DHCP authorize

What is the benefit of authorizing DHCP servers?

In the MS press book it mentions that if you have two or more DHCP servers and one of them is authorized, the non-authorized will stop providing addresses.

What if all your DHCP servers are non-authorized???

What is the benefit of having authorized DHCP servers?

Thanks in advance

Find more posts tagged with

Comments

royal

If I remember correctly, if you have a non-authorized DHCP server, if it's Windows Server 2003, if it detects another authorized DHCP server is handing out IP Addresses, it will halt handing out IPs. So authorizing a DHCP server allows it to authoritatively hand out IP Addresses. Of course you could run a VM, have your own domain, authorize your DHCP server, have that VM bridged to the external network, and have it hand out IPs as a rogue DHCP server, but that's a no-no.

Goldmember

Thanks for the tip.

I did some research and it also helps with security. If you have a list of authorized servers, then only servers in the domain can dole out IP addresses. If the servers are all stand alone DHCP I guess security doesn't matter as much.

What if somebody joins your domain with Windows machine and tries to become DHCP server? You can stop him by using authorized DHCP servers.

I'm not sure how this would help if somebody with a Linux box decides to become a DHCP server on your Windows network. I think the Linux box might decide who gets what, depending on who responds to the client request for address first.

That would be a good way to spoof somebody.

dynamik

This technet article covers DHCP authorization pretty well: http://technet2.microsoft.com/windowsserver/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true

sprkymrk

As far as security, you're right - it only stops other Windows machines from handing out IP addresses. If someone throws a DLINK cable router (or anything else that can hand out IP's) you're still going to have a mess.

Mishra

Does anyone know how much, if any, DHCP traffic you get on your outside interface?

sprkymrk

Shouldn't get any as far as I know. Unless of course you're on a dynamic assignment from your ISP maybe. By default the routers won't pass DHCP (or any) broadcasts.

Mishra

sprkymrk wrote:

Shouldn't get any as far as I know. Unless of course you're on a dynamic assignment from your ISP maybe. By default the routers won't pass DHCP (or any) broadcasts.

Yeah they shouldn't, but I was just wondering if sometimes they trickle down maybe due to some DHCP hacking.