Windows Server 2008 RC0

[mrforgetful]

So I downlaoded it and installed loads of roles to have a look at including;
IIS
DHCP (some random IP range not like the one we use)
DNS
File Server
Print Server
DC

Obviouslty I didn't add it to the domain, but it did have a network cable plugged into the wall that was patched in.

Next day, half a room couldn't log in.

After half an hour of puzzlement looking at the ipconfig on one of the broken machines it hit me like a light bulb, that's the range the 2008 server can allocate!

Promptly turned the 2008 server off, rebooted the PCs and all is well again.

What strikes me as odd though, it that a server that's not part of the domain was able to allocate IP addresses to my PCs.

Thoughts?

[webman]

It doesn't matter if it's part of the domain or not.

http://en.wikipedia.org/wiki/Dhcp_server#DHCP_discovery

[mrforgetful]

So basically I could walk into any network in any place with a DHCP Server on my laptop, plug into a working point and break their entire network?

[dave.81]

The way i've always understood it is anything running DHCP will assign an IP to anything that asks regardless of domain. We have this issue in our boarding house's when kids bring in their broadband routers and plug in rather than a normal switch.

[Simcfc73]

Could it have something to do with the lovely new feature in 2008 called 'Network Access Protection'

I'm quite interested in this but haven't had time to mess with it yet, there seems to be quite a few products coming out using similar stuff including Sophos.

DHCP Enforcement
DHCP Enforcement comprises a DHCP NAP ES component and a DHCP NAP EC component. Using DHCP Enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. Because DHCP Enforcement relies on entries in the IP routing table, it is the weakest form of limited network access in Network Access Protection.

Might be wrong but I HOPE this is what it does.

[mrforgetful]

I wouldn't have thought so.

Basically that is just when a computer does request an address, it is tested for settings to see if it meets requirements for AV, Firewall, Spyware etc etc.
It is then either quarantined, or given access to updates to pass the tests etc.

It's like what you can do with VPNs but on your network.

I would say that's seperate to my issue of IPs being dished out from servers which aren't part of my domain.

[Slartibartfast]

A DHCP server with free addresses will offer an IP address to any network adapter that requests one. The domain is irrelevant. The client sends a broadcast to discover DHCP servers; from the looks of it your 2008 server was the first to respond with an address offer.

[mrforgetful]

Ok so I now understand that it's possible.

Is there not a way to stop it? Is it only me who is slightly disturbed that anyone could come and screw up your entire system logging on with just a laptop?

[vorex]

not even a laptop, any sort of tiny consumer router...we have a problem with students bringing down half the network accidentally way more often then it should.

[FN-GM]

You could use static IP addresses or reserved IP addresses for all devices & have no DHCP server. This would also reduce the risk of outsiders gaining access to the network.

[mattx]

I can't remember the order of the top of my head, but when a client is joining or logging on to a network, there is an order of events it does whilst doing so - example - checks Netbios name, then DNS, then DHCP, then WINs etc - there is more to it than that - I used to have a silly saying in my head to make me remember - all MS clients do it [ I think, well they did up to NT4 or 2000 ] - so if a client sees anything giving out IP addresses then it will go for it unless configured otherwise.
If only I could remember the daft saying that used to remind me what the order was !!!

[ajbritton]

Ok so I now understand that it's possible.

Is there not a way to stop it? Is it only me who is slightly disturbed that anyone could come and screw up your entire system logging on with just a laptop?

If you really want to prevent this, one way would be to use switches that lock themselves to the MAC address of the connected device.

Any ports that are not connected are deactivated automatically.

If a student brought in a laptop and plugged it into an empty port, they would not be able to access the network (and therefore DHCP server would not be able to hand out IP addresses).

If they unplugged a PC and plugged the laptop in, the switch would lock the port out as soon as it detected the new MAC address.

In theory, the only way around this would be the the laptop to spoof the MAC address of the PC that was plugged in. Perfectly possible of course.