Dr. Tom Shinder’s Blog RSS

All Blogs  »  Dr. Tom Shinder's Blog  »  Microsoft Security Space  »  Blog article: Securing Your Windows Server 2008 DHCP Server

Securing Your Windows Server 2008 DHCP Server

Almost all networks have a DHCP server in place. The DHCP server allows you to automatically assign IP addressing information to hosts on your network. In most cases, there is a DHCP server on each site so that if the WAN link goes down, computers will be able to obtain an IP address. Almost all client systems should be using DHCP to obtain IP addressing information. In most cases, you will want to assign static addresses to your servers.

DHCP therefore is a critical service. If the DHCP server goes down, and there are no other DHCP servers available on the network, clients will not be able to obtain IP addressing information and will no longer be able to connect to other computers on the network. Thus, a downed DHCP server essentially leads to denial of service.

Given how important DHCP is to the integrity of your network communications, you should do some things to help secure your DHCP server to prevent it from being attacked by intruders. Here’s a short list of some of the best things you can do to help secure your DHCP server:

  • Dedicate a computer to the DHCP server role. This reduces the attack surface on the server handling this mission critical network service
  • Deploy your DHCP server on Server Core. This reduces the overall attack surface on the DHCP server machine
  • Remove Rogue DHCP servers. You can use the DHCPLoc command line tool found in the \\Support\Tools folder on the Windows Server 2008 DVD
  • Add DHCP reservations and exclusion addresses. One way to assign static addresses to servers is to create DHCP reservations for server addresses. This is one way to manage your static IP address infrastructure. Make sure to create exclusions for these addresses
  • Restrict DHCP Security Group Membership. DHCP Administrators have the right to admin the DHCP server. This allows members of this group to manage the DHCP server without needing to be a domain member
  • Make DHCP servers members of the DnsUpdateProxy group
  • Make sure that the Windows Firewall with Advanced Security is enabled on the machine, allowing only required protocols to be allowed through the machine

These are just some basic things you can do to help increase the security of your DHCP servers.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

This entry was posted on Thursday, March 27th, 2008 at 6:28 pm and is filed under Microsoft Security Space. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Securing Your Windows Server 2008 DHCP Server”

  1. IP Says:

    April 28th, 2008 at 4:32 am

    What kind of DHCP server attack usually occured? Can somebody takeover the DCHP server?

Leave a Reply

This is a captcha-picture. It is used to prevent mass-access by robots. (see: www.captcha.net)

You must read and type the 6 chars within 0..9 and A..F, and submit the form.

  

If CAPTCHA image is missing or you cannot read the characters above, please generate a


Receive all the latest articles by email!

Receive Real-Time & Monthly WindowSecurity.com article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become a WindowSecurity.com member!

Discuss your security issues with thousands of other network security experts. Click here to join!

Community Area

Log in | Register

Solution Center