Securing Your Windows Server 2008 DHCP Server
Almost all networks have a DHCP server in place. The DHCP server allows you to automatically assign IP addressing information to hosts on your network. In most cases, there is a DHCP server on each site so that if the WAN link goes down, computers will be able to obtain an IP address. Almost all client systems should be using DHCP to obtain IP addressing information. In most cases, you will want to assign static addresses to your servers.
DHCP is therefore a critical service. If the DHCP server goes down, and there are no other DHCP servers available on the network, clients will not be able to obtain IP addressing information and will no longer be able to connect to other computers on the network. Thus, a downed DHCP server essentially leads to a denial of service.
Given how important DHCP is to the integrity of your network communications, you should take steps to secure your DHCP server against attack by intruders. Here's a short list of some of the best things you can do to help secure your DHCP server:
- Dedicate a computer to the DHCP server role. This reduces the attack surface on the server handling this mission-critical network service.
- Deploy your DHCP server on Server Core. This reduces the overall attack surface on the DHCP server machine.
- Remove rogue DHCP servers. You can use the DHCPLoc command line tool found in the \\Support\Tools folder on the Windows Server 2008 DVD.
- Add DHCP reservations and exclusion addresses. One way to assign static addresses to servers is to create DHCP reservations for server addresses. This is one way to manage your static IP address infrastructure. Make sure to create exclusions for these addresses.
- Restrict DHCP security group membership. DHCP Administrators have the right to administer the DHCP server. This allows members of this group to manage the DHCP server without needing to be a domain member.
- Make DHCP servers members of the DnsUpdateProxy group.
- Make sure that the Windows Firewall with Advanced Security is enabled on the machine and allows only the required protocols through to the machine.
These are just some basic things you can do to help increase the security of your DHCP servers.
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)