Can Windows NT DHCP be un-authenticated in AD?
RZetlin
Inactive Imported Users Posts: 155
I am looking at this practice question, which says that Windows NT domains are being upgraded to Active Directory on Windows 2003. It asks how to remove or disable the DHCP servers running on Windows NT.
One option is to un-authenticate the Windows NT DHCP server in Active Directory.
Can this option be done?
Comments
Danman32 Member Posts: 1,243
NT knows nothing about AD, so it can't be authorized or unauthorized as DHCP service on a W2K or W2K3, which is why I find that a joke. How is that going to prevent someone adding a $50 broadband router that has a built-in DHCP service, or a Linux box?
What are the remaining possible answers?
sprkymrk Member Posts: 4,884
Danman32 wrote:
NT knows nothing about AD, so it can't be authorized or unauthorized as DHCP service on a W2K or W2K3, which is why I find that a joke. How is that going to prevent someone adding a $50 broadband router that has a built-in DHCP service, or a Linux box?

You need to use layered security measures such as policies, IDS, MAC security on switches and physical security to stop the other issues you mentioned.
All things are possible, only believe.
RZetlin Inactive Imported Users Posts: 155
Here are my options:
a) Un-authenticate DHCP servers running on Windows NT in AD
b) Filter out ports 67 and 68
c) Change DHCP IP address for each client from NT DHCP server to Windows 2003 DHCP server
d) Manually have to track down each Windows NT DHCP server and remove it from the network.
Option C is possible but if you're dealing with 1000 clients it becomes an impossible job. So no.
Option B might work if all you're doing is disabling the Windows NT DHCP servers but this will cause issues with Windows 2003 DHCP Servers.
Option D seems the only logical choice.
sprkymrk Member Posts: 4,884
RZetlin wrote:
Here are my options:
a) Un-authenticate DHCP servers running on Windows NT in AD
b) Filter out ports 67 and 68
c) Change DHCP IP address for each client from NT DHCP server to Windows 2003 DHCP server
d) Manually have to track down each Windows NT DHCP server and remove it from the network.
Option C is possible but if you're dealing with 1000 clients it becomes an impossible job. So no.
Option B might work if all you're doing is disabling the Windows NT DHCP servers but this will cause issues with Windows 2003 DHCP Servers.
Option D seems the only logical choice.

b) Only works if clients are crossing a filtering device such as a router or firewall to get their IPs - not likely as most default to not passing DHCP broadcasts anyway.
c) Won't work - DHCP request (DHCPDISCOVER) is broadcast to all DHCP servers listening. First response wins.
d) Correct. Pain in the butt, but correct.
All things are possible, only believe.
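
Tracking down the leftover servers (option d) can start from a packet capture, because every DHCPOFFER or DHCPACK names the responding server in option 54. The following is an added example, not code from the thread: the function names, the 192.0.2.x addresses and the sample replies are constructed, and it assumes you already have the UDP payloads of server replies from a capture.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
DHCPOFFER, DHCPACK = 2, 5            # values of option 53 (message type)

def parse_dhcp_reply(payload):
    """Return (message_type, server_id, offered_ip) for one BOOTREPLY payload."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP server reply")      # op 2 = server to client
    offered_ip = str(ipaddress.IPv4Address(payload[16:20]))   # yiaddr field
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:                 # server identifier
            server_id = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg_type, server_id, offered_ip

def find_unauthorized_servers(payloads, authorized):
    """Map each responding server not in `authorized` to the addresses it handed out."""
    found = {}
    for payload in payloads:
        try:
            msg_type, server_id, offered_ip = parse_dhcp_reply(payload)
        except ValueError:
            continue                                     # skip non-DHCP or damaged payloads
        if msg_type in (DHCPOFFER, DHCPACK) and server_id not in authorized:
            found.setdefault(server_id or "unknown", set()).add(offered_ip)
    return found

def build_reply(msg_type, server_ip, offered_ip):
    """Build a minimal constructed reply so the example runs offline."""
    fixed = bytearray(b"\x02\x01\x06" + bytes(233))      # op, htype, hlen, rest zeroed
    fixed[16:20] = ipaddress.IPv4Address(offered_ip).packed
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return bytes(fixed) + MAGIC_COOKIE + options

# Constructed capture: 192.0.2.10 stands in for the authorized Windows 2003 server.
SAMPLE = [build_reply(DHCPOFFER, "192.0.2.10", "192.0.2.101"), b"not dhcp",
          build_reply(DHCPOFFER, "192.0.2.77", "192.0.2.201"),
          build_reply(DHCPACK, "192.0.2.77", "192.0.2.201")]
print(find_unauthorized_servers(SAMPLE, {"192.0.2.10"}))
```

The server address it reports is the starting point for locating the machine, for example through the switch's MAC address table.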
Danman32 Member Posts: 1,243
Think of DHCP this way:
A bar gets a phone call. It is Jim's wife. Bartender shouts in the bar 'I have a phone call for Jim. Is there a Jim who will take the call?' If there is a Jim, he will take the call. If there are a few people in the bar named Jim, the first one to get his hands on the phone will take the call.
The bartender does not go around tapping everyone's shoulder, asking if their name is Jim, nor was he given a list of which guys had the name Jim before he took the call.
You can't stop someone who is not Jim from falsely answering the call or at least attempting to (you could check his ID once he responds, but not prevent the response), nor can you prevent the wrong Jim from responding.
jasonboche Member Posts: 167
Danman32 wrote:
Think of DHCP this way:
A bar gets a phone call. It is Jim's wife.

Boo
Hiss
It would be a much better analogy if the person who called the bar asked for Amanda Hugginkiss.
Bartender: "Is there Amanda Hugginkiss here? Anyone? I need Amanda Hugginkiss..."
VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
Danman32 Member Posts: 1,243
Yes, I thought of that, but that would simulate having no DHCP server at all, as there is no such person as Amanda Hugginkiss.
The analogy needed an ACK response from a DHCP server.
I know, I get too serious at times.