DHCP Security (Recommendations)


I decided to write this article about the DHCP security features which I recommend to all admins who are responsible for Domain Controllers, DHCP, DNS, NPS, PKI, etc. What I have observed in my career so far is that many administrators do not configure all of the DHCP security settings. Below are some examples I have experienced in my career.

1. We had a host record "WATCH" which pointed to the IP address of a server. A user came in with his home MacBook and connected the office LAN cable to it. Our bad luck was that his MacBook's name was also "WATCH", and the record's IP address was replaced by the IP address of the MacBook.

2. We have a Wi-Fi scope for visitors. One day, someone came for an interview and connected his iPad to our visitor Wi-Fi. Suddenly our Exchange team emailed me that their "SPAM" server logs had stopped working, please rectify it. When I checked, they had a DNS A record named SPAM which had been modified to a visitor Wi-Fi IP address. After checking further, we found that the iPad of the visitor who had come for the interview was named SPAM. UUUfffffff..

3. In my first organisation, there was a problem of duplicate host records, and most of the teams like security, Exchange and SCCM were totally fucked up due to this issue. If you wanted to deploy something to system A, it went to system D. If you needed to run a script remotely on system D, it went to system G. Totally messed up.

Here are the settings which I recommend for every admin.
A. Let DHCP own the DNS records.
B. Name Protection.
C. Disable DNS record creation for some scopes.

Let DHCP own the DNS records (DHCP Credentials)
This is the first step we need to configure. After this, all DHCP scopes will register records under the control of your DHCP service account: DHCP will create the system's DNS record, not the system itself. The main reason for this step is that all systems' DNS entries will be created, modified and deleted by the DHCP service account. So let's do it.

Step 1: Create a service account and name it whatever suits you best. In my case, I made DHCPown. There is no need to add it to any security group; just leave it as a "Domain User" only.
Step 2: Open the DHCP console and add your DHCP server to it.
Step 3: Expand your DHCP server in the DHCP console. Right-click on "IPv4" or "IPv6", then click on Properties.
Step 4: Click on "Advanced", then click on "Credentials", as shown in the image below.
Step 5: Enter your DHCP service account in Username, without the domain name.
Step 6: Enter your domain name in Domain.
Step 7: Enter the service account password in Password and Confirm Password. (Make sure they are correct and that the password is set to never expire.)
Step 8: If you have multiple DHCP servers across multiple sites, you have to add the credentials on all of them.
Step 9: Once all your DHCP servers are configured with DHCP credentials, it is time to give the DHCP service account access on your DNS as well.
Step 10: On DNS, you can either give it FULL CONTROL on the DNS server or on the forward lookup zone, which would mainly be your domain (e.g. contoso.com). In my case, I just added the DHCP service account to my main domain forward lookup zone (domain.local) with FULL CONTROL, because I also have other zones configured as secondary and stub zones which are totally separate from my main working area. So be careful when you make this decision.

Name Protection
After this second step, a non-Windows DNS record will not be able to take the place of a Windows DNS record.
Step 1: You can configure this setting scope-wise or server-wise, so it depends on your need. In my case, I configured it on all servers.
Step 2: Log in to your DHCP server and open the DHCP console.
Step 3: Expand to IPv4, right-click on it and click on "Properties".
Step 4: Click on the "DNS" tab, then click on "Configure" under "Name Protection", as shown in the image below.
Step 5: Check "Enable Name Protection".
Step 6: If you are doing it scope-wise, you have to repeat the same steps on all scopes. If it is server-wise, you have to do it on all servers.

Disable DNS Creation
If you have DHCP scopes which are mainly for visitors and mobile devices, for which there is no need to create DNS records, it is a best practice to disable DNS creation in their scope settings. It reduces unnecessary DNS record creation and avoids problems with important DNS records.

Step 1: Right-click on the DHCP scope and click on "Properties".
Step 2: Click on the "DNS" tab and clear the check box "Enable DNS dynamic updates according to the settings below:", as shown in the image below.
Step 3: Once this option is unchecked, no DNS record will be created for any lease from this scope.
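The same three settings (DHCP credentials, Name Protection, no dynamic updates for a visitor scope) applied with the DhcpServer PowerShell module instead of the console, followed by an audit of every scope. This is an added example, not part of the original article; the server name DHCP01, the account CONTOSO\DHCPown and the visitor scope 192.168.50.0 are assumed, and the DNS zone permission from Step 10 is still granted as described above.

```powershell
# Added example (not from the article). Assumed names: DHCP01, CONTOSO\DHCPown,
# visitor scope 192.168.50.0. Run in an elevated session with the DhcpServer module.
Import-Module DhcpServer

$DhcpServer   = 'DHCP01'
$VisitorScope = '192.168.50.0'

# A. Let DHCP own the DNS records: the server registers, updates and deletes
#    A/PTR records under this account instead of each client doing it itself.
$cred = Get-Credential -UserName 'CONTOSO\DHCPown' -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# B. Name Protection at the server (IPv4) level. The server then writes a DHCID
#    record with each registration and will not overwrite an existing name that
#    belongs to a different client, which is what the WATCH and SPAM incidents were.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -NameProtection $true `
    -DynamicUpdates OnClientRequest -DeleteDnsRROnLeaseExpiry $true

# C. No DNS registration at all for the visitor / mobile scope.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $VisitorScope `
    -DynamicUpdates Never

# Audit: one row per scope so a scope that still registers names stands out.
function Get-DhcpDnsAudit {
    param([string]$ComputerName)
    Get-DhcpServerv4Scope -ComputerName $ComputerName | ForEach-Object {
        $s = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $_.ScopeId
        [pscustomobject]@{
            Scope          = $_.ScopeId
            Name           = $_.Name
            DynamicUpdates = $s.DynamicUpdates
            NameProtection = $s.NameProtection
            DeleteOnExpiry = $s.DeleteDnsRROnLeaseExpiry
        }
    }
}

Get-DhcpServerDnsCredential -ComputerName $DhcpServer    # should show DHCPown
Get-DhcpDnsAudit -ComputerName $DhcpServer | Format-Table -AutoSize
```

Repeat the first two `Set-` calls against each DHCP server in the environment, as the article requires in Step 8 and Step 6.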

After these three settings, you have done most of the main security settings to make your DHCP more reliable and more secure.

Suggestions are most welcome.

Supporting articles: Name Protection, DHCP Credentials
