unable to pick up an address

Discussion in 'Networks' started by Boycie, Nov 3, 2006.

  1. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    That would depend on how the available resources have been locked down. For example giving full control to the *everyone group* would allow these unauthenticated users access. That is one reason why you should control access to resources such as shares using *authenticated users* or something more specific than just everyone (all and sundry).
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  2. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    I wonder if an IPSec policy would be an option? Whatever the device is that is plugged into the network would get an I.P address but all the traffic would be locked down.

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx

    Even if DHCP is removed there isn’t any reason why a static I.P can’t be used.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Well it wouldn't prevent me from connecting, as one only needs to configure their laptop to respond to IPSec requirements when required. Bob's your uncle, all it does is encrypt the data on the wire. Hence sniffers can't read the traffic but as soon as it gets to the server or other client acting as a server it's unencrypted and back to normal.

    No reason why a static IP can't be used, but it would need to be correctly configured - i.e. not one already in use and with the correct subnet mask etc. A good reason not to choose a common range like 192.168.0.x
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  4. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Getting back to this, it's probably a good idea to have a separate subnet with no routes configured to your main LAN - maybe in a DMZ with its own DHCP scope that serves Ethernet outlets in cupboards or boardrooms, for guests to use. That way you could configure it to allow say web access but be able to keep them away from your corporate LAN servers etc.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  5. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Yup, all the networks I support are on a 10.0.x.x range. The third octet is changed for each remote site and then each site is tunnelled back to HQ. There are a couple of 192.168.x.x networks in there that I have inherited from other companies but I’m not up for completely changing the I.P range for the sake of consistency! :biggrin

    Getting back to Boyce's original point, there appears not to be a simple way to lock down DHCP. Even if you do, expect some more admin work and probably the odd I.P conflict as well! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    Would an unauthenticated user be given access to any resources? Surely they would need an account in AD (as would the machine they are plugging into the hijacked ethernet port)?
     
    Certifications: A+, Network+
    WIP: 70-270
  7. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    No, a user account would be needed, one of the changes between 2k and 2003. There isn't any need for a computer account in AD as you would authenticate with user permissions.

    http://www.windowsecurity.com/articles/Settings_Windows_Server_2003_Secure_Part1.html
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    NTFS and Share permissions are still the same, it's the defaults which have changed. So if someone configures things and changes the default settings you will be in the same boat.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  9. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    So for a random person to gain access to a share, an administrator would have to add the ‘anonymous users’ group to the share permissions as the ‘everyone’ group does not include this? This would also apply to the NTFS permissions.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  10. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    It seems it all depends on how the server is configured. A new install of Server 2003 would not include the anonymous users group in the everyone group as Windows 2000 did, but the person installing Server 2003 may have upgraded Windows 2000 and chosen to make permissions backwards compatible. In this case it would be included. So you need to be aware of this.

    Note; I think they meant Server 2003 not XP ;)

    From here.. http://support.microsoft.com/kb/278259
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Boyce,

    According to the RFC for DHCP, there is nothing stopping an unauthorized computer from obtaining an IP address and other IP configurations. This is why network security through counting exactly how many ports a certain room needs for the authorized computers and designing a proper switched and routed network to maintain security at the physical level is important.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  12. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Yeah, seems to be one of the ‘default’ changes between 2k and 2003, that and some services that are not started automatically. I noticed this the other day when trying to connect to an Exchange Server with POP and the service was disabled. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  13. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Yup, it's hard to keep up, things are changing as we are learning. That is the game, otherwise known as IT :biggrin
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  14. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    @Pete & Sparky,

    Thanks for clearing that up.:blink
     
    Certifications: A+, Network+
    WIP: 70-270
  15. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    great thread. thanks for all the input :thumbleft

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  16. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    One important thing to remember - if anyone has access to an open switchport on your network, and the network infrastructure is not well planned and configured, they will have access to your network, regardless of how you set up your dhcp server.

    Simply sit and listen on the switchport and you will quickly find out the addressing used on the network. Even if the dhcp server doesn't hand out addresses freely, I would find an unused address and use that, very simple to do. And anyway, you don't even need a valid address for many kinds of exploits and mischief. Besides, anybody up to mischief would want as little trace left behind as possible, so getting an address from the dhcp server would often be avoided.

    Turn the switch into a hub and sniff for logins and interesting traffic, dead easy to do, no address needed, and it gives the hacker what he needs to crack the servers.

    The place to secure your dhcp addressing (and your internal network) is on the switch, not the server. Unfortunately, it is a rare company that has a proper, secure network infrastructure. Good infrastructure costs money, and IT budgets are always limited.

    A few things that should be done:
    - Unused switch ports should always be disabled, or at the very least segregated into a separate, untrusted network.

    - Control the switchports. Control access through them, and make sure ports are locked down. There are many options available on quality switches to control the ports. 802.1x is a great tool, an excellent way of managing network access. ACLs (MAC and/or IP), storm control, etc. are also very important, and QoS as well. Rate limiting through CIR and policers can be valuable. Marking inbound traffic (eg DSCP) is essential for QoS, and useful for security as well.

    - Manage the switch topology. Use features like BPDU guard, root guard, etc. to help prevent accidental or malicious topology changes.

    - Monitor your switches. If you don't know what your switches are doing, you have no way of knowing what someone is doing to your switches.

    Some things to consider to secure switches:
    - Dynamic ARP inspection to help prevent arp exploits.
    - DHCP snooping to prevent poisoning the DHCP binding database on the server, and to rate limit the dhcp traffic entering the port.
    - IP source guard to prevent someone spoofing another address on the network.
    - MAC address notification to let you know when something new connects to a port.
    - IGMP filtering to help control multicast joins.

    Sorry for a bit of an off-topic post on switches in a DHCP thread, but I've had clients wonder why they should purchase a $2000 switch for their server farm when they can buy a 24 port rack mount switch for $100 :rolleyes: along with clients that want DHCP "secured" without actually securing the switches. I usually explain that securing DHCP is fine, but unless network access is controlled, it really won't matter much if DHCP is secure.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
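    As an added illustration of three of the switch features Spice_Weasel lists above (DHCP snooping, Dynamic ARP Inspection and IP Source Guard), here is a small Python model of how an access switch applies them. It is not code from this thread or from any switch vendor; the port names, MAC addresses, IP addresses and the binding-table layout are all constructed for the example, and a real switch does the same checks in hardware driven by its own configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping binding: which MAC/IP pair is legitimate on which port."""
    mac: str
    ip: str
    port: str


class SnoopingSwitch:
    """Toy model (constructed for this example) of an access switch running
    DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).

    `trusted` holds the uplink/server-facing ports on which DHCP server
    replies may legitimately arrive; every other port is an untrusted access
    port whose ARP and IP traffic is checked against the learned bindings."""

    def __init__(self, trusted_ports):
        self.trusted = frozenset(trusted_ports)
        self.bindings = {}   # port -> set[Binding], populated from DHCP ACKs
        self.events = []     # audit trail a monitoring system would forward

    def _decide(self, permit, reason):
        self.events.append(("PERMIT" if permit else "DROP") + ": " + reason)
        return permit

    def dhcp_server_reply(self, ingress_port, client_port, client_mac, leased_ip):
        """DHCP snooping: an OFFER/ACK is only honoured from a trusted port;
        a server reply arriving on an access port is a rogue server and is dropped."""
        if ingress_port not in self.trusted:
            return self._decide(False, f"DHCP server reply from untrusted port {ingress_port}")
        self.bindings.setdefault(client_port, set()).add(Binding(client_mac, leased_ip, client_port))
        return self._decide(True, f"binding {client_mac} {leased_ip} learned on {client_port}")

    def arp_reply(self, port, sender_mac, sender_ip):
        """DAI: on an untrusted port the ARP sender MAC/IP must match a binding."""
        if port in self.trusted:
            return self._decide(True, f"ARP on trusted port {port} not inspected")
        if Binding(sender_mac, sender_ip, port) in self.bindings.get(port, set()):
            return self._decide(True, f"ARP {sender_ip} is-at {sender_mac} matches binding on {port}")
        return self._decide(False, f"DAI: {sender_ip} is-at {sender_mac} on {port} has no binding")

    def ip_packet(self, port, src_mac, src_ip):
        """IPSG: on an untrusted port the source MAC/IP must match a binding, so a
        self-assigned 'unused' address is dropped even though it is valid on the subnet."""
        if port in self.trusted:
            return self._decide(True, f"IP from trusted port {port} not filtered")
        if Binding(src_mac, src_ip, port) in self.bindings.get(port, set()):
            return self._decide(True, f"IP {src_ip} from {src_mac} matches binding on {port}")
        return self._decide(False, f"IPSG: {src_ip}/{src_mac} on {port} has no binding")


def run_constructed_scenario():
    """Replays constructed traffic (not captured data) and returns the verdicts in order."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/24"])            # uplink to the real DHCP server
    client, rogue = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:07"  # constructed MAC addresses
    return [
        # 1. real server ACKs the client on Gi0/1 -> binding learned
        sw.dhcp_server_reply("Gi0/24", "Gi0/1", client, "10.0.1.50"),
        # 2. rogue DHCP server on access port Gi0/7 answers the same client -> dropped
        sw.dhcp_server_reply("Gi0/7", "Gi0/1", client, "10.0.1.99"),
        # 3. client's own ARP reply matches its lease -> permitted
        sw.arp_reply("Gi0/1", client, "10.0.1.50"),
        # 4. host on Gi0/7 claims the gateway address (ARP poisoning) -> dropped
        sw.arp_reply("Gi0/7", rogue, "10.0.1.1"),
        # 5. host on Gi0/7 sends IP traffic using the client's leased address -> dropped
        sw.ip_packet("Gi0/7", rogue, "10.0.1.50"),
        # 6. client's IP traffic from its own lease -> permitted
        sw.ip_packet("Gi0/1", client, "10.0.1.50"),
        # 7. host on Gi0/7 picked an unused static address instead of asking DHCP -> dropped
        sw.ip_packet("Gi0/7", rogue, "10.0.1.200"),
    ]


if __name__ == "__main__":
    for verdict, event in zip(run_constructed_scenario(), []):
        pass
    sw_events = SnoopingSwitch(["Gi0/24"])
    print(run_constructed_scenario())  # [True, False, True, False, False, True, False]
```

    Two points from the model worth keeping in mind: IPSG is what turns the "just pick an unused static address" trick into dropped frames, but only on ports where it is enabled and only for hosts that actually got their address via DHCP (statically addressed servers need static bindings or a trusted port), and none of these three features does anything about a host that merely listens on the port, which is where 802.1x and port security come in.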
  17. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Yes, having all unused sockets disconnected at the patch panel. :D Of course this doesn't stop anyone from pulling the plug out from one that is connected though. :rolleyes:
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
