Security information for DHCP

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

It is important to follow best practices for security when using DHCP servers on your network. For more information, see Best practices for security.

The following are known security issues for DHCP and related protocols:

  • DHCP is an unauthenticated protocol.

    When a user connects to the network, the user is not required to provide credentials in order to obtain a lease. An unauthenticated user can, therefore, obtain a lease for any DHCP client whenever a DHCP server is available to provide a lease. Any option values that the DHCP server provides with the lease, such as WINS server or DNS server IP addresses, are available to the unauthenticated user. If the DHCP client is identified as a member of a user class or vendor class, the options that are associated with the class are also available.

    Malicious users with physical access to the DHCP-enabled network can instigate a denial-of-service attack on DHCP servers by requesting many leases from the server, thereby depleting the number of leases that are available to other DHCP clients.

    Recommendations:

    • Ensure that unauthorized persons do not have physical or wireless access to your network.

    • Enable audit logging for every DHCP server on your network. Regularly check audit log files, and monitor them when the DHCP server receives an unusually high number of lease requests from clients. Audit log files provide the information that you need to track the source of any attacks made against the DHCP server. The default location of audit log files is %windir%\System32\Dhcp. For more information, see Enable DHCP server logging, Audit logging, and Analyzing server log files. You can also check the system event log for explanatory information about the DHCP Server service.

      Note

      When clients running Microsoft® Windows® XP use 802.1X-enabled local area network (LAN) switches or wireless access points to access the network, authentication occurs before the DHCP server assigns a lease, thereby providing greater security for DHCP.

  • Denial-of-service attacks against the DNS server can be made through the DHCP server.

    When the DHCP server is configured to act as a DNS proxy server for DHCP clients and to perform DNS dynamic updates, it is possible for a malicious user to perform a denial-of-service attack against both the DHCP server and the DNS server by flooding the DHCP server with requests for leases.

    Recommendations:

    • Ensure that unauthorized persons do not have physical or wireless access to your network.

    • Use the DHCP audit logs, located by default at %windir%\System32\Dhcp, to monitor DNS dynamic updates by the DHCP server. The following event IDs are used for DNS dynamic update events:

      Event ID    DHCP Event
      30          DNS dynamic update request to the DNS server
      31          DNS dynamic update failed
      32          DNS dynamic update successful

      The IP address of the DHCP client is included in the DHCP audit log, providing the ability to track the source of the denial-of-service attack. For more information, see Analyzing server log files and Audit logging.

  • Unauthorized, non-Microsoft DHCP servers can lease IP addresses to DHCP clients.

    Only DHCP servers running Windows 2000 or Windows Server 2003 can be authorized in Active Directory®. If a DHCP server running Windows 2000 or Windows Server 2003 discovers it is not authorized in Active Directory, the DHCP server stops servicing DHCP clients. Because of this authorization feature, if a malicious or incompetent user installs an unauthorized DHCP server running Windows 2000 or Windows Server 2003 on the organization network, the server cannot assign incorrect or conflicting leases, configure DHCP clients with inaccurate options, or disrupt network services.

    Non-Microsoft DHCP server software does not include the authorization feature that is included in Windows 2000 and Windows Server 2003 DHCP. Because DHCP clients broadcast DHCP discover messages to the nearest DHCP server, if a malicious user installs a non-Microsoft DHCP server on the organization network, nearby DHCP clients will receive incorrect leases that might conflict with the IP addresses assigned to other DHCP clients on the network. In addition, DHCP clients that obtain a lease from the non-Microsoft DHCP server can be configured by the server with option information that is inaccurate. This might reroute network traffic, causing the network to function improperly.

    Recommendation:

    • Ensure that unauthorized persons do not have physical or wireless access to your network.
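The audit-log checks recommended above (watching for an unusually high number of lease requests, and tracking DNS dynamic update events 30, 31 and 32 by client IP address) can be scripted. The following is an added example, not Microsoft code: it assumes the comma-separated column layout shown in `HEADER`, assumes event ID 10 marks a newly assigned lease, and runs on a constructed sample log with a hypothetical threshold.

```python
import csv
from collections import Counter, defaultdict

# Event IDs 30/31/32 are the DNS dynamic update IDs listed on this page.
DNS_UPDATE = {"30": "request", "31": "failed", "32": "successful"}
NEW_LEASE = "10"  # assumption: ID the audit log uses for a newly assigned lease
HEADER = "ID,Date,Time,Description,IP Address,Host Name,MAC Address"  # assumed layout

# Constructed sample; real files start with a free-text preamble before the header.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
(constructed preamble text)
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/14/05,09:00:01,Assign,192.0.2.10,pc-a.example.test,00AABBCC0001
30,03/14/05,09:00:01,DNS Update Request,192.0.2.10,pc-a.example.test,
32,03/14/05,09:00:02,DNS Update Successful,192.0.2.10,pc-a.example.test,
10,03/14/05,09:05:10,Assign,192.0.2.21,,020000000001
10,03/14/05,09:05:11,Assign,192.0.2.22,,020000000002
10,03/14/05,09:05:12,Assign,192.0.2.23,,020000000003
30,03/14/05,09:05:12,DNS Update Request,192.0.2.23,x.example.test,
31,03/14/05,09:05:13,DNS Update Failed,192.0.2.23,x.example.test,
31,03/14/05,09:05:14,DNS Update Failed,192.0.2.23,x.example.test,
truncated,line
"""

def parse_audit_log(text):
    """Return data rows as dicts, skipping the preamble and malformed lines."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = lines.index(HEADER)
    except ValueError:
        return []  # no recognizable header: not an audit log in the assumed layout
    fields = HEADER.split(",")
    return [dict(zip(fields, r)) for r in csv.reader(lines[start + 1:])
            if len(r) == len(fields) and r[0].isdigit()]

def lease_bursts(rows, threshold):
    """Minutes in which at least `threshold` new leases were assigned."""
    per_minute = Counter((r["Date"], r["Time"][:5]) for r in rows if r["ID"] == NEW_LEASE)
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

def dns_update_counts(rows):
    """Per client IP address, count DNS dynamic update events by outcome."""
    out = defaultdict(Counter)
    for r in rows:
        if r["ID"] in DNS_UPDATE:
            out[r["IP Address"]][DNS_UPDATE[r["ID"]]] += 1
    return out

if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_LOG)
    print("lease bursts:", lease_bursts(rows, threshold=3))
    for ip, counts in dns_update_counts(rows).items():
        print(ip, dict(counts))
```

Bursts are counted per minute rather than per MAC address because a client requesting many leases can present a different hardware address on each request.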

Additional recommendations

Before you install and configure DHCP for your network, consider:

  • Restricting who can administer the DHCP service.

    You must be a member of the Administrators group or the DHCP Administrators group to administer DHCP servers using the DHCP console or the Netsh commands for DHCP. In addition, only members of the Domain Admins group can authorize or unauthorize a DHCP server in Active Directory. Restrict the membership of these groups to the minimum number of users necessary to administer the server.

    If there are users who need read-only access to the DHCP console, add them to the DHCP Users group instead of to the DHCP Administrators group. For more information, see DHCP groups.