Lesson 2: Designing DHCP Security

Dynamic Host Configuration Protocol (DHCP) allows a client computer to lease an IP address from a DHCP server so that the client can participate in the network. Your DHCP design should include provisions for securing the DHCP process.

After this lesson, you will be able to

  • Design security for the DHCP Service

Estimated lesson time: 30 minutes

Assessing the Security Risks of the DHCP Service

The DHCP Service provides IP address configuration to DHCP clients on the network. These clients depend on the DHCP Service to provide them with correct IP addressing information. If the client were to receive an incorrect IP address from the DHCP Service, the result could be a loss of connectivity on the network—and, in the worst case, provide connectivity to unauthorized servers on the network.

The DHCP Service's security risks can be broken down into three categories:

  • The risk of an unauthorized DHCP server assigning incorrect IP addressing information.
  • The ability of the DHCP server to overwrite static IP address information in DNS.
  • Unauthorized DHCP clients leasing IP addresses on the network.

Preventing Unauthorized DHCP Servers

A common security concern is the possibility that an unauthorized DHCP server might provide incorrect IP addressing information to the DHCP clients. Windows 2000 has reduced the possibility of unauthorized Windows 2000–based DHCP servers by requiring the DHCP servers to be authorized in Active Directory. Only authorized DHCP servers can issue IP addresses for DHCP clients, as shown in Figure 9.5.


Figure 9.5 Identifying authorized DHCP servers

The DHCP server won't issue IP addresses to clients if it determines that it's not authorized to do so.

How DHCP Authorization Works

When the DHCP Service starts, the DHCP server sends a DHCPInform message to the limited broadcast address. Because the limited broadcast address is used, the DHCPInform message doesn't cross network routers to other network segments. The purpose of the DHCPInform message is to find the directory enterprise root that maintains information on authorized DHCP servers. Any DHCP servers that receive the DHCPInform message respond with a DHCPAck message, allowing the newly started DHCP server to collect information on other active DHCP servers. The DHCP server also collects information on the directory service used by the other DHCP servers.

The newly started DHCP server queries the directory enterprise root to ensure that it's listed as an authorized DHCP server. If it's authorized to do so, the DHCP Service initializes and provides IP address information to DHCP clients. If it isn't, the DHCP services don't initialize. The DHCP Service also starts if it determines that there's no configured directory enterprise root and therefore no restrictions on the DHCP Service.

By default, only members of the Enterprise Admins universal group can authorize DHCP servers in Active Directory.

Non-Windows 2000 DHCP services can still be started on the network and issue incorrect IP addressing information to DHCP clients. Your security plan must include provisions for the detection of unauthorized DHCP servers on the network. One way to find the IP address of an unauthorized DHCP server is to run IPCONFIG /ALL at a client computer that has received incorrect IP addressing information.
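The detection rule above can be automated on a client subnet: parse the options of a captured DHCP server reply (the same option 53 message types that the authorization exchange uses, and option 54, the Server Identifier) and compare the server against the list of servers authorized in Active Directory. This is an added example, not code from the training kit; the packets and the authorized-server list are constructed for illustration.

```python
"""Check captured DHCP server replies against the list of servers authorized
in Active Directory. Added example, not from the training kit; packets and
the authorized-server list are constructed for illustration."""
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK",
             6: "NAK", 8: "INFORM"}    # option 53 values

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # End option
            break
        if code == 0:                  # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_reply(msg_type: int, server_id: str, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal server reply (BOOTREPLY) carrying options 53 and 54."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6   # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[16:20] = IPv4Address(yiaddr).packed   # yiaddr: address offered to client
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_id).packed + b"\xff"
    return bytes(hdr) + MAGIC + opts

def check_server(payload: bytes, authorized: set) -> tuple:
    """Return (message type, Server Identifier, authorized?) for a reply."""
    opts = parse_options(payload)
    msg = MSG_TYPES.get(opts[53][0], "UNKNOWN")
    server = str(IPv4Address(opts[54]))      # option 54: Server Identifier
    return msg, server, server in authorized

AUTHORIZED = {"10.0.0.5"}   # constructed: servers authorized in Active Directory

if __name__ == "__main__":
    for pkt in (build_reply(2, "10.0.0.5", "10.0.0.101"),
                build_reply(5, "10.0.0.250", "192.168.77.9")):
        msg, server, ok = check_server(pkt, AUTHORIZED)
        print(f"{msg} from {server}: {'authorized' if ok else 'UNAUTHORIZED'}")
```

A reply whose Server Identifier isn't on the authorized list points at the same host that IPCONFIG /ALL would show as the "DHCP Server" on an affected client.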

Preventing DHCP Servers from Overwriting Static IP Addresses in DNS

Client computers that are running previous versions of Microsoft operating systems aren't able to perform dynamic updates to the DNS server. You can configure DHCP servers to perform the updates on behalf of these clients by selecting the Enable Updates For DNS Clients That Do Not Support Dynamic Update check box for a DHCP scope, as shown in Figure 9.6.

Figure 9.6 Configuring DHCP to perform DNS updates on behalf of down-level clients

If the DNS update is sent to an Active Directory–integrated zone, the DHCP server will become the owner of the DNS resource records in Active Directory. This may cause problems if the non-Windows 2000 client is later upgraded to Windows 2000. The default behavior for registration of DNS resource records for Windows 2000 clients is as follows:

  • The DHCP server updates the Pointer (PTR) resource records to the reverse lookup zone.
  • The Windows 2000 client updates the Host (A) resource record to the forward lookup zone.

If the DHCP server is the owner of the DNS resource record, the Windows 2000 client won't be able to update the resource record.

You can change this behavior by adding the DHCP server to the DNSUpdateProxy global group. Membership in this group changes the behavior of DNS updates to Active Directory–integrated zones. If the DHCP server is a member of the DNSUpdateProxy group, it won't take ownership of any DNS resource records that it writes to the DNS Active Directory–integrated zone. The client is able to register the resource records after upgrade and then take ownership of the resource records.

In one circumstance, preventing the DHCP server from taking ownership of a DNS resource record isn't the desired behavior. Never make the DHCP server a member of the DNSUpdateProxy group if the DHCP Service is running on a DC. Membership in the DNSUpdateProxy group doesn't differentiate between resource records registered on behalf of another client and resource records registered by that specific client. Membership in the DNSUpdateProxy group allows any user or computer to modify resource records corresponding to the DC, including all related SRV resource records.

Preventing Unauthorized DHCP Clients from Leasing IP Addresses

In higher-security networks, DHCP may introduce security weaknesses because any DHCP client can lease a valid IP address on the network. To prevent this, you must reserve all IP addresses in the scope to specific Media Access Control (MAC) addresses.

This practice requires that all approved client MAC addresses are documented and that a reservation is created for each MAC address. Addresses in the DHCP pool that aren't yet assigned to an approved client must be reserved to nonexistent MAC addresses so that they can't be leased until each one is reserved to a valid MAC address.

This practice can be difficult to manage. In some cases it will be easier to deploy IP addressing using static IP addresses rather than using IP address reservations in DHCP.
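An audit of the reservation practice described above, added here as an example that isn't from the training kit: given a scope range and a reservation table (both constructed), it lists addresses that aren't reserved to any MAC address, malformed MAC addresses, and MAC addresses reserved more than once, and generates placeholder reservations for the gaps.

```python
"""Audit a DHCP scope in which every address must be reserved to a MAC
address. Added example, not from the training kit; the scope range and the
reservation table are constructed for illustration."""
import re
from ipaddress import IPv4Address

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
# Placeholder MACs for addresses no approved client uses yet. 0x02 in the
# first octet marks a locally administered address, so it can't collide
# with a vendor-assigned NIC.
PLACEHOLDER_PREFIX = "02-00-00-00"

def scope_addresses(start: str, end: str) -> list:
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(n)) for n in range(lo, hi + 1)]

def audit_scope(start: str, end: str, reservations: dict) -> dict:
    """reservations maps IP -> MAC. Reports addresses with no reservation
    (leasable by any client), malformed MACs, and MACs reserved more than
    once (two addresses for one client, or a typo hiding a gap)."""
    unreserved = [ip for ip in scope_addresses(start, end) if ip not in reservations]
    bad_mac = {ip: mac for ip, mac in reservations.items() if not MAC_RE.match(mac)}
    seen, dup = set(), set()
    for mac in reservations.values():
        key = mac.upper()
        if key in seen:
            dup.add(key)
        seen.add(key)
    return {"unreserved": unreserved, "bad_mac": bad_mac, "duplicate_mac": sorted(dup)}

def fill_placeholders(unreserved: list) -> dict:
    """One unique nonexistent MAC per unreserved address, so nothing stays leasable."""
    return {ip: f"{PLACEHOLDER_PREFIX}-{i >> 8:02X}-{i & 0xFF:02X}"
            for i, ip in enumerate(unreserved)}

RESERVATIONS = {                       # constructed sample
    "10.0.0.10": "00-50-56-AA-BB-01",
    "10.0.0.11": "00-50-56-AA-BB-02",
    "10.0.0.12": "00-50-56-aa-bb-01",  # same client as .10
    "10.0.0.13": "not-a-mac",
}

if __name__ == "__main__":
    report = audit_scope("10.0.0.10", "10.0.0.14", RESERVATIONS)
    print(report)
    print(fill_placeholders(report["unreserved"]))
```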

Making the Decision

Table 9.4 reviews the design decisions that you face when you deploy the DHCP Service in a Windows 2000 network and want to ensure that security is maintained.

Table 9.4 Securing the DHCP Service

To: Prevent unauthorized DHCP servers on the network
Include the following in your design:
  • Upgrade all computers running DHCP services to Windows 2000.
  • Only authorize the required DHCP servers in Active Directory.

To: Protect DC-related DNS resource records
Include the following in your design:
  • Don't install the DHCP Service on a Windows 2000 DC and then make that DHCP server a member of the DNSUpdateProxy group.

To: Ensure that only authorized clients receive DHCP addresses from the DHCP server
Include the following in your design:
  • Create reservations for all DHCP clients. Ensure that all addresses in the DHCP scope are associated with a MAC address to prevent unauthorized clients from receiving DHCP-assigned IP addresses.

To: Detect unauthorized non-Windows 2000 DHCP servers
Include the following in your design:
  • Watch for pockets of misconfigured IP addresses.
  • Use IPCONFIG /ALL at the DHCP client to determine the IP address of the DHCP server that assigned the address.

Applying the Decision

Lucerne Publishing should move the DHCP services at the Caracas and Casablanca offices to member servers. Lucerne Publishing wants the client computers that have been upgraded to Windows 2000 to take over the registration of DNS resource records. To do this, you must make the DHCP servers members of the DNSUpdateProxy group to prevent the DHCP server from taking ownership of the DNS resource records.

If the Caracas and Casablanca DHCP services remain on DCs, it's possible to overwrite the DC's DNS resource records or the static DNS resource records. Additionally, the DHCP servers should be configured to perform dynamic updates on behalf of all DNS clients that don't support dynamic updates.

Lesson Summary

DHCP is a key service on most Windows 2000 networks. If an unauthorized DHCP server is introduced on the network, the results can range from a temporary loss of connectivity to the loss of data to an unauthorized server that poses as the actual server.

Your DHCP deployment plan should include strategies for detecting and preventing unauthorized DHCP servers. You should also consider how the DHCP service will integrate with the DNS service.

Microsoft Corporation - MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security
ISBN: 0735611343
Year: 2001
Pages: 172
