNS resource record's discretionary access control list (DACL) allows only the owner of the resource record to modify the resource record when secure dynamic updates are implemented at the DNS server.

This modification is required for pre-Windows 2000 clients that do not support dynamic DNS updates but is not recommended for Windows 2000, Microsoft Windows XP, or other operating systems that support dynamic DNS updates.

DHCP Not Taking Ownership of DNS Resource Records

If a DHCP server is configured as a member of the DNSUpdateProxy group, the DHCP server does not take ownership of the DNS resource records it registers. Although this behavior is desired when a DHCP server registers Host (A) resource records for pre-Windows 2000 client computers, allowing pre-Windows 2000 client computers to take ownership of the A resource record when upgraded to Windows 2000 or Windows XP is not recommended if the DHCP server is also a domain controller.

It is also not desirable for a DHCP server to take ownership of DNS resource records when multiple DHCP servers provide IP addresses for the network. If the DHCP server took ownership of A resource records registered on behalf of a downlevel client, another DHCP server would not be able to overwrite the record if the client acquired its IP address from a different DHCP server.

If the DHCP service runs on a domain controller, membership in the DNSUpdateProxy group results in the DHCP server not taking ownership of any DNS resource records it registers with the DNS server. This includes all Service (SRV) resource records registered with DNS. If the DHCP server does not take ownership of the SRV resource records, attackers will be able to modify the SRV resource records, causing DNS clients to connect to incorrect servers.

Unauthorized DHCP Clients

By default, a DHCP server will issue an IP address to any DHCP client that requests one, as long as addresses are available in the DHCP scope, which is a pool of IP addresses leased by the DHCP server. This means that any DHCP client can obtain an IP address and TCP/IP configuration information from a DHCP server, even if the DHCP client is not an authorized computer. Once a DHCP client has obtained TCP/IP configuration information, the DHCP client can communicate with any TCP/IP services on the network, including file servers and other Active Directory services on the network.

Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
