Three steps to build a DHCP server

Source: Internet
Author: User

We have been working with the DHCP protocol for some time. Here we explain three steps to build a DHCP server. DHCP is short for Dynamic Host Configuration Protocol. It is part of the TCP/IP protocol suite and is mainly used to assign dynamic IP addresses to network clients. The allocated addresses come from a set of IP addresses that the DHCP server reserves in advance, and they are generally consecutive.

Currently, most enterprise networks use DHCP servers to uniformly allocate TCP/IP configuration information to clients. This method not only reduces the daily maintenance workload of network administrators, but also improves the security of enterprise networks. However, the security of the DHCP server itself cannot be ignored. Once a problem occurs, it affects the normal operation of the entire network. How can we strengthen the management of the DHCP server to ensure its security? It can be done in a few simple steps.

Step 1: Build a DHCP server and enable DHCP audit logging

An administrator cannot tell what has happened on the DHCP server by observation alone. The simplest way is to view the Windows logs; however, make sure that the audit logging function of the DHCP server is enabled first. Otherwise, the corresponding records cannot be found in Event Viewer.

Take Windows 2000 Server as an example. Click Start > Programs > Administrative Tools > DHCP. The DHCP console window is displayed. Right-click your server and choose "Properties" from the menu. In the properties dialog box that pops up, switch to the "General" tab (Figure 1), make sure the "Enable DHCP audit logging" option is selected, and click "OK".

Figure 1: Enabling DHCP audit logging

In this way, audit logging is enabled on the DHCP server, and its log files are stored in the "C:\WINNT\System32\dhcp" directory by default. To prevent unauthorized users from maliciously deleting logs, you can change the path where the DHCP log files are stored. Switch to the "Advanced" tab (Figure 2), click the "Browse" button in the "Audit log path" field, and specify the location where new log files are to be stored. Then use the same method to change the "Database path" and click "OK". In this way, our DHCP logs are more secure.

Figure 2: Modifying the DHCP log storage path
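Once audit logging is on, the log files can be reviewed automatically rather than by eye. The following is an added example, not part of the original article: it assumes the comma-separated layout `ID,Date,Time,Description,IP Address,Host Name,MAC Address` and the event IDs listed in the header of Windows DHCP audit log files, and it runs on a constructed sample instead of a real log.

```python
import csv
from collections import Counter

# Event IDs (as documented in the audit log's own header) worth an alert.
ALERT_IDS = {
    "01": "audit log stopped",
    "02": "audit log paused (low disk space)",
    "13": "address already in use on the network",
    "14": "scope address pool exhausted",
    "15": "lease denied",
}

# Constructed sample data; hosts, addresses and MACs are made up.
# Assumed layout: ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,08:00:01,Started,,,
10,03/14/05,08:02:11,Assign,192.168.1.20,pc-01.example.test,00A0C9112233
11,03/14/05,09:02:11,Renew,192.168.1.20,pc-01.example.test,00A0C9112233
13,03/14/05,09:15:40,Conflict,192.168.1.21,,
10,03/14/05,09:16:02,Assign,192.168.1.22,pc-02.example.test,00A0C9445566
10,03/14/05,09:16:05,Assign,192.168.1.23,pc-03.example.test,00A0C9445566
14,03/14/05,09:20:00,Scope Full,192.168.1.0,,
01,03/14/05,09:30:00,Stopped,,,
"""

def parse_audit_log(text):
    """Return a list of dict rows, skipping the free-text preamble and header."""
    rows = []
    for fields in csv.reader(text.splitlines()):
        # Data rows have 7 fields and a numeric event ID in the first column.
        if len(fields) >= 7 and fields[0].strip().isdigit():
            keys = ("id", "date", "time", "desc", "ip", "host", "mac")
            rows.append(dict(zip(keys, (f.strip() for f in fields[:7]))))
    return rows

def review(rows, max_leases_per_mac=1):
    """Return (alerts, MACs with more new leases than the heuristic limit)."""
    alerts = [(r["date"], r["time"], ALERT_IDS[r["id"]], r["ip"])
              for r in rows if r["id"] in ALERT_IDS]
    new_leases = Counter(r["mac"] for r in rows if r["id"] == "10" and r["mac"])
    greedy = sorted(m for m, n in new_leases.items() if n > max_leases_per_mac)
    return alerts, greedy

if __name__ == "__main__":
    alerts, greedy = review(parse_audit_log(SAMPLE_LOG))
    for a in alerts:
        print(*a)
    print("MACs with multiple new leases:", greedy)
```

A "log stopped" entry that does not coincide with a planned service restart is the record to check first, since it marks a window in which lease activity was not being audited.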

Step 2: Build a DHCP server and specify the DHCP management user

In enterprise networks, to strengthen the management of DHCP servers, the network administrator must designate one or more users to manage them. For example, to designate a user named "CCE" to manage DHCP, go to "Control Panel > Administrative Tools" on the Windows 2000 server and run the "Active Directory Users and Computers" tool. In the window that is displayed, click the "Users" option, find "DHCP Administrators" in the right-hand pane, right-click it, and select "Properties". The "DHCP Administrators Properties" dialog box is displayed. Switch to the "Members" tab, click "Add" to add the "CCE" user to the list box, and click "OK". The "CCE" user can now manage the DHCP server.

Step 3: Build a DHCP server and restrict DHCP management users

If the network administrator accidentally adds other users to the DHCP management group, these users will also have management permissions on the DHCP server, which affects its security. How can we restrict the members of the DHCP management group? We can use the domain security policy to add "double insurance" to the DHCP server.

For example, the author allows only the CCE user in the DHCP management group to have management permissions on the DHCP server, while other users have only "read-only" permissions. Go to "Control Panel > Administrative Tools", run the "Domain Security Policy" tool to open the security policy console window, and expand "Windows Settings > Security Settings > Restricted Groups" in sequence. Right-click the blank area in the right-hand pane and select "Add Group". The "Add Group" dialog box is displayed. Enter "DHCP Administrators" in the field and click "OK".

Right-click "DHCP Administrators" and choose "Security". The "Configure member identity" dialog box is displayed. Then click "Add" to add the "CCE" user to the member list, and click "OK".

After the above three steps, the DHCP server will be more secure. If you are interested, give it a try.
