Dynamic Host Configuration Protocol (DHCP) allows a client computer to lease an IP address from a DHCP server so that the client can participate in the network. Your DHCP design should include provisions for securing the DHCP process.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
The DHCP Service provides IP address configuration to DHCP clients on the network. These clients depend on the DHCP Service to provide them with correct IP addressing information. If a client receives an incorrect IP address from the DHCP Service, the result could be a loss of connectivity on the network or, in the worst case, connectivity to unauthorized servers on the network.
The DHCP Service's security risks can be broken down into three categories:
A common security concern is the possibility that an unauthorized DHCP server might provide incorrect IP addressing information to the DHCP clients. Windows 2000 has reduced the possibility of unauthorized Windows 2000–based DHCP servers by requiring the DHCP servers to be authorized in Active Directory. Only authorized DHCP servers can issue IP addresses for DHCP clients, as shown in Figure 9.5.
Figure 9.5 Identifying authorized DHCP servers
The DHCP server won't issue IP addresses to clients if it determines that it's not authorized to do so.
How DHCP Authorization Works
When the DHCP Service starts, the DHCP server sends a DHCPInform message to the limited broadcast address (255.255.255.255). Because it is sent to the 255.255.255.255 address, the DHCPInform message doesn't cross network routers to other network segments. The purpose of the DHCPInform message is to find the directory enterprise root that maintains information on authorized DHCP servers. Any DHCP servers that receive the DHCPInform message respond with a DHCPAck message, allowing the DHCP server to collect information on other active DHCP servers. The DHCP server also collects information on the directory service used by the other DHCP servers.
The newly started DHCP server queries the directory enterprise root to ensure that it's listed as an authorized DHCP server. If it's authorized to do so, the DHCP Service initializes and provides IP address information to DHCP clients. If it isn't, the DHCP services don't initialize. The DHCP Service also starts if it determines that there's no configured directory enterprise root and therefore no restrictions on the DHCP Service.
By default, only members of the Enterprise Admins universal group can authorize DHCP servers in Active Directory.
WARNING
Non-Windows 2000 DHCP services can still be started on the network and issue incorrect IP addressing information to DHCP clients. Your security plan must include provisions for the detection of unauthorized DHCP servers on the network. One way to find the IP address of an unauthorized DHCP server is to run IPCONFIG /ALL at a client computer that has received incorrect IP addressing information.
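The IPCONFIG /ALL check described above can be applied to output collected from many clients at once. The following Python sketch is an added example, not part of the original lesson; the authorized server address, client names and sample output are constructed, and it assumes the English Windows 2000 field labels ("DHCP Enabled", "IP Address", "DHCP Server").

```python
import ipaddress

# Assumption: addresses of the DHCP servers authorized for this network.
AUTHORIZED_DHCP = {ipaddress.ip_address("10.10.0.5")}

# Constructed sample of IPCONFIG /ALL output gathered from two clients.
SAMPLE_REPORTS = {
    "CLIENT01": """Ethernet adapter Local Area Connection:
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.0.51
        DHCP Server . . . . . . . . . . . : 10.10.0.5""",
    "CLIENT02": """Ethernet adapter Local Area Connection:
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.23
        DHCP Server . . . . . . . . . . . : 192.168.0.1""",
}

def parse_adapters(text):
    """Return {adapter name: {field: value}} from IPCONFIG /ALL output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers start in column 0 and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.strip().rstrip(":"), {})
        elif current is not None and ":" in line:
            # Split at the first colon; strip the dot leaders from the label.
            key, _, value = line.partition(":")
            current[key.strip(" .\t")] = value.strip()
    return adapters

def find_unauthorized(reports, authorized):
    """List (client, adapter, leased IP, DHCP server) for unapproved servers."""
    findings = []
    for client, text in sorted(reports.items()):
        for name, fields in parse_adapters(text).items():
            server = fields.get("DHCP Server")
            if fields.get("DHCP Enabled") != "Yes" or not server:
                continue  # statically configured or no lease recorded
            if ipaddress.ip_address(server) not in authorized:
                findings.append((client, name, fields.get("IP Address"), server))
    return findings

if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_REPORTS, AUTHORIZED_DHCP):
        print("unauthorized DHCP server: client=%s adapter=%s ip=%s server=%s" % f)
```

Clients that report the same unexpected DHCP server address usually share a network segment, which narrows down where the unauthorized server is attached.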
Client computers that are running previous versions of Microsoft operating systems aren't able to perform dynamic updates to the DNS server. You can configure DHCP servers to perform the updates on behalf of these clients by selecting the Enable Updates For DNS Clients That Do Not Support Dynamic Update check box for a DHCP scope, as shown in Figure 9.6.
Figure 9.6 Configuring DHCP to perform DNS updates on behalf of down-level clients
If the DNS update is sent to an Active Directory–integrated zone, the DHCP server will become the owner of the DNS resource records in Active Directory. This may cause problems if the non-Windows 2000 client is later upgraded to Windows 2000. The default behavior for registration of DNS resource records for Windows 2000 clients is as follows:
If the DHCP server is the owner of the DNS resource record, the Windows 2000 client won't be able to update the resource record.
You can change this behavior by adding the DHCP server to the DNSUpdateProxy global group. Membership in this group changes the behavior of DNS updates to Active Directory–integrated zones. If the DHCP server is a member of the DNSUpdateProxy group, it won't take ownership of any DNS resource records that it writes to the DNS Active Directory–integrated zone. The client is able to register the resource records after upgrade and then take ownership of the resource records.
WARNING
In one circumstance, preventing the DHCP server from taking ownership of a DNS resource record isn't the desired behavior. Never make the DHCP server a member of the DNSUpdateProxy group if the DHCP Service is running on a DC. Membership in the DNSUpdateProxy group doesn't differentiate between resource records registered on behalf of another client and resource records registered by that specific client. Membership in the DNSUpdateProxy group allows any user or computer to modify resource records corresponding to the DC, including all related SRV resource records.
In higher-security networks, DHCP may introduce security weaknesses because any DHCP client can lease a valid IP address on the network. To prevent this, you must reserve all IP addresses in the scope to specific Media Access Control (MAC) addresses.
This practice requires that all approved client MAC addresses are documented and that reservations are created for each MAC address. Nonleased addresses in the DHCP pool of IP addresses must be reserved to nonexistent MAC addresses to prevent the assignment of these IP addresses until the IP address is assigned to a valid MAC address.
WARNING
This practice can be difficult to manage. In some cases it will be easier to deploy IP addressing using static IP addresses rather than using IP address reservations in DHCP.
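One way to keep the reservation practice described above manageable is to audit the scope against the documented MAC inventory. The following Python sketch is an added example, not part of the original lesson; the scope range, MAC addresses and the placeholder MAC prefix are constructed assumptions.

```python
import ipaddress

# Assumption: placeholder reservations use this locally administered MAC
# prefix (constructed value), which no approved adapter carries.
PLACEHOLDER_PREFIX = "02deadbeef"

def normalize_mac(mac):
    """Reduce 00-50-56-AA-BB-01 or 00:50:56:aa:bb:01 to 12 lowercase hex digits."""
    return mac.replace("-", "").replace(":", "").lower()

def audit_scope(start, end, reservations, approved_macs):
    """Check every address in the scope against the reservation list.

    Returns addresses with no reservation ("open", leasable by any client),
    reservations held by undocumented MACs ("unapproved"), and the placeholder
    reservations needed to close the open addresses ("placeholders").
    """
    reserved = {ipaddress.ip_address(ip): normalize_mac(mac)
                for ip, mac in reservations}
    approved = {normalize_mac(mac) for mac in approved_macs}
    report = {"open": [], "unapproved": [], "placeholders": {}}
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    for n in range(int(first), int(last) + 1):
        ip = ipaddress.ip_address(n)
        mac = reserved.get(ip)
        if mac is None:
            report["open"].append(str(ip))
            # Last octet keeps placeholders unique within a scope of up to 256 addresses.
            report["placeholders"][str(ip)] = "%s%02x" % (PLACEHOLDER_PREFIX, n & 0xFF)
        elif not mac.startswith(PLACEHOLDER_PREFIX) and mac not in approved:
            report["unapproved"].append((str(ip), mac))
    return report

# Constructed sample: a six-address scope and its current reservations.
APPROVED = ["00-50-56-AA-BB-01", "00-50-56-AA-BB-02"]
RESERVATIONS = [
    ("10.10.0.50", "00-50-56-AA-BB-01"),
    ("10.10.0.51", "00:50:56:aa:bb:02"),
    ("10.10.0.52", "00-11-22-33-44-55"),   # not in the approved inventory
    ("10.10.0.53", "02deadbeef35"),        # placeholder already in place
]

if __name__ == "__main__":
    print(audit_scope("10.10.0.50", "10.10.0.55", RESERVATIONS, APPROVED))
```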
Table 9.4 reviews the design decisions that you face when you deploy the DHCP Service in a Windows 2000 network and want to ensure that security is maintained.
Table 9.4 Securing the DHCP Service
To | Include the Following in Your Design |
---|---|
Prevent unauthorized DHCP servers on the network | Upgrade all computers running DHCP services to Windows 2000. Only authorize the required DHCP servers in Active Directory. |
Protect DC-related DNS resource records | Don't install DHCP services on a Windows 2000 DC and make the DHCP server a member of the DNSUpdateProxy group. |
Ensure that only authorized clients receive DHCP addresses from the DHCP server | Create reservations for all DHCP clients. Ensure that all addresses in the DHCP scope are associated with a MAC address to prevent unauthorized clients from receiving DHCP-assigned IP addresses. |
Detect unauthorized non-Windows 2000 DHCP servers | Watch for pockets of misconfigured IP addresses. Use IPCONFIG /ALL at the DHCP client to determine the IP address of the DHCP server that assigned the address. |
Lucerne Publishing should move the DHCP services at the Caracas and Casablanca offices to member servers. Lucerne Publishing wants the client computers that have been upgraded to Windows 2000 to take over the registration of DNS resource records. To do this, you must make the DHCP servers members of the DNSUpdateProxy group to prevent the DHCP server from taking ownership of the DNS resource records.
If the Caracas and Casablanca DHCP services remain on DCs, it's possible to overwrite the DC's DNS resource records or the static DNS resource records. Additionally, the DHCP servers should be configured to perform dynamic updates on behalf of all DNS clients that don't support dynamic updates.
DHCP is a key service on most Windows 2000 networks. If an unauthorized DHCP server is introduced on the network, the results can range from temporary loss of connectivity to the loss of data to an unauthorized server posing as the actual server.
Your DHCP deployment plan should include strategies for detecting and preventing unauthorized DHCP servers. You should also consider how the DHCP service will integrate with the DNS service.