dloder | Posts: 149 | 11/06/2008 4:16 PM
Anyone ever notice this?
I've discovered numerous W2K servers in my forest that are offering Windows DHCP services. We've confirmed they are Windows DHCP servers and not a third party DHCP server.
Since our corporate standard is QIP, we've never authorized a single DHCP server, so our Config - Services - NetServices container is completely empty. Including not containing the CN=DhcpRoot object.
What we've found is that when a W2K DHCP server starts, it queries AD for the DhcpRoot object. AD appropriately returns a not-found response, yet the DHCP server still starts and logs an "authorized" event. We've also verified that Microsoft changed that behavior at some point because a W2K3 DHCP server appropriately logs an "unauthorized" event and does not start successfully.
I'm just wondering if that is everyone else's expectation for how the rogue DHCP protection is supposed to work. That at least for W2K, rogue DHCP protection doesn't work at all until at least one DHCP server has been authorized, because that causes the DhcpRoot object to be created in addition to creating an entry for the specific DHCP server.
I was unaware that the possibility for this condition existed.
Gil | Posts: 316 | 11/06/2008 4:56 PM
Are the DHCP services running on member servers or DCs? I seem to recall some difference in the authorization behavior in the case they were on DCs.
-gil
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Thursday, November 06, 2008 2:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Unauthorized W2K DHCP services still start
TG | Posts: 360 | 11/06/2008 5:08 PM
If it runs on DC it is automatically authorized.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x50526 | Fax 847.554.1574 tony dot gordon at hewitt dot com | www.hewitt.com
From: "Gil Kirkpatrick" <Gil.Kirkpatrick@quest.com> To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org> Date: 11/06/2008 03:52 PM Subject: RE: [ActiveDir] Unauthorized W2K DHCP services still start Sent by: ActiveDir-owner@mail.activedir.org
dloder | Posts: 149 | 11/10/2008 8:24 AM
These are regular member servers.
amulnick | Posts: 169 | 11/11/2008 5:14 PM
That would be a bug. In W2K. Have you considered a workaround of authorizing a server account and then just destroying the machine? Could be a DC if you're concerned someone might try and take the computer account from you.
You may also want to ping Microsoft support and see if there's a patch for that.
dloder | Posts: 149 | 11/12/2008 8:32 AM
That was my point. How many people are aware this bug exists? I doubt many do. I was convinced they couldn't possibly be running W2K DHCP services until I finally took the time to duplicate it for myself. Rogue DHCP server suppression is broken right out of the box for W2K SP4 member servers until at least the DhcpRoot object has been created.
A patch doesn't do any good, since by definition, rogue DHCP servers are already rogue, and W2K is already into extended support so little incentive for a rogue admin to apply a hotfix / service pack that would have / should have included a fix.
"Here, please install this hotfix. It will disable the service you've been running for the past nine years."
So yes, we're planning on authorizing a W2K3 DHCP server. Only difficulty in that is, who knows what critical infrastructure has been stood up in the past nine years that relies on this bug to continue working. The people who make widgets get mad when they can't make widgets[*]. And it's actually handheld widget tracking hardware that already relies on the "known" rogue DHCP servers - and their attempts to upgrade that infrastructure from W2K to W2K3 that brought to light they already had unauthorized W2K DHCP servers and they couldn't understand why W2K3 was "broken" (from their point of view).
[*] Of course it's even worse when people stop buying the widgets my company makes, as is evidenced by the news on a daily basis lately.
--- On Tue, 11/11/08, Al Mulnick <amulnick@gmail.com> wrote:
amulnick | Posts: 169 | 11/12/2008 8:36 AM
Dude. You've got issues.
From my perspective, the biggest issue is that you have uncontrolled entities that are being relied on for critical functions. My usual take on that is that you need to identify those critical functions that rely on the non-conformist infrastructure. Once you can identify that which is already there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers that are required for widgetmaking. Then you can remove them one by one until you are reliant on approved and supported dhcp servers.
Al
dloder | Posts: 149 | 11/12/2008 9:23 AM
The only saving grace is these are W2K servers. So we're able to read SC with just an authenticated user and see who has the service running. Definitive list created.
The widgetmakers decide who stays and who goes, and our QIP admins have a new job to do to be delegated gatekeepers for the authorization of Windows DHCP servers.
dloder | Posts: 149 | 11/19/2008 8:56 AM
Just to close the loop on this. No one has to manage authorizations at all.
The DisableRogueDetection registry value has apparently been around since W2K SP2.
http://support.microsoft.com/kb/297847
Free speech beer DHCP for everyone!
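The thread touches three checks a defender would want to script rather than do by hand: what the configuration partition says is authorized (the NetServices container and its CN=DhcpRoot object from the opening post), which hosts actually have the DHCPServer service running (the "read SC" check from the 11/12 post), and whether DisableRogueDetection has been set on a given box (the KB 297847 value above). The script below is an added example written for this page; it is not code from the thread, the list members, or Microsoft. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), that per-server dHCPClass objects are named by the server's FQDN, and that DisableRogueDetection lives under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters, which is how I recall the KB article and should be verified against it. The $Candidates list is constructed.

```powershell
<#
Added example (not from the thread): audit Windows DHCP authorization state.
  1. Enumerate dHCPClass objects under CN=NetServices,CN=Services,CN=Configuration
     and note whether CN=DhcpRoot exists at all.
  2. Read the DHCPServer service state on each candidate host via the SCM.
  3. Read the DisableRogueDetection value via the remote registry.
Assumptions: registry path below (from KB 297847 as recalled, verify it);
per-server AD objects are named by FQDN; $Candidates is a constructed list.
Needs: read access to the configuration partition (any authenticated user) and,
for step 3, remote-registry rights on the targets.
#>
param(
    [string[]]$Candidates = @('w2k-dhcp-01', 'w2k-dhcp-02', 'w2k3-dhcp-01')  # constructed names
)

$RogueKeyPath = 'SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'   # assumption, see KB

# 1. Authorized servers according to AD. Returns a hashtable with the DhcpRoot
#    flag and a set of authorized server names (lower-cased FQDNs).
function Get-AdDhcpAuthorization {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $netSvc   = [ADSI]"LDAP://CN=NetServices,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($netSvc)
    $searcher.Filter      = '(objectClass=dHCPClass)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.Add('cn')

    $auth = @{ DhcpRootPresent = $false; Servers = @{} }
    foreach ($res in $searcher.FindAll()) {
        $cn = [string]$res.Properties['cn'][0]
        if ($cn -eq 'DhcpRoot') { $auth.DhcpRootPresent = $true }
        else                    { $auth.Servers[$cn.ToLower()] = $true }
    }
    return $auth
}

# 2. Service state via the Service Control Manager. On W2K an authenticated
#    user can query this, as the thread notes; newer OS versions may deny it.
function Get-DhcpServiceState([string]$Computer) {
    try {
        $svc = Get-Service -ComputerName $Computer -Name 'DHCPServer' -ErrorAction Stop
        return [string]$svc.Status
    } catch { return 'not installed / no access' }
}

# 3. DisableRogueDetection through the remote registry (needs admin rights).
function Get-RogueDetectionSetting([string]$Computer) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey($RogueKeyPath)
        if ($null -eq $key) { return 'key absent' }
        $val = $key.GetValue('DisableRogueDetection')
        if ($null -eq $val) { return 'not set' }
        return "$val"
    } catch { return "unreadable: $($_.Exception.Message)" }
}

$ad = Get-AdDhcpAuthorization
Write-Host ("CN=DhcpRoot present in AD: {0}" -f $ad.DhcpRootPresent)
if (-not $ad.DhcpRootPresent) {
    Write-Host 'No DhcpRoot object: W2K SP4 member servers will start DHCP regardless (see thread).'
}

$report = foreach ($c in $Candidates) {
    $fqdn = try { ([System.Net.Dns]::GetHostEntry($c)).HostName.ToLower() } catch { $c.ToLower() }
    [pscustomobject]@{
        Server                = $fqdn
        DhcpServerService     = Get-DhcpServiceState $c
        AuthorizedInAD        = $ad.Servers.ContainsKey($fqdn)
        DisableRogueDetection = Get-RogueDetectionSetting $c
    }
}

# Anything serving DHCP that AD does not list is rogue by policy, whatever the
# W2K service logged at start-up.
$report | Sort-Object AuthorizedInAD, Server | Format-Table -AutoSize
$report | Where-Object { $_.DhcpServerService -eq 'Running' -and -not $_.AuthorizedInAD } |
    ForEach-Object { Write-Warning "Rogue by policy: $($_.Server)" }
```

For a quick manual spot check of step 2 the equivalent command-line query is `sc \\<server> query DHCPServer`. The AD query in step 1 is the same lookup the W2K service performs at start-up; the point of the script is that the decision about what counts as rogue is made by the auditor against the directory, not by the service's own "authorized" event.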
amulnick | Posts: 169 | 11/19/2008 9:21 AM
Bummer. NAC?
| | | |
| dloder
Posts:149
 | | 11/19/2008 10:03 AM |
| I'm sure we'll get there at some point this century.
--- On Wed, 11/19/08, Al Mulnick <amulnick@gmail.com> wrote:
From: Al Mulnick <amulnick@gmail.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org
Date: Wednesday, November 19, 2008, 9:17 AM
Bummer. NAC? 
On Wed, Nov 19, 2008 at 8:52 AM, David Loder <dloder@yahoo.com> wrote:
Just to close the loop on this. No one has to manage authorizations at all.
The DisableRogueDetection registry value has apparently been around since W2K SP2.
http://support.microsoft.com/kb/297847
Free speech beer DHCP for everyone!
--- On Wed, 11/12/08, David Loder <dloder@yahoo.com> wrote:
From: David Loder <dloder@yahoo.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org
Date: Wednesday, November 12, 2008, 9:18 AM
The only saving grace is these are W2K servers. So we're able to read SC with just an authenticated user and see who has the service running. Definitive list created.
The widgetmakers decide who stays and who goes, and our QIP admins have a new job to do to be delegated gatekeepers for the authorization of Windows DHCP servers.
Date: Wed, 12 Nov 2008 08:33:28 -0500
From: amulnick@gmail.com
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
Dude. You've got issues 
From my perspective, the biggest issue is that you have uncontrolled entities that are being relied on for critical functions. My usual take on that is that you need to identify those critical functions that rely on the non-conformist infrastructure. Once you can identify that which is already there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers that are required for widgetmaking. Then you can remove them one by one until you are reliant on approved and supported dhcp servers.
Al
On Wed, Nov 12, 2008 at 8:28 AM, David Loder <dloder@yahoo.com> wrote:
That was my point. How many people are aware this bug exists? I doubt many do. I was convinced they couldn't possibly be running W2K DHCP services until I finally took the time to duplicate it for myself. Rogue DHCP server suppression is broken right out of the box for W2K SP4 member servers until at least the DhcpRoot object has been created.
A patch doesn't do any good, since by definition, rogue DHCP servers are already rogue, and W2K is already into extended support so little incentive for a rogue admin to apply a hotfix / service pack that would have / should have included a fix.
"Here, please install this hotfix. It will disable the service you've been running for the past nine years."
So yes, we're planning on authorizing a W2K3 DHCP server. Only difficulty in that is, who knows what critical infrastructure has been stood up in the past nine years that relies on this bug to continue working. The people who make widgets get mad when they can't make widgets[1]. And it's actually handheld widget tracking hardware that already relies on the "known" rogue DHCP servers - and their attempts to upgrade that infrastructure from W2K to W2K3 that brought to light they already had unauthorized W2K DHCP servers and they couldn't understand why W2K3 was "broken" (from their point of view).
[1] Of course it's even worse when people stop buying the widgets my company makes, as is evidenced by the news on a daily basis lately.
--- On Tue, 11/11/08, Al Mulnick <amulnick@gmail.com> wrote:
From: Al Mulnick <amulnick@gmail.com>
Subject: Re: [ActiveDir] Unauthorized W2K DHCP services still start
To: ActiveDir@mail.activedir.org
Date: Tuesday, November 11, 2008, 5:11 PM
That would be a bug. In W2K. Have you considered a workaround of authorizing a server account and then just destroying the machine? Could be a DC if you're concerned someone might try and take the computer account from you.
You may also want to ping Microsoft support and see if there's a patch for that.
On Thu, Nov 6, 2008 at 4:12 PM, David Loder <dloder@yahoo.com> wrote:
Anyone ever notice this?
I've discovered numerous W2K servers in my forest that are offering Windows DHCP services. We've confirmed they are Windows DHCP servers and not a third party DHCP server.
Since our corporate standard is QIP, we've never authorized a single DHCP server, so our Config - Services - NetServices container is completely empty. Including not containing the CN=DhcpRoot object.
What we've found is that when a W2K DHCP server starts, it queries AD for the DhcpRoot object. AD appropriately returns a not-found response, yet the DHCP server still starts and logs an "authorized" event. We've also verified that Microsoft changed that behavior at some point because a W2K3 DHCP server appropriately logs an "unauthorized" event and does not start successfully.
I'm just wondering if that is everyone else's expectation for how the rogue DHCP protection is supposed to work. That at least for W2K, rogue DHCP protection doesn't work at all until at least one DHCP server has been authorized, because that causes the DhcpRoot object to be created in addition to creating an entry for the specific DHCP server.
I was unaware that the possibility for this condition existed.
| | | |
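The two checks the thread turns on, as an added example that is not the poster's code and not Microsoft's: first, whether CN=DhcpRoot exists under CN=NetServices,CN=Services in the Configuration partition and which authorized-server objects sit beside it (the original post's observation that the container was empty); second, the "read SC with just an authenticated user" sweep that produced the definitive list, extended to read DisableRogueDetection off each W2K box. It assumes Windows PowerShell 5.1 on a domain-joined host, that the targets answer SCM and Remote Registry reads, and that the registry value lives under the DHCP Server service's Parameters key (an assumption; check it against the KB the post links). The script only reads.

```powershell
# Added example for this thread (not the poster's code, not Microsoft's).
# Read-only: (1) AD authorization state, (2) per-host DHCPServer service state
# plus the DisableRogueDetection value on Windows 2000 computers.
# Assumed: Windows PowerShell 5.1, domain-joined host, Remote Registry reachable,
# value path = HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.

function Get-DhcpAuthorizationState {
    $rootDse     = [ADSI]'LDAP://RootDSE'
    $configNc    = [string]$rootDse.configurationNamingContext
    $netServices = [ADSI]"LDAP://CN=NetServices,CN=Services,$configNc"

    $dhcpRootExists = $false
    $authorized     = @()
    foreach ($child in $netServices.Children) {
        # DhcpRoot is created on the first authorization; each authorized server
        # then gets its own dHCPClass object next to it.
        if ($child.SchemaClassName -ne 'dHCPClass') { continue }
        $cn = [string]$child.Properties['cn'].Value
        if ($cn -eq 'DhcpRoot') { $dhcpRootExists = $true; continue }
        $authorized += [pscustomobject]@{
            Name        = $cn
            DhcpServers = @($child.Properties['dhcpServers'] | ForEach-Object { [string]$_ })
        }
    }
    [pscustomobject]@{
        DhcpRootExists    = $dhcpRootExists
        AuthorizedServers = $authorized
    }
}

function Get-W2kDhcpServiceState {
    # Windows 2000 computers in the current domain (run once per domain in a
    # multi-domain forest), then the same SCM query sc.exe makes, plus the registry.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=computer)(operatingSystem=Windows 2000*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')

    foreach ($hit in $searcher.FindAll()) {
        $name = [string]$hit.Properties['dnshostname'][0]
        if (-not $name) { continue }
        $status = $null; $rogueDetectionDisabled = $null; $err = $null
        try {
            $status = (Get-Service -ComputerName $name -Name DHCPServer -ErrorAction Stop).Status.ToString()
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
            $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters')
            if ($key) { $rogueDetectionDisabled = $key.GetValue('DisableRogueDetection') }
            $hklm.Close()
        } catch {
            # no DHCPServer service, host unreachable, or Remote Registry denied
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Computer              = $name
            DhcpServerService     = $status
            DisableRogueDetection = $rogueDetectionDisabled
            Error                 = $err
        }
    }
}

# Usage: what AD says is authorized, next to which W2K hosts actually serve DHCP.
$ad = Get-DhcpAuthorizationState
"DhcpRoot present: $($ad.DhcpRootExists); authorized server objects: $($ad.AuthorizedServers.Count)"
Get-W2kDhcpServiceState |
    Where-Object { $_.DhcpServerService -eq 'Running' } |
    Format-Table Computer, DhcpServerService, DisableRogueDetection -AutoSize
```

A host that shows Running with DhcpRootExists false is exactly the condition the post describes; a host with DisableRogueDetection set to 1 will keep serving even after a W2K3 server is authorized and DhcpRoot appears, which is why the registry column belongs in the list.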
| listmail
Posts:831
 | | 11/19/2008 11:04 AM |
| Just deploy dhcploc out to the sites and keep a handy set of unpatched Windows 2000 vulns handy so when you find those machines you can hack them and drop them in their tracks...
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
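The dhcploc approach suggested above, as an added example that is not the poster's code and not Microsoft's dhcploc: a PowerShell script that broadcasts one DHCPDISCOVER on the local subnet, collects every OFFER, and flags any server whose server identifier (option 54) is not on an allow-list. The addresses in $Authorized, the dummy client MAC and the time-out are made-up assumptions. It assumes an elevated Windows PowerShell session on a host with a static address, because the DHCP Client service otherwise holds UDP/68; like dhcploc, it has to run on each subnet, since a client broadcast is not relayed back to you.

```powershell
# Added example for this thread (not the poster's code, not Microsoft's dhcploc).
# Broadcast a DHCPDISCOVER, collect DHCPOFFERs, flag servers not in $Authorized.
# Assumed: static-IP host, elevated session, made-up allow-list and client MAC.
param(
    [string[]]$Authorized = @('10.0.0.5', '10.0.0.6'),   # assumed QIP/Windows DHCP addresses
    [int]$TimeoutSeconds = 5
)

function New-DhcpDiscover {
    # Minimal BOOTREQUEST. The broadcast flag (0x8000) makes servers broadcast the
    # OFFER instead of unicasting it to the dummy MAC, so this socket can see it.
    $xid = New-Object byte[] 4
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($xid)
    $chaddr = [byte[]](0x02, 0x00, 0x5E, 0x00, 0x00, 0x01)   # locally administered, made up
    $p = New-Object 'System.Collections.Generic.List[byte]'
    $p.AddRange([byte[]](1, 1, 6, 0))                 # op=BOOTREQUEST htype=Ethernet hlen=6 hops=0
    $p.AddRange($xid)                                 # xid
    $p.AddRange([byte[]](0, 0, 0x80, 0))              # secs=0, flags=BROADCAST
    $p.AddRange((New-Object byte[] 16))               # ciaddr, yiaddr, siaddr, giaddr = 0
    $p.AddRange($chaddr); $p.AddRange((New-Object byte[] 10))   # chaddr padded to 16
    $p.AddRange((New-Object byte[] 192))              # sname (64) + file (128)
    $p.AddRange([byte[]](99, 130, 83, 99))            # magic cookie
    $p.AddRange([byte[]](53, 1, 1))                   # option 53: DHCPDISCOVER
    $p.AddRange([byte[]](55, 3, 1, 3, 6))             # option 55: ask for mask, router, DNS
    $p.Add(255)                                       # end
    return ,$p.ToArray()
}

function Get-DhcpOption {
    param([byte[]]$Packet, [int]$Code)
    $i = 240                                          # 236-byte fixed header + 4-byte cookie
    while ($i -lt $Packet.Length) {
        $opt = [int]$Packet[$i]
        if ($opt -eq 255) { break }                   # end
        if ($opt -eq 0) { $i++; continue }            # pad
        if ($i + 1 -ge $Packet.Length) { break }      # truncated option
        $len = [int]$Packet[$i + 1]
        if ($opt -eq $Code) {
            if ($len -eq 0) { return @() }
            return [byte[]]$Packet[($i + 2)..($i + 1 + $len)]
        }
        $i += 2 + $len
    }
    return $null
}

function Find-DhcpServers {
    param([string[]]$Authorized, [int]$TimeoutSeconds)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.ExclusiveAddressUse = $false
    $udp.EnableBroadcast = $true
    $udp.Client.Bind((New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 68)))
    $udp.Client.ReceiveTimeout = 1000

    $discover = New-DhcpDiscover
    $xid = [BitConverter]::ToString($discover[4..7])
    $bcast = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Broadcast, 67)
    [void]$udp.Send($discover, $discover.Length, $bcast)

    $seen = @{}
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try { $reply = $udp.Receive([ref]$from) } catch [System.Net.Sockets.SocketException] { continue }
        # keep only BOOTREPLYs that answer our xid
        if ($reply.Length -lt 241 -or $reply[0] -ne 2) { continue }
        if ([BitConverter]::ToString($reply[4..7]) -ne $xid) { continue }
        $sid = Get-DhcpOption -Packet $reply -Code 54
        if ($null -eq $sid -or $sid.Count -ne 4) { continue }
        $server  = (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$sid)).ToString()
        $offered = (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$reply[16..19])).ToString()
        if ($Authorized -contains $server) { $state = 'authorized' } else { $state = 'NOT AUTHORIZED' }
        $seen[$server] = [pscustomobject]@{
            Server         = $server
            ReplyFrom      = $from.Address.ToString()
            OfferedAddress = $offered
            Status         = $state
        }
    }
    $udp.Close()
    $seen.Values
}

Find-DhcpServers -Authorized $Authorized -TimeoutSeconds $TimeoutSeconds | Format-Table -AutoSize
```

Matching on option 54 rather than on the UDP source address matters because a relay or a multi-homed server can answer from an address other than its server identifier; the identifier is what clients will use for the REQUEST, so it is the value to compare with the allow-list. The OFFER does not consume an address for long, so running this periodically per site is cheap.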
|
|