Securing DHCP Servers

You can take several measures to prevent attacks against DHCP servers and DHCP clients. These measures range from monitoring membership in the DHCP Administrators group to performing specific DHCP service configuration. Specifically, consider the following measures:

  • Keep default behavior for name registrations.

  • Determine whether to include the DHCP server computer account in the DNSUpdateProxy group.

  • Do not install DHCP on domain controllers.

  • Review the DHCP database frequently for BAD_ADDRESS entries.

  • Limit membership in the DHCP Administrators group.

  • Enable DHCP auditing.

Keeping Default Name Registration Behavior

By default, when a DHCP client obtains IP configuration information from a DHCP server, the DHCP server registers the PTR resource record for the client and the client registers its own A resource record. We recommend you maintain this default behavior so that the DHCP server maintains ownership of PTR resource records. You can change this default behavior, but doing so can lead to incorrect DNS information if the client changes subnets and the TCP/IP address configuration information is supplied by a different DHCP server that cannot modify the DNS resource records.

If a Windows 2000 or Windows XP computer is assigned a static IP address, that computer will use the DHCP Client service to register both its A and PTR resource records. You must not disable the DHCP Client service on computers that are assigned a static TCP/IP configuration.

Determining Whether to Use the DNSUpdateProxy Group

If a computer is a member of the DNSUpdateProxy group, the computer does not take ownership of resource records it registers in DNS. In upgrade scenarios, it is common to configure the DHCP server to register DNS information on behalf of Windows clients that do not support dynamic DNS updates. Including the DHCP server's computer account in the DNSUpdateProxy group ensures that the DHCP server does not take ownership of DNS resource records it updates. This allows the Windows client to take ownership of the A resource record when the OS is upgraded to Windows 2000 or Windows XP.

You should place the DHCP server's computer account in the DNSUpdateProxy group only if you plan to upgrade pre-Windows 2000 computers to Windows 2000 or Windows XP or if you run multiple DHCP servers on the network that might register A and PTR records for the same computers.

Avoiding Installation of DHCP on Domain Controllers

You should not install the DHCP service on Windows 2000 domain controllers, especially if you require that DHCP servers be members of the DNSUpdateProxy group. If the computer account is a member of the DNSUpdateProxy group, the computer will not take ownership of any DNS resource records it registers with DNS. This includes all SRV resource records registered by a Windows 2000 domain controller.

To ensure that the domain controller always retains ownership of its A and SRV resource records, we do not recommend deploying DHCP services on a domain controller.

Another Solution for Running DHCP and DNS on Domain Controllers

The risk of running DHCP and DNS on a domain controller is that the DNS registrations are performed in the security context of the domain controller. If you do not include the domain controller's computer account in the DNSUpdateProxy group, all registrations are owned by the domain controller. Members of the Domain Controllers group are assigned Full Control for all DNS zones and resource records, allowing the domain controller to overwrite existing resource records.

If you include the domain controller's computer account in the DNSUpdateProxy group, no ownership is assigned to the resource records registered by the domain controller. This includes both DHCP registrations and the SRV resource records registered by the Netlogon service.

Windows 2000 Service Pack 1 introduces the ability to configure the DHCP service to impersonate another user account when registering DHCP-related DNS resource records. When implemented, all DNS registrations performed by the DHCP service are performed in the security context of this designated user account, rather than using the DHCP server's computer account.

To designate the user account, you must have access to the Netsh.exe tool included in Windows 2000 Support Tools. The process for designating the user account is as follows:

  1. Create a user account in the Active Directory Users And Computers console. This user account will be used by the DHCP Server service for all DNS registrations.

  2. In a command prompt, use the Netsh.exe tool to designate the user account:

    Netsh dhcp server set dnscredentials UserName DomainName Password

Alternatively, you can replace the Password option with an asterisk (*) to have the command prompt you for the password assigned to the user account. Once you have typed this command, you must restart the DHCP Server service.

Reviewing DHCP Database for BAD_ADDRESS Entries

If an IP address in the DHCP database is registered to BAD_ADDRESS, it might be in conflict with an address that already resides on the network. This scenario occurs when the DHCP server assigns a DHCP client an IP address that is in use. When a DHCP client receives IP address information from a DHCP server, the DHCP client sends an Address Resolution Protocol (ARP) packet that ensures that the IP address is not in use. If the DHCP client determines that the IP address is in use, the client informs the DHCP server and the DHCP server marks the reservation as a BAD_ADDRESS.

A BAD_ADDRESS lease can take place under different circumstances. If you overlap DHCP scopes between DHCP servers, it is possible for two DHCP servers to issue the same IP address. When a second DHCP server attempts to issue a duplicate IP address, the second DHCP server will register the IP address as a BAD_ADDRESS.

Alternatively, an attacker could assign multiple static IP addresses to her computer. If a DHCP server then offers one of those addresses to a client, the client's ARP check finds the address already in use, and the client rejects the offered DHCP-assigned IP address.

Monitoring Membership in the DHCP Administrators Group

Members of the DHCP Administrators group are delegated permissions to configure a DHCP server. DHCP Administrators can create DHCP scopes, define DHCP configuration options, and create DHCP reservations.

Closely monitor membership in the DHCP Administrators group as well as membership in the local Administrators group, the Domain Admins group, and the Enterprise Admins group to determine who has the necessary permissions to manage DHCP services. Membership in these groups allows management of all DHCP servers in the domain.

A member of the DHCP Administrators group cannot authorize a DHCP server in Active Directory. Only members of the Enterprise Admins group can perform this task. You can delegate the right to authorize DHCP servers by following the solution proposed in Knowledge Base article 239004, How to Allow Non-Root or Enterprise Administrators to Authorize RIS Servers in Active Directory.

Enabling DHCP Auditing

To determine exactly which DHCP clients are connecting to the DHCP server and where BAD_ADDRESS entries originate, enable DHCP auditing at the DHCP server. You can permit DHCP server auditing by enabling the Enable DHCP Auditing Logging option in the properties of the DHCP server in the DHCP console. This option provides daily log files for the DHCP service in the %windir%\system32\dhcp folder. In addition to enabling DHCP auditing in the DHCP console, you can further adjust DHCP auditing by modifying the HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters\DhcpLogFilesMaxSize registry entry, which defines the maximum size of DHCP log files.


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189