Unauthorized W2K DHCP services still start

  • Last Post 19 November 2008
dloder posted this 06 November 2008

Anyone ever notice this?
I've discovered numerous W2K servers in my forest that are offering Windows DHCP services.  We've confirmed they are Windows DHCP servers and not a third party DHCP server.
Since our corporate standard is QIP, we've never authorized a single DHCP server, so our Config - Services - NetServices container is completely empty.  Including not containing the CN=DhcpRoot object.
What we've found is that when a W2K DHCP server starts, it queries AD for the DhcpRoot object.  AD appropriately returns a not-found response, yet the DHCP server still starts and logs an "authorized" event.  We've also verified that Microsoft changed that behavior at some point because a W2K3 DHCP server appropriately logs an "unauthorized" event and does not start successfully.
I'm just wondering if that is everyone else's expectation for how the rogue DHCP protection is supposed to work.  That at least for W2K, rogue DHCP protection doesn't work at all until at least one DHCP server has been authorized, because that causes the DhcpRoot object to be created in addition to creating an entry for the specific DHCP server.
I was unaware that the possibility for this condition existed.


Order By: Standard | Newest | Votes
Gil posted this 06 November 2008

Are the DHCP services running on member servers or DCs? I seem to recall some difference in the authorization behavior in the case they were on DCs.



TG posted this 06 November 2008

If it runs on DC it is automatically authorized.

Thank you, Tony.

Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 |
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com


dloder posted this 10 November 2008

These are regular member servers.

--- On Thu, 11/6/08, Tony Gordon <Tony.Gordon@hewitt.com> wrote:


amulnick posted this 11 November 2008

That would be a bug. In W2K. Have you considered a workaround of
authorizing a server account and then just destroying the machine? Could be
a DC if you're concerned someone might try and take the computer account
from you.

You may also want to ping Microsoft support and see if there's a patch for


dloder posted this 12 November 2008

That was my point.  How many people are aware this bug exists?  I doubt many do.  I was convinced they couldn't possibly be running W2K DHCP services until I finally took the time to duplicate it for myself.  Rogue DHCP server suppression is broken right out of the box for W2K SP4 member servers until at least the DhcpRoot object has been created.
A patch doesn't do any good, since by definition, rogue DHCP servers are already rogue, and W2K is already into extended support so little incentive for a rouge admin to apply a hotfix / service pack that would have / should have included a fix.
"Here, please install this hotfix.  It will disable the service you've been running for the past nine years."
So yes, we're planning on authorizing a W2K3 DHCP server.  Only difficulty in that is, who knows what critical infrastructure has been stood up in the past nine years that relies on this bug to continue working.  The people who make widgets get mad when they can't make widgets[1].  And its actually handheld widget tracking hardware that already relies on the "known" rogue DHCP servers - and their attempts to upgrade that infrastructure from W2K to W2K3 that brought to light they already had unauthorized W2K DHCP servers and they couldn't understand why W2K3 was "broken" (from their point of view).
[1]Of course it's even worse when people stop buying the widgets my company makes, as is evidenced by the news on a daily basis lately.

--- On Tue, 11/11/08, Al Mulnick <amulnick@gmail.com> wrote:


amulnick posted this 12 November 2008

Dude. You've got issues :)

>From my perspective, the biggest issue is that you have uncontrolled
entities that are being relied on for critical functions. My usual take on
that is that you need to identify those critical functions that rely on the
non-conformist infrastructure. Once you can identify that which is already
there, you can then initiate the 2k3 entry and authorize the 2k dhcp servers
that are required for widgetmaking. Then you can remove them one by one
until you are reliant on approved and supported dhcp servers.



dloder posted this 12 November 2008

The only saving grace is these are W2K servers.  So we're able to read SC with just an authenticated user and see who has the service running.  Definitive list created.
The widgetmakers decide who stays and who goes, and our QIP admins have a new job to do to be delegated gatekeepers for the authorization of Windows DHCP servers.

Date: Wed, 12 Nov 2008 08:33:28 -0500


dloder posted this 19 November 2008

Just to close the loop on this.  No one has to manage authorizations at all.
The DisableRogueDetection registry value has apparently been around since W2K SP2.
Free speech beer DHCP for everyone!

--- On Wed, 11/12/08, David Loder <dloder@yahoo.com> wrote:


amulnick posted this 19 November 2008

Bummer. NAC? :)


dloder posted this 19 November 2008

I'm sure we'll get there at some point this century.

--- On Wed, 11/19/08, Al Mulnick <amulnick@gmail.com> wrote:


listmail posted this 19 November 2008

Just deploy dhcploc out to the sites and keep a handy set of unpatched
Windows 2000 vulns handy so when you find those machines you can hack them
and drop them in their tracks...

O'Reilly Active Directory Third Edition -