ActiveDir.org is the home of the Active Directory Discussions Mailing List which was started in January 2001 with the aim of providing a forum for discussing various aspects of Microsoft's Active Directory technology. Since then the list has grown to a membership of over 1000 subscribers and 5000 site members.  The list has become extremely active, and includes many of the foremost experts in Active Directory.

The Archives

Subject: [ActiveDir] Unauthorized W2K DHCP services still start
dloder | Posts: 151 | 11/06/2008 4:16 PM
Anyone ever notice this?

I've discovered numerous W2K servers in my forest that are offering Windows DHCP services.  We've confirmed they are Windows DHCP servers and not a third party DHCP server.

Since our corporate standard is QIP, we've never authorized a single DHCP server, so our Config - Services - NetServices container is completely empty.  Including not containing the CN=DhcpRoot object.

What we've found is that when a W2K DHCP server starts, it queries AD for the DhcpRoot object.  AD appropriately returns a not-found response, yet the DHCP server still starts and logs an "authorized" event.  We've also verified that Microsoft changed that behavior at some point because a W2K3 DHCP server appropriately logs an "unauthorized" event and does not start successfully.

I'm just wondering if that is everyone else's expectation for how the rogue DHCP protection is supposed to work.  That at least for W2K, rogue DHCP protection doesn't work at all until at least one DHCP server has been authorized, because that causes the DhcpRoot object to be created in addition to creating an entry for the specific DHCP server.

I was unaware that the possibility for this condition existed.

Gil | Posts: 316 | 11/06/2008 4:56 PM
Are the DHCP services running on member servers or DCs? I seem to recall some difference in the authorization behavior in the case they were on DCs.

-gil

TG | Posts: 364 | 11/06/2008 5:08 PM
If it runs on DC it is automatically authorized.

Thank you, Tony.


Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 |
USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com



dloder | Posts: 151 | 11/10/2008 8:24 AM
These are regular member servers.

amulnick | Posts: 170 | 11/11/2008 5:14 PM
That would be a bug. In W2K. Have you considered a workaround of authorizing a server account and then just destroying the machine? Could be a DC if you're concerned someone might try and take the computer account from you.

You may also want to ping Microsoft support and see if there's a patch for that.

dloder | Posts: 151 | 11/12/2008 8:32 AM
That was my point.  How many people are aware this bug exists?  I doubt many do.  I was convinced they couldn't possibly be running W2K DHCP services until I finally took the time to duplicate it for myself.  Rogue DHCP server suppression is broken right out of the box for W2K SP4 member servers until at least the DhcpRoot object has been created.

A patch doesn't do any good, since by definition, rogue DHCP servers are already rogue, and W2K is already into extended support so little incentive for a rogue admin to apply a hotfix / service pack that would have / should have included a fix.

"Here, please install this hotfix.  It will disable the service you've been running for the past nine years."

So yes, we're planning on authorizing a W2K3 DHCP server.  Only difficulty in that is, who knows what critical infrastructure has been stood up in the past nine years that relies on this bug to continue working.  The people who make widgets get mad when they can't make widgets[1].  And it's actually handheld widget tracking hardware that already relies on the "known" rogue DHCP servers - and their attempts to upgrade that infrastructure from W2K to W2K3 that brought to light they already had unauthorized W2K DHCP servers and they couldn't understand why W2K3 was "broken" (from their point of view).

[1] Of course it's even worse when people stop buying the widgets my company makes, as is evidenced by the news on a daily basis lately.



amulnick | Posts: 170 | 11/12/2008 8:36 AM
Dude. You've got issues :)

From my perspective, the biggest issue is that you have uncontrolled entities that are being relied on for critical functions. My usual take on that is that you need to identify those critical functions that rely on the non-conformist infrastructure. Once you can identify that which is already there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers that are required for widgetmaking. Then you can remove them one by one until you are reliant on approved and supported dhcp servers.

Al

dloder | Posts: 151 | 11/12/2008 9:23 AM
The only saving grace is these are W2K servers.  So we're able to read SC with just an authenticated user and see who has the service running.  Definitive list created.

The widgetmakers decide who stays and who goes, and our QIP admins have a new job to do to be delegated gatekeepers for the authorization of Windows DHCP servers.



dloder | Posts: 151 | 11/19/2008 8:56 AM
Just to close the loop on this.  No one has to manage authorizations at all.

The DisableRogueDetection registry value has apparently been around since W2K SP2.

http://support.microsoft.com/kb/297847

Free speech beer DHCP for everyone!

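An added inventory script, written for this thread and not posted by any participant or taken from Microsoft, that does the reconciliation dloder describes: it reads CN=NetServices in the Configuration NC for CN=DhcpRoot and the authorized dHCPClass objects, asks each candidate server's SCM whether DHCPServer is running (the "read SC" check), and optionally looks for the DisableRogueDetection value from KB 297847, since a server with that set will serve leases whatever the authorization list says. Assumed, because the page does not state them: that authorized objects are named by server FQDN, that the registry value sits under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters, and the constructed sample hostnames; the AD and W2K SCM queries need only an authenticated user, the registry read needs admin rights on the target.

```powershell
<#
  Added example (not from the thread). Reconciles servers that actually run the
  Windows DHCP Server service against the AD authorization list, and flags the
  two conditions discussed above: CN=DhcpRoot absent (nothing ever authorized),
  and DisableRogueDetection set (KB 297847).
  Assumptions not stated on the page: authorized servers are dHCPClass objects
  under CN=NetServices named by server FQDN; the registry value lives under
  HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
#>
param(
    # Constructed sample hostnames; replace with your own server inventory,
    # e.g. from Get-ADComputer -Filter 'OperatingSystem -like "*Server*"'.
    [string[]]$Servers = @('srv-w2k-01.corp.example', 'srv-w2k3-02.corp.example'),
    [switch]$CheckRegistry   # remote registry read normally needs admin rights
)

# --- 1. Authorization list from the Configuration NC (authenticated user is enough)
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$netSvc   = [ADSI]"LDAP://CN=NetServices,CN=Services,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($netSvc)
$searcher.Filter      = '(objectClass=dHCPClass)'
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dhcpServers'))

$authorized      = @{}      # lowercase FQDN -> raw dhcpServers record
$dhcpRootPresent = $false
foreach ($entry in $searcher.FindAll()) {
    $cn = [string]$entry.Properties['cn'][0]
    if ($cn -eq 'DhcpRoot') { $dhcpRootPresent = $true; continue }
    $rec = ''
    if ($entry.Properties['dhcpServers'].Count -gt 0) { $rec = [string]$entry.Properties['dhcpServers'][0] }
    $authorized[$cn.ToLowerInvariant()] = $rec
}
if (-not $dhcpRootPresent) {
    Write-Warning 'CN=DhcpRoot is absent: no DHCP server has ever been authorized in this forest.'
    Write-Warning 'W2K DHCP servers still start in this state, so every RUNNING service below is unauthorized.'
}

# --- 2. Service state via the SCM. W2K grants query access to authenticated users,
#     which is what made the "definitive list" possible without admin rights.
#     Note: plain 'sc' is the PowerShell alias for Set-Content, so call sc.exe.
function Get-DhcpServiceState([string]$Server) {
    $text = (& sc.exe "\\$Server" query DHCPServer 2>&1 | Out-String)
    if ($text -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }   # RUNNING, STOPPED, ...
    if ($text -match 'FAILED 1060')             { return 'NOT_INSTALLED' }
    if ($text -match 'FAILED 5')                { return 'ACCESS_DENIED' }
    return 'UNREACHABLE'
}

# --- 3. Optional: DisableRogueDetection (remote registry, admin rights required)
function Get-RogueDetectionDisabled([string]$Server) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters')  # assumed path
        if ($null -eq $key) { return $false }
        return ([int]($key.GetValue('DisableRogueDetection', 0)) -ne 0)
    } catch { return $null }   # null = could not read; never treat that as "clean"
}

$report = foreach ($s in $Servers) {
    $state  = Get-DhcpServiceState $s
    $isAuth = $authorized.ContainsKey($s.ToLowerInvariant())
    # A running service with no authorization object is the thread's condition.
    # ACCESS_DENIED / UNREACHABLE need follow-up rather than being assumed clean.
    if ($state -eq 'RUNNING' -and -not $isAuth) { $finding = 'ROGUE: running, not authorized' }
    elseif ($state -eq 'RUNNING')               { $finding = 'authorized' }
    else                                        { $finding = $state.ToLower() }
    $regFlag = 'not checked'
    if ($CheckRegistry) { $regFlag = Get-RogueDetectionDisabled $s }
    [pscustomobject]@{
        Server                = $s
        DhcpService           = $state
        AuthorizedInAD        = $isAuth
        DisableRogueDetection = $regFlag
        Finding               = $finding
    }
}
$report | Sort-Object Finding | Format-Table -AutoSize
```

Run it with -CheckRegistry from an admin account to catch servers that are "authorized" in AD but have switched rogue detection off entirely; servers the SCM query cannot reach belong on the follow-up list, not the clean list.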
amulnick | Posts: 170 | 11/19/2008 9:21 AM
Bummer. NAC? :)

On Wed, Nov 19, 2008 at 8:52 AM, David Loder <dloder@yahoo.com> wrote:

> Just to close the loop on this. No one has to manage authorizations at
> all.
>
> The DisableRogueDetection registry value has apparently been around since
> W2K SP2.
>
> http://support.microsoft.com/kb/297847
>
> Free speech beer DHCP for everyone!
>
> --- On *Wed, 11/12/08, David Loder <dloder@yahoo.com>* wrote:
>
> From: David Loder <dloder@yahoo.com>
> Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
> To: ActiveDir@mail.activedir.org
> Date: Wednesday, November 12, 2008, 9:18 AM
>
>
> The only saving grace is these are W2K servers. So we're able to read
> SC with just an authenticated user and see who has the service running.
> Definitive list created.
>
> The widgetmakers decide who stays and who goes, and our QIP admins have a
> new job to do to be delegated gatekeepers for the authorization of Windows
> DHCP servers.
>
> ------------------------------
> Date: Wed, 12 Nov 2008 08:33:28 -0500
> From: amulnick@gmail.com
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
>
> Dude. You've got issues :)
>
> From my perspective, the biggest issue is that you have uncontrolled
> entities that are being relied on for critical functions. My usual take on
> that is that you need to identify those critical functions that rely on the
> non-conformist infrastructure. Once you can identify that which is already
> there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers
> that are required for widgetmaking. Then you can remove them one by one
> until you are reliant on approved and supported dhcp servers.
>
> Al
>
> On Wed, Nov 12, 2008 at 8:28 AM, David Loder <dloder@yahoo.com> wrote:
>
> That was my point. How many people are aware this bug exists? I doubt
> many do. I was convinced they couldn't possibly be running W2K DHCP
> services until I finally took the time to duplicate it for myself. Rogue
> DHCP server suppression is broken right out of the box for W2K SP4 member
> servers until at least the DhcpRoot object has been created.
>
> A patch doesn't do any good, since by definition, rogue DHCP servers are
> already rogue, and W2K is already into extended support so little incentive
> for a rouge admin to apply a hotfix / service pack that would have / should
> have included a fix.
>
> "Here, please install this hotfix. It will disable the service you've been
> running for the past nine years."
>
> So yes, we're planning on authorizing a W2K3 DHCP server. Only difficulty
> in that is, who knows what critical infrastructure has been stood up in the
> past nine years that relies on this bug to continue working. The people who
> make widgets get mad when they can't make widgets[1]. And it's actually
> handheld widget tracking hardware that already relies on the "known" rogue
> DHCP servers - and their attempts to upgrade that infrastructure from W2K to
> W2K3 that brought to light they already had unauthorized W2K DHCP servers
> and they couldn't understand why W2K3 was "broken" (from their point of
> view).
>
> [1] Of course it's even worse when people stop buying the widgets my company
> makes, as is evidenced by the news on a daily basis lately.
>
>
>
> --- On *Tue, 11/11/08, Al Mulnick <amulnick@gmail.com>* wrote:
>
> From: Al Mulnick <amulnick@gmail.com>
> Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
> To: ActiveDir@mail.activedir.org
> Date: Tuesday, November 11, 2008, 5:11 PM
>
>
> That would be a bug. In W2K. Have you considered a workaround of
> authorizing a server account and then just destroying the machine? Could be
> a DC if you're concerned someone might try and take the computer account
> from you.
>
> You may also want to ping Microsoft support and see if there's a patch for
> that.
>
> On Thu, Nov 6, 2008 at 4:12 PM, David Loder <dloder@yahoo.com> wrote:
>
> Anyone ever notice this?
>
> I've discovered numerous W2K servers in my forest that are offering Windows
> DHCP services. We've confirmed they are Windows DHCP servers and not a
> third party DHCP server.
>
> Since our corporate standard is QIP, we've never authorized a single DHCP
> server, so our Config - Services - NetServices container is completely
> empty. Including not containing the CN=DhcpRoot object.
>
> What we've found is that when a W2K DHCP server starts, it queries AD for
> the DhcpRoot object. AD appropriately returns a not-found response, yet the
> DHCP server still starts and logs an "authorized" event. We've also
> verified that Microsoft changed that behavior at some point because a W2K3
> DHCP server appropriately logs an "unauthorized" event and does not start
> successfully.
>
> I'm just wondering if that is everyone else's expectation for how the rogue
> DHCP protection is supposed to work. That at least for W2K, rogue DHCP
> protection doesn't work at all until at least one DHCP server has been
> authorized, because that causes the DhcpRoot object to be created in
> addition to creating an entry for the specific DHCP server.
>
> I was unaware that the possibility for this condition existed.
>
>
>
>
>
>
>
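The thread turns on one object: CN=DhcpRoot under CN=NetServices,CN=Services in the Configuration NC, which only comes into existence when the first DHCP server is authorized. The script below is an added example (not code from the thread or from Microsoft) that reports that state for the forest you are joined to: whether DhcpRoot exists, what registrations it carries, and which per-server objects sit beside it. It assumes a domain-joined host, any authenticated user (the container is readable by default) and PowerShell 2.0 or later; the object class name dHCPClass and the attribute dhcpServers come from the AD schema and should be checked against your own forest before you act on the output.

```powershell
# Added example (not from the thread): report the DHCP authorization state held
# in the forest Configuration NC. Assumptions: domain-joined host, authenticated
# user, PowerShell 2.0+. dHCPClass / dhcpServers are schema names to verify.

function Get-DhcpAuthorizationState {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $netSvcDn = "CN=NetServices,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$netSvcDn")
    $searcher.Filter      = "(objectClass=dHCPClass)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@("cn", "dhcpServers", "whenCreated"))

    $all      = @($searcher.FindAll())
    $dhcpRoot = $all | Where-Object { $_.Properties["cn"][0] -eq "DhcpRoot" } | Select-Object -First 1
    $servers  = @($all | Where-Object { $_.Properties["cn"][0] -ne "DhcpRoot" })

    # Registrations kept on DhcpRoot itself: raw multi-valued strings, one per server
    $rootEntries = @()
    if ($dhcpRoot) { $rootEntries = @($dhcpRoot.Properties["dhcpServers"]) }

    New-Object PSObject -Property @{
        NetServicesDn   = $netSvcDn
        DhcpRootExists  = ($dhcpRoot -ne $null)
        DhcpRootEntries = $rootEntries
        # Per-server objects created alongside DhcpRoot when a server is authorized
        ServerObjects   = @($servers | ForEach-Object { $_.Properties["cn"][0] })
    }
}

$state = Get-DhcpAuthorizationState
$state | Format-List NetServicesDn, DhcpRootExists, ServerObjects, DhcpRootEntries
if (-not $state.DhcpRootExists) {
    $msg = "No CN=DhcpRoot under {0}: per this thread a W2K DHCP server still starts and logs 'authorized' in this state." -f $state.NetServicesDn
    Write-Warning $msg
}
```

An empty NetServices container is the exact condition David describes: nothing is authorized, so nothing on W2K is ever refused. Once any server has been authorized, ServerObjects and DhcpRootEntries should agree with each other; a server object with no matching DhcpRoot entry (or vice versa) is worth a second look.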

dloderUser is Offline

Posts:151

11/19/2008 10:03 AM  
I'm sure we'll get there at some point this century.

--- On Wed, 11/19/08, Al Mulnick <amulnick@gmail.com> wrote:

From: Al Mulnick <amulnick@gmail.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org
Date: Wednesday, November 19, 2008, 9:17 AM


Bummer.  NAC? :)


On Wed, Nov 19, 2008 at 8:52 AM, David Loder <dloder@yahoo.com> wrote:

Just to close the loop on this.  No one has to manage authorizations at all.

The DisableRogueDetection registry value has apparently been around since W2K SP2.

http://support.microsoft.com/kb/297847

Free speech beer DHCP for everyone!

--- On Wed, 11/12/08, David Loder <dloder@yahoo.com> wrote:

From: David Loder <dloder@yahoo.com>

Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org
Date: Wednesday, November 12, 2008, 9:18 AM


The only saving grace is these are W2K servers.  So we're able to read SC with just an authenticated user and see who has the service running.  Definitive list created.

The widgetmakers decide who stays and who goes, and our QIP admins have a new job to do to be delegated gatekeepers for the authorization of Windows DHCP servers.



Date: Wed, 12 Nov 2008 08:33:28 -0500
From: amulnick@gmail.com
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start


Dude.  You've got issues :)

From my perspective, the biggest issue is that you have uncontrolled entities that are being relied on for critical functions.  My usual take on that is that you need to identify those critical functions that rely on the non-conformist infrastructure.  Once you can identify that which is already there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers that are required for widgetmaking. Then you can remove them one by one until you are reliant on approved and supported dhcp servers.

Al


On Wed, Nov 12, 2008 at 8:28 AM, David Loder <dloder@yahoo.com> wrote:

That was my point.  How many people are aware this bug exists?  I doubt many do.  I was convinced they couldn't possibly be running W2K DHCP services until I finally took the time to duplicate it for myself.  Rogue DHCP server suppression is broken right out of the box for W2K SP4 member servers until at least the DhcpRoot object has been created.

A patch doesn't do any good, since by definition, rogue DHCP servers are already rogue, and W2K is already into extended support so little incentive for a rogue admin to apply a hotfix / service pack that would have / should have included a fix.

"Here, please install this hotfix.  It will disable the service you've been running for the past nine years."

So yes, we're planning on authorizing a W2K3 DHCP server.  Only difficulty in that is, who knows what critical infrastructure has been stood up in the past nine years that relies on this bug to continue working.  The people who make widgets get mad when they can't make widgets[1].  And it's actually handheld widget tracking hardware that already relies on the "known" rogue DHCP servers - and their attempts to upgrade that infrastructure from W2K to W2K3 that brought to light they already had unauthorized W2K DHCP servers and they couldn't understand why W2K3 was "broken" (from their point of view).

[1] Of course it's even worse when people stop buying the widgets my company makes, as is evidenced by the news on a daily basis lately.



--- On Tue, 11/11/08, Al Mulnick <amulnick@gmail.com> wrote:

From: Al Mulnick <amulnick@gmail.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start

To: ActiveDir@mail.activedir.org
Date: Tuesday, November 11, 2008, 5:11 PM


That would be a bug. In W2K.  Have you considered a workaround of authorizing a server account and then just destroying the machine? Could be a DC if you're concerned someone might try and take the computer account from you.

You may also want to ping Microsoft support and see if there's a patch for that.


On Thu, Nov 6, 2008 at 4:12 PM, David Loder <dloder@yahoo.com> wrote:

Anyone ever notice this?

I've discovered numerous W2K servers in my forest that are offering Windows DHCP services.  We've confirmed they are Windows DHCP servers and not a third party DHCP server.

Since our corporate standard is QIP, we've never authorized a single DHCP server, so our Config - Services - NetServices container is completely empty.  Including not containing the CN=DhcpRoot object.

What we've found is that when a W2K DHCP server starts, it queries AD for the DhcpRoot object.  AD appropriately returns a not-found response, yet the DHCP server still starts and logs an "authorized" event.  We've also verified that Microsoft changed that behavior at some point because a W2K3 DHCP server appropriately logs an "unauthorized" event and does not start successfully.

I'm just wondering if that is everyone else's expectation for how the rogue DHCP protection is supposed to work.  That at least for W2K, rogue DHCP protection doesn't work at all until at least one DHCP server has been authorized, because that causes the DhcpRoot object to be created in addition to creating an entry for the specific DHCP server.

I was unaware that the possibility for this condition existed.
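Two host-side facts from this post are worth checking together: David got his definitive list by querying the service controller on each W2K box as an ordinary authenticated user, and KB 297847 (linked above) documents the DisableRogueDetection value under the DHCP Server service parameters, which switches the AD check off entirely. The script below is an added example, not code from the thread or from the KB, that walks a list of hosts and reports the DHCPServer service state plus that registry value. It assumes WMI (RPC) and the Remote Registry service are reachable; the service query works for an authenticated user on W2K as the post says, while the remote registry read normally needs local administrator rights on the target. The registry path is the one cited in KB 297847: HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters, value DisableRogueDetection (REG_DWORD).

```powershell
# Added example (not from the thread): audit candidate hosts for the DHCP Server
# service (service name DHCPServer) and the DisableRogueDetection override from
# KB 297847. Assumptions: WMI and Remote Registry reachable, PowerShell 2.0+.

function Get-DhcpServerHostState {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        $svc = $null; $rogueOff = $null; $err = $null

        # Service controller view: is the DHCP Server service present, and running?
        try {
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $c `
                                 -Filter "Name='DHCPServer'" -ErrorAction Stop
        } catch { $err = $_.Exception.Message }

        # Only hosts that actually have the service are worth a registry round-trip
        if ($svc) {
            try {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
                $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters')
                if ($key) { $rogueOff = $key.GetValue('DisableRogueDetection') }   # $null if not set
                $hklm.Close()
            } catch { $err = $_.Exception.Message }
        }

        $state = $null; $mode = $null
        if ($svc) { $state = $svc.State; $mode = $svc.StartMode }

        New-Object PSObject -Property @{
            ComputerName          = $c
            ServiceInstalled      = ($svc -ne $null)
            ServiceState          = $state
            StartMode             = $mode
            DisableRogueDetection = $rogueOff    # 1 means the AD authorization check is bypassed
            Error                 = $err
        }
    }
}

# Usage: feed it the server list you already have, keep the ones offering DHCP
Get-DhcpServerHostState -ComputerName (Get-Content .\w2k-servers.txt) |
    Where-Object { $_.ServiceState -eq 'Running' } |
    Format-Table ComputerName, StartMode, DisableRogueDetection, Error -AutoSize
```

A host that is Running with DisableRogueDetection set to 1 will keep serving addresses even after a W2K3 server has been authorized and DhcpRoot exists, so the registry column matters as much as the service column when deciding which boxes the authorization step will actually switch off.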

listmailUser is Offline

Posts:831

11/19/2008 11:04 AM  
Just deploy dhcploc out to the sites and keep a set of unpatched
Windows 2000 vulns handy so when you find those machines you can hack them
and drop them in their tracks...


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder
Sent: Wednesday, November 19, 2008 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start



I'm sure we'll get there at some point this century.

--- On Wed, 11/19/08, Al Mulnick <amulnick@gmail.com> wrote:


From: Al Mulnick <amulnick@gmail.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org
Date: Wednesday, November 19, 2008, 9:17 AM


Bummer. NAC? :)


On Wed, Nov 19, 2008 at 8:52 AM, David Loder <dloder@yahoo.com> wrote:



Just to close the loop on this. No one has to manage authorizations at all.

The DisableRogueDetection registry value has apparently been around since
W2K SP2.

http://support.microsoft.com/kb/297847

Free speech beer DHCP for everyone!

--- On Wed, 11/12/08, David Loder <dloder@yahoo.com> wrote:


From: David Loder <dloder@yahoo.com>

Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org

Date: Wednesday, November 12, 2008, 9:18 AM



The only saving grace is these are W2K servers. So we're able to read SC
with just an authenticated user and see who has the service running.
Definitive list created.

The widgetmakers decide who stays and who goes, and our QIP admins have a
new job to do to be delegated gatekeepers for the authorization of Windows
DHCP servers.


_____

Date: Wed, 12 Nov 2008 08:33:28 -0500
From: amulnick@gmail.com
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start


Dude. You've got issues :)

From my perspective, the biggest issue is that you have uncontrolled
entities that are being relied on for critical functions. My usual take on
that is that you need to identify those critical functions that rely on the
non-conformist infrastructure. Once you can identify that which is already
there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers
that are required for widgetmaking. Then you can remove them one by one
until you are reliant on approved and supported dhcp servers.

Al


On Wed, Nov 12, 2008 at 8:28 AM, David Loder <dloder@yahoo.com> wrote:



That was my point. How many people are aware this bug exists? I doubt many
do. I was convinced they couldn't possibly be running W2K DHCP services
until I finally took the time to duplicate it for myself. Rogue DHCP server
suppression is broken right out of the box for W2K SP4 member servers until
at least the DhcpRoot object has been created.

A patch doesn't do any good, since by definition, rogue DHCP servers are
already rogue, and W2K is already into extended support so little incentive
for a rogue admin to apply a hotfix / service pack that would have / should
have included a fix.

"Here, please install this hotfix. It will disable the service you've been
running for the past nine years."

So yes, we're planning on authorizing a W2K3 DHCP server. Only difficulty
in that is, who knows what critical infrastructure has been stood up in the
past nine years that relies on this bug to continue working. The people who
make widgets get mad when they can't make widgets[1]. And it's actually
handheld widget tracking hardware that already relies on the "known" rogue
DHCP servers - and their attempts to upgrade that infrastructure from W2K to
W2K3 that brought to light they already had unauthorized W2K DHCP servers
and they couldn't understand why W2K3 was "broken" (from their point of
view).

[1] Of course it's even worse when people stop buying the widgets my company
makes, as is evidenced by the news on a daily basis lately.



--- On Tue, 11/11/08, Al Mulnick <amulnick@gmail.com> wrote:


From: Al Mulnick <amulnick@gmail.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start

To: ActiveDir@mail.activedir.org

Date: Tuesday, November 11, 2008, 5:11 PM


That would be a bug. In W2K. Have you considered a workaround of
authorizing a server account and then just destroying the machine? Could be
a DC if you're concerned someone might try and take the computer account
from you.

You may also want to ping Microsoft support and see if there's a patch for
that.


On Thu, Nov 6, 2008 at 4:12 PM, David Loder <dloder@yahoo.com> wrote:



Anyone ever notice this?

I've discovered numerous W2K servers in my forest that are offering Windows
DHCP services. We've confirmed they are Windows DHCP servers and not a
third party DHCP server.

Since our corporate standard is QIP, we've never authorized a single DHCP
server, so our Config - Services - NetServices container is completely
empty. Including not containing the CN=DhcpRoot object.

What we've found is that when a W2K DHCP server starts, it queries AD for
the DhcpRoot object. AD appropriately returns a not-found response, yet the
DHCP server still starts and logs an "authorized" event. We've also
verified that Microsoft changed that behavior at some point because a W2K3
DHCP server appropriately logs an "unauthorized" event and does not start
successfully.

I'm just wondering if that is everyone else's expectation for how the rogue
DHCP protection is supposed to work. That at least for W2K, rogue DHCP
protection doesn't work at all until at least one DHCP server has been
authorized, because that causes the DhcpRoot object to be created in
addition to creating an entry for the specific DHCP server.

I was unaware that the possibility for this condition existed.
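The AD authorization list only says who is allowed to answer; dhcploc, which joe mentions, finds out who actually does answer on a segment by soliciting offers. The script below is an added example of that same on-the-wire check, written here rather than taken from the thread or from the dhcploc tool: it broadcasts one DHCPDISCOVER with a random client hardware address and transaction ID, then collects every DHCPOFFER that comes back and reports the responding server (option 54, or the source address if absent) and the address it offered. It assumes you run it on the segment being surveyed from a statically addressed host with the Windows DHCP Client service stopped, because that service holds UDP/68 and the bind will otherwise fail; on a multi-homed host the broadcast leaves on the default interface only.

```powershell
# Added example (not dhcploc itself): solicit DHCPOFFERs on the local segment and
# list every server that responds. Assumptions: DHCP Client service stopped so
# UDP/68 is free, static address, PowerShell 2.0+, run as a local administrator.

function Parse-DhcpOptions([byte[]]$data) {
    # Options start right after the 4-byte magic cookie at offset 236
    $opts = @{}; $i = 240
    while ($i -lt $data.Length) {
        $code = [int]$data[$i]
        if ($code -eq 255) { break }            # end option
        if ($code -eq 0)   { $i++; continue }   # pad
        if ($i + 1 -ge $data.Length) { break }  # truncated
        $len = [int]$data[$i + 1]
        if ($i + 1 + $len -ge $data.Length) { break }
        if ($len -eq 0) { $opts[$code] = @() } else { $opts[$code] = $data[($i + 2)..($i + 1 + $len)] }
        $i += 2 + $len
    }
    $opts
}

function Find-DhcpResponders {
    param([int]$TimeoutSeconds = 5)
    $rnd = New-Object System.Random
    $xid = New-Object byte[] 4; $rnd.NextBytes($xid)
    $mac = New-Object byte[] 6; $rnd.NextBytes($mac); $mac[0] = 0x02   # locally administered, unicast

    $pkt = New-Object byte[] 300
    $pkt[0] = 1; $pkt[1] = 1; $pkt[2] = 6                   # BOOTREQUEST, Ethernet, hlen 6
    [Array]::Copy($xid, 0, $pkt, 4, 4)                      # xid
    $pkt[10] = 0x80                                         # flags: ask for a broadcast reply
    [Array]::Copy($mac, 0, $pkt, 28, 6)                     # chaddr
    [Array]::Copy([byte[]](99, 130, 83, 99), 0, $pkt, 236, 4)  # DHCP magic cookie
    $pkt[240] = 53; $pkt[241] = 1; $pkt[242] = 1            # option 53 = DHCPDISCOVER
    $pkt[243] = 255                                         # end

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                                [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
    $udp.Client.Bind((New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 68)))
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = 1000
    $null = $udp.Send($pkt, $pkt.Length, (New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Broadcast, 67)))

    $seen = @{}
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        try { $data = $udp.Receive([ref]$from) } catch { continue }     # receive timeout: keep waiting
        if ($data.Length -lt 244 -or $data[0] -ne 2) { continue }       # want BOOTREPLY
        if ([BitConverter]::ToInt32($data, 4) -ne [BitConverter]::ToInt32($xid, 0)) { continue }  # not our xid
        $opts = Parse-DhcpOptions $data
        if ($opts.ContainsKey(53) -and $opts[53].Count -gt 0 -and $opts[53][0] -eq 2) {  # DHCPOFFER
            $server = $from.Address.ToString()
            if ($opts.ContainsKey(54) -and $opts[54].Count -eq 4) { $server = $opts[54] -join '.' }
            $seen[$server] = ($data[16..19] -join '.')                  # yiaddr: the address offered
        }
    }
    $udp.Close()
    $seen.GetEnumerator() | ForEach-Object {
        New-Object PSObject -Property @{ Server = $_.Key; OfferedAddress = $_.Value }
    }
}

Find-DhcpResponders -TimeoutSeconds 5 | Format-Table Server, OfferedAddress -AutoSize
```

Anything this returns that is neither a QIP server nor on the authorized list from AD is a live rogue, whatever its event log says about being "authorized". The probe only sees servers on the broadcast domain it runs in, so it has to be repeated per segment, which is the "deploy it out to the sites" part.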

Copyright 2014 ActiveDir.org