Re: Attaching DHCP Server Management to Fixed TCP Port




"Juergen Kluth" <jkluth@xxxxxxxxxxx> wrote in message
news:u$KssK%23gIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
If you look to secure the network,
I would think only elementary services should be reachable via the Internet at
all (a web server for instance);
there may be enough ways to access your DHCP server via VPN.

There is no vpn. There is no Internet access. I'm referring to
management of the DHCP server by machines behind our firewall only.

I cannot control when someone goes to a bad website and downloads an ActiveX
control that compromises their computer. The computer behind our firewall that
I trusted yesterday might today become a drone doing work for someone
outside our network. The worst threats usually come from inside your
networks, from computers you were previously able to trust, that switched
sides overnight and became tools for the bad guys to use against you.
It's easy to build a Maginot line against the computer you knew was your
enemy from day one. It's a much harder and more subtle thing to protect
against a computer you are supposed to trust.

The most secure solution is one that locks the DHCP Server management port
to a single fixed port location, and a firewall on the DHCP server that
opens only that one port. Then if my client is compromised I have given it
minimal attack surface on the computer it has direct access to. If I expose
a range of dynamic ports, the compromised client with RPC access can use
(and attack) *any* code running as a server on the computer that uses a
dynamic RPC port. It can in many cases install a trojan on the target
computer by writing a viral payload to a shared file system and then send a
service start command to the targeted computer. I lost 60% of the servers
in my DMZ and not a small number internally from a single trojan that did
exactly that, so for me this is no longer a very theoretical subject.

Based on the lack of response I am gathering that the Windows 2003 DHCP
Server Management port cannot be locked down to a fixed location and must be
left dynamic.

--
Will
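A hardening script of the kind the post is asking for, added here as an example; it is not part of the original thread and is not Microsoft's guidance for the DHCP service specifically. It does not pin the DHCP management interface to one port (the thread concludes that cannot be done). Instead it does the next best thing the post's reasoning points at: it narrows the RPC dynamic port range the server hands out, using the documented HKLM\Software\Microsoft\Rpc\Internet registry values, and then has the Windows Server 2003 host firewall admit TCP 135 and that narrowed range only from the listed management hosts, so a compromised ordinary client cannot reach any RPC server on the machine. The management addresses, the 5000-5100 range, and running it from an elevated prompt on a Windows Server 2003 box with the built-in firewall are assumptions for illustration.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2003
# with its built-in firewall (legacy "netsh firewall" syntax), run from an
# elevated prompt. Management hosts and port range are constructed placeholders.
$ManagementHosts = @('10.0.0.10', '10.0.0.11')   # assumed admin workstations
$RpcPortStart    = 5000                           # assumed narrowed RPC range
$RpcPortEnd      = 5100

# 1. Make the RPC runtime hand out dynamic endpoints only from the narrowed
#    range (documented Rpc\Internet values; takes effect after a reboot).
#    Every RPC server on the box, DHCP management included, shares this range,
#    which is exactly why step 4 restricts who may reach it.
$key = 'HKLM\Software\Microsoft\Rpc\Internet'
& reg.exe add $key /v Ports /t REG_MULTI_SZ /d "$RpcPortStart-$RpcPortEnd" /f
& reg.exe add $key /v PortsInternetAvailable /t REG_SZ /d Y /f
& reg.exe add $key /v UseInternetPorts /t REG_SZ /d Y /f

# 2. Turn the host firewall on; any inbound port not opened below is dropped.
& netsh firewall set opmode mode=ENABLE

# 3. The DHCP service itself must stay reachable by every client, and DISCOVER
#    arrives as a broadcast, so UDP 67 is opened for all scopes.
& netsh firewall add portopening protocol=UDP port=67 'name=DHCP Server' mode=ENABLE scope=ALL

# 4. The RPC endpoint mapper (TCP 135) and the narrowed dynamic range are
#    opened only for the management hosts. netsh takes one port per rule, so
#    the range is added in a loop.
$scope = $ManagementHosts -join ','
& netsh firewall add portopening protocol=TCP port=135 'name=RPC Endpoint Mapper (mgmt only)' mode=ENABLE scope=CUSTOM "addresses=$scope"
foreach ($p in $RpcPortStart..$RpcPortEnd) {
    & netsh firewall add portopening protocol=TCP "port=$p" "name=RPC dynamic $p (mgmt only)" mode=ENABLE scope=CUSTOM "addresses=$scope"
}

# 5. Review what is actually exposed before rebooting to apply the RPC change.
& netsh firewall show portopening
```

The check worth running afterwards is from a non-management client: a connection attempt to TCP 135 on the DHCP server should be refused or time out, while the DHCP MMC from a listed management host still works. The residual risk the post describes remains for the management hosts themselves: if one of those is compromised, it can still reach every RPC server in the narrowed range, so the list should be short and those machines treated as the high-value assets they are.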




