DHCP Best Practices and DC

Question
I've read that you should NOT run DHCP on a DC. What is the reason for this: security? performance? other? I've only got a couple hundred PCs on my net and I believe my DCs could easily handle it from a performance standpoint. Thanks for your help.
Curt, Tuesday, March 10, 2009 10:22 PM
Answers
1. "Always dynamically update DNS A and PTR records" - This means we are asking DHCP to register DNS records on behalf of client machines. As we run DHCP on a DC, DHCP will not register records in DNS unless we set credentials (standard user credentials). You can create one user and use its credentials for DNS registration; you don't need to use admin accounts.
2. Instead of the above option you can use another option, "Dynamically update A and PTR records only if requested by DHCP client machines". If we select this option, the client will register A records and DHCP will register PTR records. We need to set credentials for registering PTR records.
We need to use one of the above two options.
3. "Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)" - This option can be selected if we have network printers/down-level clients (95/98/NT) or third-party OSes that don't have DDNS functionality. If we uncheck it, the mentioned clients will be unable to register themselves with DNS.
It's very difficult to crack a DC directly, as when we promote a server to a DC, it enables a lot of security. The DHCP server mostly interacts with clients directly, and for that reason there is a good chance a hacker will try to exploit it with malicious discover packets to duplicate IP requests, get details about the network IP range, etc. He can even use the DHCP server service to act as a proxy for remote execution of malicious code.
If we are using encrypted traffic on the network, unknown users will be unable to track what traffic we are sending over the wire.
Hope this helps.
- Marked as answer by Elisa Willman Monday, March 30, 2009 11:31 PM
Friday, March 13, 2009 12:08 AM
All replies
I will say it's both.
1. The DHCP server service runs under the "Local System" account - one of the most powerful accounts on a Windows machine (even more than Admin). Someone can use the DHCP server service to bring down the complete box. The DHCP server service is also used to register records in DNS, which again allows records to be registered with admin accounts (DC), again not recommended from a security point of view.
2. It can hurt performance if we use a very short DHCP lease period (less than 8 hours) or we have applications which access domain controllers for GC info/LDAP requests/authentication, etc.
I believe with a couple of hundred clients, performance will not be a big challenge for you (assuming the DC is running on a good hardware config). We cannot run the DHCP server service under any other account; it has to run under the "Local System" account. If you have good security protection in place (firewall/users with minimal permissions, etc.) and internal users don't have admin permission on the DC, you will be good.
Hope this helps.
- Proposed as answer by Shilpesh Desai MSFT Wednesday, March 11, 2009 3:07 AM
Wednesday, March 11, 2009 3:07 AM
Hi,
I would lean more towards the security aspect as to why you should not install DHCP on your DC.
When installed on a domain controller, the DHCP Server service inherits the security permissions of the DC computer account and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (I'm assuming you have enabled secure dynamic updates).
Please allow me to quote the following Technet article:
http://technet.microsoft.com/en-us/library/cc787034.aspx
"When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers). It is necessary to configure a dedicated user account and configure the DHCP server with the account credentials under the following circumstances:
- A domain controller is configured to function as a DHCP server.
- The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
- The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.
Once you have created a dedicated user account, you can configure DHCP servers with the user account credentials by using the DHCP console or by using the Netsh DHCP context command server set dnscredentials."
Performance may play a part depending on how big your client base is and how you configure your DHCP lease time.
Regards,
Salvador Manaois III
MCITP | Enterprise & Server Admin
MCSE MCSA MCTS CIWA C|EH
Bytes & Badz: http://badzmanaois.blogspot.com
Wednesday, March 11, 2009 5:27 AM
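As an added example, not part of any reply in this thread, here is how the two measures discussed so far fit together in PowerShell: a dedicated low-privilege account for DNS updates (the step the TechNet text quoted above describes, with `netsh dhcp server set dnscredentials` as its command-line form) and the DNS-tab options listed in the marked answer. It assumes the DhcpServer and ActiveDirectory modules, which shipped with Windows Server 2012, so on the 2003/2008-era servers this thread is about only the netsh commands at the bottom apply. The host, domain, account and OU names are placeholders.

```powershell
# Added example: point DHCP-driven DNS registration at a dedicated,
# unprivileged domain user instead of letting the DHCP Server service on a
# domain controller update DNS with the DC's own permissions.
# All names below are placeholders, not values from the thread.
#Requires -Modules DhcpServer, ActiveDirectory
[CmdletBinding()]
param(
    [string]$DhcpServer  = 'dc01.corp.example',
    [string]$Domain      = 'CORP',
    [string]$AccountName = 'svc-dhcp-dns',
    [string]$AccountOU   = 'OU=Service Accounts,DC=corp,DC=example'
)

# 1. A plain domain user: member of Domain Users only, no admin rights.
#    The password is typed in, never stored in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $AccountOU `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'DHCP Server DNS dynamic-update credential (no admin rights)'
}

# 2. Hand that credential to the DHCP server. DNS updates the DHCP service
#    performs are now authenticated as this user, so in a secure-update zone
#    it can only create records and change the ones it owns.
$cred = New-Object System.Management.Automation.PSCredential ("$Domain\$AccountName", $password)
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 3. The DNS-tab options from the marked answer:
#    OnClientRequest = "only if requested by the DHCP client": Windows clients
#      register their own A record, DHCP registers the PTR.
#    Always         = DHCP registers A and PTR on behalf of every client.
#    UpdateDnsRRForOlderClients is the "clients that do not request updates
#      (for example, Windows NT 4.0)" checkbox; leave it off unless you really
#      have printers or down-level hosts with no DDNS support.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $false

# 4. Verify what the server now holds.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer | Format-List
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer | Format-List

# netsh equivalent for Windows Server 2003/2008, run on the DHCP server
# itself. The password appears on the command line, so clear the console
# history afterwards.
#   netsh dhcp server set dnscredentials svc-dhcp-dns CORP <password>
#   netsh dhcp server show dnscredentials
```

The account needs nothing beyond Domain Users; the DHCP server creates the records and thereby becomes their owner, which is all the secure-update ACL requires for later refreshes and deletions.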
Not sure if Curt was looking for overall security or security of the DNS and DHCP integration.
We can allow clients to register records in DNS to avoid the DNS registration issue. The above picture will come into effect if we force DHCP to do DNS registration on behalf of clients.
Wednesday, March 11, 2009 8:14 AM
Hi Shilpesh,
I was assuming that his DNS is AD-integrated (as most MS DNS best-practice articles seem to evangelize) and using the DHCP server to register updates on behalf of the clients. Your earlier answer (point number 1) appears to describe the same thing; correct me if I am wrong. Again, unless he is using DHCP for dynamic updates (AD-integrated DNS), my earlier comment is moot.
Regards,
Salvador Manaois III
MCITP | Enterprise & Server Admin
MCSE MCSA MCTS CIWA C|EH
Bytes & Badz: http://badzmanaois.blogspot.com
Wednesday, March 11, 2009 8:55 AM
Hi Salvador,
Whatever you have mentioned is totally true. I was looking from the overall security perspective of the domain controller.
In Windows 2000 everything used to run under "Local System"; we introduced the "Local Service" and "Network Service" accounts with Server 2003 to reduce the risk of attacks against the system account, which has full control of the box. The DHCP server service still runs under "Local System", which can put the complete DC at risk, along with access to other resources apart from DNS records.
We can install DHCP on a DC and allow clients to do DNS registration, which can avoid DNS registration issues, but the DHCP server service can still put the DC at risk. MS has already rejected the idea of changing the service account for the DHCP Server service.
Whatever you have recommended is true, and if we have DHCP running on a DC, DHCP will not initiate DNS registration unless we add user credentials under the DHCP server properties.
In all, I was looking from the perspective of the overall security risk to the machine - your recommendation is one of them.
Wednesday, March 11, 2009 9:28 AM
Thanks to all who have responded. Your answers are more in-depth than I was expecting. Frankly they are a little over my head. Your responses bring up more questions. Let me ask for a little clarification.
First with regard to DHCP lease period. I’ve always been confused at why people are concerned about a short lease period. Let’s say you have 200 clients and, for some reason you decide to set your lease period to two hours! Every host would try to renew its lease every hour (half the lease period). So, you’d have 200 renewals per hour or about 3.3/minute. I’m guessing each DHCP request/renewal at worst, that would generate 1 broadcast plus a few packets (let’s say 4) sent back and forth between the DHCP server and the client. So, that would be a total of 5 packets per request or 3.3*5=16.5 packets per minute. That doesn’t seem particularly taxing on either the network or the DHCP server. Certainly if you had a lease period of 1 minute, that would be a problem but it doesn't seem like the difference between a 2 hour lease and a 2 day lease would be that much in terms of server/network load. I know my logic is wrong here – just seeking an explanation.
Second – Salvador, are you suggesting that the security issues can be resolved by configuring a dedicated user account?
More background information - I have AD integrated DNS with secure dynamic updates. I’m using a split horizon DNS. That is, only clients on my LAN can access my DNS. Hosts that need to be accessed from outside my LAN have separate DNS entries on an external DNS server and those entries are entered manually into that system. I’m not sure how clients get registered in my internal AD integrated DNS – if they do it themselves or if DHCP is doing it for them. On my Vista box, in the Advanced IPv4 settings the ”Register this connection’s address in DNS” checkbox is selected. My DC is also my DHCP server.
Third - As currently configured, how would my system be insecure? I’m assuming it would have to be a malicious attack from inside my LAN (possible worm initiated). Would it be done by a client requesting a bunch of DHCP leases and forcing bogus entries in my DNS?
Thanks for taking the time to explain this to me. As you can tell from my response, my technical knowledge on these issues isn’t too good.
Curt
Thursday, March 12, 2009 12:07 AM
1. As we have mentioned, with 200 clients you might not run into performance issues even with a short lease period, unless we have an application which is continuously accessing the domain controller.
2. If you open the DHCP MMC, right-click the DHCP server name and click Properties ----> Advanced tab ----> click Credentials.
If the DHCP server is installed on a DC, the DHCP server will not register DNS records on behalf of clients with the default configuration. It will register records only if we specify a dedicated user account.
DHCP server properties ----> DNS tab: what settings have you selected?
If you have the default settings, clients will register DNS records instead of the DHCP server, which means you are very safe with regard to DNS registration issues.
3. In case we run the DHCP server service on a DC, a worm/virus can take advantage of the credentials set for the DHCP service (local system account) and the complete box can be at risk. This can be avoided with good antivirus/firewalls/encryption of data, etc.
Hope this helps.
- Proposed as answer by Shilpesh Desai MSFT Thursday, March 12, 2009 12:33 AM
Thursday, March 12, 2009 12:32 AM
On the DHCP server name, Properties ----> Advanced tab ----> Credentials, the username is the Enterprise Admin account!
Should I change this to something else?
On DHCP server properties ----> DNS tab the following are selected:
Enable DNS dynamic updates according to the settings below
Always dynamically update DNS A and PTR records
Discard A and PTR records when lease is deleted
Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)
It sounds like I should uncheck the first and last one. Is that right? What would be the consequences of unchecking them in terms of the functionality of systems on my network? By default, will systems register themselves in DNS? Is there a GP setting I can use to force them to register themselves in DNS?
You say a worm/virus could take advantage of credentials set for the DHCP service - in what way? Like it would corrupt the DHCP service executables and cause them to do something malicious? It seems like, if a worm gets that far, there are lots of executables that could cause similar problems. How does DHCP increase the risk? Perhaps a malformed DHCP request would be an open door for them to do their dirty work? You say problems can be avoided with good AV/FW/encryption of data. I understand the AV/FW part. What data should be encrypted?
Thanks again for your help.
Curt
Thursday, March 12, 2009 6:30 PM
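Curt found that the DHCP server's DNS credential was the Enterprise Admin account, which is exactly the condition the thread warns against. The audit script below is an added example, not something a poster supplied. It reads the configured credential and DNS-tab settings with the DhcpServer module (Windows Server 2012 and later; on older servers `netsh dhcp server show dnscredentials` and the DHCP MMC give the same information) and flags a credential that belongs to a privileged group, plus the DNS-tab choices discussed above. The server name is a placeholder, and the list of groups treated as privileged is my own assumption.

```powershell
# Added example: audit the DNS dynamic-update configuration of a DHCP server,
# in particular the account it uses to write DNS records.
# The server name and the privileged-group list are assumptions, not values
# from the thread.
#Requires -Modules DhcpServer, ActiveDirectory
param([string]$DhcpServer = 'dc01.corp.example')

$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'DnsAdmins'
)
$findings = New-Object 'System.Collections.Generic.List[string]'

# The account the DHCP Server service itself runs as (LocalSystem on Windows,
# as Shilpesh notes); reported so the record is complete.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DHCPServer'" -ComputerName $DhcpServer
"DHCP Server service account : $($svc.StartName)"

$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
$dns  = Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
"DNS update credential       : $(if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<none>' })"
"Dynamic update mode         : $($dns.DynamicUpdates)"

if (-not $cred.UserName) {
    if ($dns.DynamicUpdates -ne 'Never') {
        # No dedicated account: whatever updates the service performs carry
        # its own security context, on a DC the domain controller's permissions
        # (the TechNet text quoted earlier in the thread).
        $findings.Add('No dedicated DNS credential configured while DHCP performs dynamic updates.')
    }
} else {
    $user = Get-ADUser -Identity $cred.UserName -Server $cred.DomainName
    # Direct group memberships only; nested membership needs a recursive query.
    $groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
    foreach ($g in ($groups | Where-Object { $privilegedGroups -contains $_ })) {
        $findings.Add("DNS credential is a member of privileged group '$g'. Replace it with a plain domain user.")
    }
    if ($user.SID.Value -like '*-500') {
        $findings.Add('DNS credential is the built-in Administrator account (RID 500).')
    }
}

# DNS-tab choices discussed in the thread.
if ($dns.DynamicUpdates -eq 'Always') {
    $findings.Add('"Always dynamically update DNS A and PTR records" is on: DHCP writes both records for every client. "Only if requested by the DHCP client" lets Windows clients register their own A records.')
}
if ($dns.UpdateDnsRRForOlderClients) {
    $findings.Add('Updates for clients that do not request them (NT 4.0 and similar) are on; confirm you still have such clients.')
}
if (-not $dns.DeleteDnsRROnLeaseExpiry) {
    $findings.Add('Records are kept when leases are deleted; consider "Discard A and PTR records when lease is deleted".')
}

''
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from any domain-joined management host with RSAT installed; it needs read access to the DHCP server and to Active Directory but changes nothing. A hit on the privileged-group check is the case Curt describes, and the fix is the dedicated-account procedure from the quoted TechNet text, followed by rotating the admin password that was stored in the DHCP credential store.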