How to configure a DHCP server is more secure

Today, a slightly larger enterprise network typically uses a DHCP server to uniformly allocate TCP/IP configuration information to clients. This method not only reduces the maintenance workload of network administrators, but also improves the security of the Enterprise network. However, the security of the DHCP server is not negligible, it once the problem, it will affect the normal operation of the entire network, how to strengthen the management of the DHCP server? In fact, a few simple steps can be achieved.

First, enable DHCP audit logging

What's going on at the DHCP server, and the easiest way for administrators to see the Windows log is by the naked eye, but make sure that the Audit logging feature is enabled for the DHCP server, otherwise you won't be able to find the record in Event Viewer.

The author takes Windows 2000 Server for example, click "Start → program → admin tool →dhcp", pop-up DHCP console window, right click on your server, select "Properties" in the menu, Pop-up Properties Settings dialog box, switch to the "General" tab, make sure to select " Enable DHCP audit logging option, and then click OK.

This enables the DHCP server audit log, whose log files are saved by default in the "C:\WINNT\System32\dhcp" directory. To prevent rogue from malicious deletion of the log, you can modify the storage path of the DHCP log file. Switch to the Advanced tab, click the "Browse" button in the "Audit log path" bar, specify the location of the new log file, and then use the same method to modify the "database path" and finally click "OK". In this way, our DHCP logs are more secure.

Ii. Specifying DHCP management users

In the enterprise network, to strengthen the management of the DHCP server, the network administrator specifies one or more users to administer the DHCP server. If the author wants to specify the account name "CCE" user can manage DHCP, in Windows 2000 Server, Access to "control Panel → Administrative Tools", run the Active Directory Users and Computers tool, in the pop-up window, click the "Users" option, Then locate the "DHCP Administrators" item in the right-hand box, right-click, select Properties, eject the DHCP Administrators Properties dialog box, switch to the Members tab, click the "Add" button, and add the "CCE" User to the list box. Finally click on the "OK" button, so that "CCE" users can manage the DHCP server.

Iii. DHCP Management user restrictions

If a network administrator accidentally does something wrong and adds other users to the DHCP administrative group, those users also have administrative rights to the DHCP server, which can also affect the security of the DHCP server. How do you limit the users of these DHCP management groups? Why not use the domain security policy to add a "double insurance" to the DHCP server.

If the author only allows CCE users of the DHCP management group, the DHCP server has administrative rights, while other users have only read-only permissions. Go to control Panel → Administrative Tools, run the Domain Security Policy tool, eject the Security Policy Console window, expand Windows settings → security → restricted groups, and then right-click in the blank space in the right box, select Add Group, eject the Add Group dialog box, and then type in the column. DHCP Administrators ", click" OK "button.

Then right click on "DHCP Administrators", select "Security", Pop-up Configuration Membership dialog box, then click the "Add" button, add "CCE" user to the member list, finally click "OK".

Through the above three steps, our DHCP server is more secure, interested friends, may wish to try!