Preventing Rogue DHCP Servers

Authorizing DHCP servers in the directory is useful or needed only for DHCP servers running Windows 2000 Server. Where this scheme is used, authorization is neither used nor needed under the following conditions:

  • DHCP servers are running earlier versions of Windows NT Server, such as version 3.51 or 4.0.

  • DHCP servers are running other DHCP server software.

For the directory authorization process to work properly, it is necessary that the first DHCP server introduced onto your network participate in the Active Directory service. This requires that the server be installed as either a domain controller or a member server. When you are either planning for or actively deploying Active Directory services, do not install your first DHCP server computer as a stand-alone server.

Most commonly, there will be only one enterprise root and therefore only a single point for directory authorization of the DHCP servers. However, there is no restriction on authorizing DHCP servers for more than one enterprise root.

When configured correctly and authorized for use on a network, DHCP servers provide a useful and intended administrative service. However, when a misconfigured or unauthorized DHCP server is introduced into a network, it can cause problems. For example, if a rogue DHCP server starts, it can begin leasing incorrect IP addresses to clients or negatively acknowledging DHCP clients attempting to renew their current address lease.

Either of these misconfiguration problems can produce further problems for DHCP-enabled clients. For example, clients that obtain a configuration lease from the unauthorized server can then fail to locate valid domain controllers, preventing clients from successfully logging on to the network.

Windows 2000 Server provides some integrated security support for networks that use Active Directory. This avoids most of the accidental damage caused by running DHCP servers with wrong configurations or on the wrong networks.

This support adds an object type (the DhcpServer object) to the base directory schema, which provides the following enhancements:

  • A list of IP addresses available for the computers that you authorize to operate as DHCP servers on your network.

  • Detection of rogue DHCP servers and prevention of their starting or running on your network.

Note

For the directory authorization process to work properly, it is necessary that the first Windows 2000 DHCP server introduced onto your network participate in the Active Directory service. This requires that the server be installed in a domain (as either a domain controller or a member server), and not in a workgroup. When you are either planning for or actively deploying Active Directory services, do not elect to install your first DHCP server as a workgroup server. You must have enterprise administrator rights to authorize a DHCP server in the Active Directory.

How DHCP Servers Are Authorized

The authorization process for DHCP server computers in Active Directory depends on the role of the server on your network. For Windows 2000 Server (as in earlier versions) there are three roles, or server types, in which each server computer can be installed:

  • Domain controller. The computer keeps and maintains a copy of the Active Directory service database and provides secure account management for domain member users and computers.

  • Member server. The computer is not operating as a domain controller but has joined a domain in which it has a membership account in the Active Directory database.

  • Stand-alone server. The computer is not operating as a domain controller or a member server in a domain. Instead, the server computer is made known to the network through a specified workgroup name, which can be shared by other computers but is used only for browsing purposes and not to provide secured logon access to shared domain resources.

If you deploy Active Directory, all computers operating as DHCP servers must be either domain controllers or domain member servers before they can be authorized in the directory service or start providing DHCP service to clients. When a DHCP server is authorized, the server computer is added to the list of authorized DHCP servers maintained in the directory service database.

How Unauthorized Servers Are Detected

The DHCP implementation under Windows 2000 Server provides detection of both authorized and unauthorized DHCP servers in two ways:

  • The use of information messaging between DHCP servers using the DHCPInform message.

  • The addition of several new vendor-specific option types, used for communicating information about the directory service enterprise root.

The Windows 2000 DHCP service uses the following process to detect other DHCP servers currently running on the reachable network and determine if they are authorized to provide service.

When the DHCP service starts, it sends a DHCPInform request message to the reachable network, using the local limited broadcast address (255.255.255.255), to locate the directory service enterprise root on which other DHCP servers are installed and configured.

This message includes several vendor-specific option types that are known and supported by other DHCP servers running Windows 2000 Server. When received by other DHCP servers, these option types provide for the query and retrieval of information about the directory service enterprise root.

When queried, other DHCP servers reply with DHCPAck messages to acknowledge and answer with directory service enterprise root information. In this way, the initializing DHCP server collects and compiles a list of all currently active DHCP servers on the reachable network, along with the root of the directory service enterprise used by each server.

Typically, only one single enterprise root is detected: the same one for all DHCP servers that are reachable and that respond to acknowledge the initializing server. However, if additional enterprise roots are detected, each root is queried in turn to see if the computer is authorized for DHCP service for those other enterprises discovered during this phase.

After a list is built of all DHCP servers running on the network, the next step in the detection process depends on whether a directory service is available from the local computer.

If the directory service is not available (such as where the initializing DHCP server is installed in a confined network environment used for testing), the initializing server can start if no other DHCP servers are discovered on the network that are part of any enterprise. When this condition is met, the server successfully initializes and begins serving DHCP clients.

However, the server continues every 5 minutes to collect information about other DHCP servers running on the network, using DHCPInform as it did at startup. Each time, it checks to see whether the directory service is available. If a directory service is found, the server makes sure it is authorized, following the procedure that applies to its role (member server or stand-alone server):

  • For member servers (a server joined to some domain that is part of the enterprise), the DHCP server queries the directory service for the list of DHCP server addresses that are authorized.
    If the server finds its IP address in the authorized list, it initializes and starts providing DHCP service to clients. If it does not find itself in the authorized list, it does not initialize, and stops providing DHCP services.

  • For stand-alone servers (a server not joined to any domain or part of an existing enterprise), the DHCP server queries the directory service with the root of the enterprise returned by each of the other DHCP servers to see if it can find itself on the authorized list with any of the reported enterprises.
    The server initializes and starts providing DHCP services to clients only if the server finds its IP address in the authorized list for each of the enterprise roots reported by other DHCP servers. If it does not find itself in the authorized list for each of the reported enterprise roots, it does not initialize, and the DHCP service is stopped.
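The following is an added example, not part of the original documentation or of the Windows 2000 DHCP service, that models the start-up decision described in the detection and authorization sections above: the enterprise roots collected from DHCPAck replies, the "no directory available" rule, and the member-server and stand-alone-server checks. The DHCPAck replies are assumed to be already parsed into (server IP, enterprise root) pairs, and the directory's DhcpServer authorization data is represented as a plain mapping; wire formats and option codes are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Reply:
    """One DHCPAck received in answer to the start-up DHCPInform broadcast."""
    server_ip: str
    enterprise_root: Optional[str]   # None: the replying server belongs to no enterprise

@dataclass
class Directory:
    """Authorized DHCP server addresses per enterprise root (the DhcpServer objects)."""
    authorized: Dict[str, Set[str]] = field(default_factory=dict)

    def is_authorized(self, root: str, ip: str) -> bool:
        return ip in self.authorized.get(root, set())

def discovered_roots(replies: List[Reply]) -> Set[str]:
    """Compile the enterprise roots reported by the reachable DHCP servers."""
    return {r.enterprise_root for r in replies if r.enterprise_root}

def may_start(my_ip: str, role: str, my_root: Optional[str],
              replies: List[Reply], directory: Optional[Directory]) -> bool:
    """Decide whether the initializing server may serve clients.

    role is "member" or "standalone"; my_root is the root of the domain a member
    server joined (None for stand-alone); directory is None when no directory
    service is reachable from the local computer.
    """
    roots = discovered_roots(replies)
    if directory is None:
        # No directory: start only if no discovered server is part of any enterprise.
        return not roots
    if role == "member":
        # Member server: must appear in its own enterprise's authorized list.
        return directory.is_authorized(my_root, my_ip)
    # Stand-alone server: must be authorized for every reported enterprise root.
    # (With no reported root the check is vacuous; the documentation does not
    # spell out that case, so this is an assumption of the example.)
    return all(directory.is_authorized(r, my_ip) for r in roots)

if __name__ == "__main__":
    # Constructed sample data: two enterprise roots and three responding servers.
    directory = Directory({"corp.example": {"10.0.0.5"},
                           "lab.example": {"10.0.0.5", "10.0.0.9"}})
    replies = [Reply("10.0.0.9", "corp.example"),
               Reply("10.0.0.7", "lab.example"),
               Reply("10.0.0.3", None)]
    print("member  10.0.0.5:", may_start("10.0.0.5", "member", "corp.example", replies, directory))
    print("member  10.0.0.9:", may_start("10.0.0.9", "member", "corp.example", replies, directory))
    print("standalone 10.0.0.9:", may_start("10.0.0.9", "standalone", None, replies, directory))
```

Running the same decision every 5 minutes with freshly collected replies, and stopping service when it returns False, gives the periodic re-check the text describes.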