This article explains how you can use DHCP Class IDs to control which clients obtain an address from a network running the Microsoft DHCP Server service.
Microsoft DHCP Server supports user classes, identified by a Class ID. You can use a Class ID to distinguish the desktops and laptops that are part of your network and receive their IP addresses from this DHCP server from machines that have not been configured with it.
On the DHCP server you define the Class ID. You must configure the same ID on all client machines so that the DHCP packets they send carry a class the server recognises. You set the Class ID on client machines with the *Ipconfig /setclassid* command.
Prevent computers from obtaining an IP address from the DHCP server if they are not authorized
In this design a computer is treated as authorized to obtain an IP address only when it is configured with the Class ID you defined on the MS DHCP Server. Keep in mind what the Class ID actually is: DHCP option 77 (User Class), a text string sent in the clear in every DHCP request, settable by anyone with local administrator rights on the client, and readable by non-Microsoft DHCP servers as well. It identifies a client configuration, not an authenticated machine.
We secure the DHCP network using *MS Class Options*: in Windows Server 2003 and earlier a user class can only select different option values within a scope; handing out addresses from a separate range per class requires DHCP policies, which are available from Windows Server 2012 onwards.
Configuring a Class ID on a client with *Ipconfig /setclassid* does not by itself stop that client from accepting an offer from any other DHCP server on the network, and by default the DHCP server does not drop a request whose Class ID it does not recognise: it answers from the ordinary scope for the client's subnet. A request is left unanswered only when the server has no matching class configuration *and* no other scope that covers the client.
This is what happens when you implement Class IDs on your network:
1. A computer plugs into your network.
2. The DHCP client service starts and broadcasts a request for an IP address (assume this is a new computer and it has been configured with the Class ID).
3. The DHCP server works through its database to decide which scope, if any, the request belongs to: a class-specific range, an ordinary scope, or a superscope when the request is relayed from a different network ID:
a. If the DHCP packet carries a Class ID, the server looks for a class configuration with the same ID. If it finds one, it leases an address to the client from that class's range and stops here.
b. Otherwise the server falls back to the *DHCP scope for the same subnet*. Here the server can lease an address from an ordinary scope to any client, whether or not it carries a Class ID. This is where the DHCP security is failing, so no such scope may exist. If there is no other scope, the request is dropped.
c. If the client is not on the same subnet (the request arrives through a relay), the server checks the *DHCP superscope for that subnet* in the same way; condition b applies there as well.
4. If none of the conditions above produces a lease, the DHCP server drops the packet and the client falls back to an APIPA address (169.254.x.x). The client is then effectively off the network and cannot participate in it.
Restrict IP addresses to known MAC addresses (whether static or DHCP) for the case where an unauthorized machine can physically connect to the network.
1. Create a user class on your DHCP server.
2. Define a scope for these known machines only.
3. Create a unique Class ID for this scope.
4. Configure the client machines with *Ipconfig /setclassid*, setting the Class ID you configured on the DHCP server.
Now when the DHCP server receives a packet from a client machine configured with the same Class ID, it goes through its scopes to check whether the client belongs to any class you have configured on the DHCP server.
If the DHCP server finds a class with the same Class ID, it leases an address *ONLY* from that class's range within the scope that matches the client's subnet (the server selects the scope from the interface or relay address the request arrived on, so the class does not override subnet selection). Condition a above applies in this scenario.
1. This is how you can secure your DHCP server with Class IDs.
2. This only applies when client machines are configured to obtain an IP address automatically from a DHCP server. A DHCP server cannot control a machine that never asks it for an address, so if a client is configured with a static IP address this does nothing. To prevent that you have to act on the client itself (lock down the DHCP client service, unregister the relevant DLL, or set permissions in the registry so users cannot save network settings) or on the network (switch port security, 802.1X).
3. You should not have any other scope configured on your DHCP server without a Class ID. If you do, the DHCP server can lease addresses from that scope whenever a client's request arrives without Class ID information. You can use plain scopes or Class-ID-restricted scopes, but not both at the same time if the restriction is to hold. Check conditions a, b and c described earlier in this article.
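The conditions a to c and the class-restricted scope procedure above, as an added example that is not part of the original article: a Python script that builds a DHCPDISCOVER carrying option 77 (User Class, the field *Ipconfig /setclassid* populates), parses the option back out the way a server would, and models a scope with a class-specific pool and an optional class-less default pool. The class name CorpDesktop, the MAC addresses and the 10.0.0.0/24 ranges are constructed for the example, and the Scope class is a simplified model of class handling (option-only classes before Windows Server 2012, policy-based ranges after), not the Windows DHCP Server's own code.

```python
"""Added example, not code from the original article.
DHCP option 77 (User Class), which `ipconfig /setclassid` populates on Windows,
travels in the clear in every DISCOVER/REQUEST.  Build such a packet, parse the
option back out, and model how a class-aware server picks a lease range.
Class name, MACs and address ranges below are constructed for the example."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

OPT_PAD, OPT_MSG_TYPE, OPT_USER_CLASS, OPT_END = 0, 53, 77, 255
DHCPDISCOVER = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(mac: bytes, user_class: Optional[str]) -> bytes:
    """Minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,   # xid (constructed), secs, flags=broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if user_class is not None:
        data = user_class.encode("ascii")
        # Plaintext, unsigned payload: any local administrator can set any value.
        options += bytes([OPT_USER_CLASS, len(data)]) + data
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet: bytes) -> dict:
    """Return {option code: raw value}; reject non-DHCP or truncated input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing END option")


def user_class_of(packet: bytes) -> Optional[str]:
    raw = parse_options(packet).get(OPT_USER_CLASS)
    return raw.decode("ascii", "replace") if raw is not None else None


@dataclass
class Scope:
    """Per-class pools plus the class-less default pool the article says to remove."""
    class_pools: dict                       # class name -> (first, last)
    default_pool: Optional[tuple] = None    # (first, last) or None
    next_free: dict = field(default_factory=dict)

    def _take(self, key: str, pool: tuple) -> Optional[str]:
        first, last = (ipaddress.IPv4Address(a) for a in pool)
        addr = self.next_free.get(key, first)
        if addr > last:
            return None                     # pool exhausted
        self.next_free[key] = addr + 1
        return str(addr)

    def offer(self, packet: bytes) -> Optional[str]:
        cls = user_class_of(packet)
        if cls in self.class_pools:         # condition a: class matched
            return self._take(cls, self.class_pools[cls])
        if self.default_pool is not None:   # condition b: served anyway
            return self._take("default", self.default_pool)
        return None                         # no OFFER -> client ends on APIPA


def demo() -> dict:
    """Four requests against a locked scope and a leaky one (constructed data)."""
    authorized = build_discover(bytes.fromhex("00155d010203"), "CorpDesktop")
    stranger = build_discover(bytes.fromhex("00155d0a0b0c"), None)
    spoofer = build_discover(bytes.fromhex("00155d0d0e0f"), "CorpDesktop")
    pools = {"CorpDesktop": ("10.0.0.100", "10.0.0.199")}
    locked = Scope(dict(pools))                                 # no default pool
    leaky = Scope(dict(pools), default_pool=("10.0.0.10", "10.0.0.99"))
    return {
        "locked/authorized": locked.offer(authorized),   # 10.0.0.100
        "locked/no_class": locked.offer(stranger),       # None -> APIPA
        "locked/copied_class": locked.offer(spoofer),    # 10.0.0.101: a string, not a credential
        "leaky/no_class": leaky.offer(stranger),         # 10.0.0.10: default pool leaks
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

Running it shows the four outcomes the article's conditions predict: the configured client gets 10.0.0.100; a client without a class gets nothing from the locked scope and ends up on APIPA; a host that simply copies the class string gets 10.0.0.101, which is why the Class ID separates managed from unmanaged configurations but does not authenticate anyone; and the same class-less host gets 10.0.0.10 as soon as a class-less default pool exists, the failure described in point 3 above.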
DHCP Security:
The following articles address only how to secure against or detect rogue DHCP servers running in a network. They are worth reading.
If your DHCP clients are all Windows 2000 or newer, this approach works reasonably well. If you have clients that need DHCP but are not Windows 2000 or newer, it won't work for them.
Class ID won’t work for:
Windows 9x/NT clients
PXE boot clients/other boot clients (Altiris Bootworks)
Non-Windows clients (Linux and Mac are most common)