Re: Attaching DHCP Server Management to Fixed TCP Port



On Mar 12, 2:46 am, "Will" <westes-...@xxxxxxxxxxxxxx> wrote:
"Juergen Kluth" <jkl...@xxxxxxxxxxx> wrote in message

news:u$KssK%23gIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx

If you look to secure the network,
I would think only elementary services should be reachable via the Internet at
all (a web server for instance).
There may be enough ways to access your DHCP server via VPN.

There is no vpn.   There is no Internet access.   I'm referring to
management of the DHCP server by machines behind our firewall only.

I cannot control when someone goes to a bad website and downloads an ActiveX
control that compromises their computer.   The computer behind our firewall that
I trusted yesterday might today become a drone doing work for someone
outside our network.    The worst threats usually come from inside your
networks, from computers you were previously able to trust, that switched
sides overnight and became tools for the bad guys to use against you.
It's easy to build a Maginot line against the computer you knew was your
enemy from day one.   It's a much harder and more subtle thing to protect
against a computer you are supposed to trust.

The most secure solution is one that locks the DHCP Server management port
to a single fixed port location, and a firewall on the DHCP server that
opens only that one port.   Then if my client is compromised I have given it
minimal attack surface on the computer it has direct access to.  If I expose
a range of dynamic ports, the compromised client with RPC access can use
(and attack) *any* code running as a server on the computer that uses a
dynamic RPC port.   It can in many cases install a trojan on the target
computer by writing a viral payload to a shared file system and then send a
service start command to the targeted computer.    I lost 60% of the servers
in my DMZ and not a small number internally from a single trojan that did
exactly that, so for me this is no longer a very theoretical subject.

Based on the lack of response I am gathering that the Windows 2003 DHCP
Server Management port cannot be locked down to a fixed location and must be
left dynamic.

--
Will

If it's security that you are worried about and clients on your
network that you can't trust, then why don't you look at locking down
their machines and quit trying to reinvent the wheel? You can control
whether or not a client can download ActiveX via Group Policy. Matter
of fact, you can do just about anything, from a security standpoint.
And the article that was linked to you originally:

http://support.microsoft.com/kb/154596/en-us

Explicitly states:

You should open up a range of ports above port 5000. Port numbers
below 5000 may already be in use by other applications and could cause
conflicts with your DCOM application(s). Furthermore, previous
experience shows that a minimum of 100 ports should be opened, because
several system services rely on these RPC ports to communicate with
each other.

Note: The minimum number of ports may differ from computer to computer
and depends on the configuration of the computer. <----- Have you
even tried the regedit that was within this article and seen how many
open ports you can get away with? If it's an attack surface that you
are worried about, then I would start there, because your q's have been
answered. If it's bad users, then you'll need to develop a new
strategy as to how to keep your network secure. Start w/ a locked
down GPO and go with it.

Matt
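The registry change Matt is pointing at (KB 154596) is the one concrete knob the thread offers for shrinking the dynamic RPC port range so a host firewall can be narrowed around it. The script below is an added example, not code from either poster or from Microsoft; it writes the three values the KB describes under HKLM\SOFTWARE\Microsoft\Rpc\Internet, enforces the KB's guidance (range above 5000, at least 100 ports), and, after the required reboot, lists TCP listeners that still fall outside the range so you can see what a port-range firewall rule would miss. The range 5000-5100, the function names and the use of netstat for portability are assumptions of this example, not from the page.

```powershell
# Added example (not from the thread). Apply the KB 154596 RPC port restriction
# and audit listeners afterwards. Run elevated; a reboot is needed before the
# RPC runtime honours the new range.

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcPortRange {
    param(
        [Parameter(Mandatory = $true)][int]$Start,
        [Parameter(Mandatory = $true)][int]$End
    )
    # Sanity checks taken from the KB text quoted in the thread.
    if ($Start -lt 5000) { throw 'KB 154596 recommends a range starting at or above port 5000' }
    if (($End - $Start + 1) -lt 100) { throw 'KB 154596 recommends opening at least 100 ports' }

    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

    # Ports (REG_MULTI_SZ): one or more ranges, e.g. 5000-5100.
    New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # PortsInternetAvailable = Y: the listed ports are the ones made available.
    # UseInternetPorts = Y: allocate dynamic endpoints only from that list.
    New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcPortRange {
    # Returns the configured range(s), or $null when the key has never been set.
    if (-not (Test-Path $rpcKey)) { return $null }
    (Get-ItemProperty -Path $rpcKey).Ports
}

function Get-ListenersOutsideRange {
    param([int]$Start, [int]$End)
    # Post-reboot audit: every TCP listener above 1024 that is not inside the
    # configured range is an endpoint a range-based firewall rule would not
    # cover, so it is either a fixed-port service to allow explicitly or
    # something to investigate. netstat is used so this also works on hosts
    # without Get-NetTCPConnection.
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[1]
            if ($port -gt 1024 -and ($port -lt $Start -or $port -gt $End)) {
                New-Object PSObject -Property @{ Port = $port; ProcessId = [int]$Matches[2] }
            }
        }
    }
}

# Assumed range for this example; pick one that suits the host.
Set-RpcPortRange -Start 5000 -End 5100
"Configured RPC range: $(Get-RpcPortRange)"
# After rebooting, run the audit:
# Get-ListenersOutsideRange -Start 5000 -End 5100 | Sort-Object Port | Format-Table -AutoSize
```

This only narrows the dynamic endpoint mapper range; the host firewall rule that allows TCP 135 plus the configured range (and nothing else) from the management hosts is the other half of what Will describes, and has to be written separately for whichever firewall the server runs.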


