Large enterprise networks today generally use DHCP servers to centrally allocate TCP/IP configuration information to clients. This not only reduces the maintenance workload of network administrators but also improves the security of the enterprise network. However, the security of the DHCP server itself cannot be ignored: once a problem occurs, the normal operation of the entire network is affected. How can we strengthen the management of the DHCP server? In fact, it takes only a few simple steps.
I. Enable DHCP audit logging
An administrator cannot tell what has happened on the DHCP server just by looking at it. The simplest way is to view the Windows logs; first, however, make sure that the DHCP server's audit logging function is enabled. Otherwise, the corresponding records cannot be found in Event Viewer.
Take Windows 2000 Server as an example. Click Start > Programs > Administrative Tools > DHCP. The DHCP console window is displayed. Right-click your server and choose "Properties" from the menu. In the Properties dialog box that appears, switch to the "General" tab (Figure 1), make sure the "Enable DHCP audit logging" option is selected, and click "OK".
Figure 1: Enabling DHCP audit logging
Audit logging is now enabled on the DHCP server, and its log files are stored in the "C:\WINNT\System32\dhcp" directory by default. To prevent unauthorized users from maliciously deleting logs, you can change the path where the DHCP log files are stored. Switch to the "Advanced" tab (Figure 2), click the "Browse" button next to "Audit log file path", and specify the location where new log files are to be stored. Then use the same method to modify "Database path" and click "OK". In this way, our DHCP logs are more secure.
Figure 2: Modifying the DHCP log storage path
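Once audit logging is on, the files in the audit log directory can be reviewed with a script instead of by eye. The following is an added example, not part of the original article: it assumes the audit log's seven comma-separated fields (ID, Date, Time, Description, IP Address, Host Name, MAC Address), flags event IDs that deserve attention, and reports any MAC address that was assigned more than one IP address. The sample lines are constructed.

```python
import csv

# Event IDs from the DHCP server audit log that deserve a closer look.
NOTABLE = {
    "01": "audit log stopped",
    "02": "audit log paused (low disk space)",
    "13": "address already in use on the network",
    "14": "scope address pool exhausted",
    "15": "lease denied",
}

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,08:00:01,Started,,,
10,03/14/05,08:02:11,Assign,192.168.1.20,pc-01.example.local,00A0C9112233
11,03/14/05,09:02:11,Renew,192.168.1.20,pc-01.example.local,00A0C9112233
13,03/14/05,09:15:40,Conflict,192.168.1.21,,
14,03/14/05,09:30:02,Pool exhausted,192.168.1.0,,
15,03/14/05,09:30:05,NACK,192.168.1.77,,00A0C9445566
10,03/14/05,09:40:00,Assign,192.168.1.22,pc-02.example.local,00A0C9778899
10,03/14/05,09:41:00,Assign,192.168.1.23,pc-03.example.local,00A0C9778899
01,03/14/05,10:00:00,Stopped,,,
"""

def parse_audit_log(text):
    """Yield one dict per event line, skipping the header and any free-text preamble."""
    fields = ["id", "date", "time", "description", "ip", "host", "mac"]
    for row in csv.reader(text.splitlines()):
        # Event lines have exactly seven fields and a numeric event ID.
        if len(row) == 7 and row[0].strip().isdigit():
            yield dict(zip(fields, (c.strip() for c in row)))

def review(text):
    """Return (notable events, MACs that were assigned more than one address)."""
    events = list(parse_audit_log(text))
    notable = [(e["time"], NOTABLE[e["id"]], e["ip"]) for e in events if e["id"] in NOTABLE]
    ips_per_mac = {}
    for e in events:
        if e["id"] == "10" and e["mac"]:  # ID 10 = new lease
            ips_per_mac.setdefault(e["mac"], set()).add(e["ip"])
    multi = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return notable, multi

if __name__ == "__main__":
    notable, multi = review(SAMPLE_LOG)
    for time, what, ip in notable:
        print(f"{time}  {what}  {ip}")
    for mac, ips in multi.items():
        print(f"{mac} was assigned {len(ips)} addresses: {', '.join(ips)}")
```

A "log stopped" entry (ID 01) outside a planned maintenance window is the one to follow up first, since it marks a period in which nothing was recorded.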
II. Specifying DHCP management users
In an enterprise network, to strengthen the management of DHCP servers, the network administrator must designate one or more users to manage them. For example, to designate a user named "CCE" to manage DHCP, go to "Control Panel > Administrative Tools" on the Windows 2000 server and run the "Active Directory Users and Computers" tool. In the window that appears, click the "Users" container, find "DHCP Administrators" in the right-hand pane, right-click it, and select "Properties". The "DHCP Administrators Properties" dialog box is displayed. Switch to the "Members" tab, click "Add" to add the "CCE" user to the list, and click "OK". The CCE user can now manage the DHCP server.
III. Restricting DHCP management users
If the network administrator accidentally adds other users to the DHCP management group, those users will also have management permissions on the DHCP server, which affects the security of the DHCP server. How can we restrict the users in the DHCP management group? Why not use the domain security policy to add "double insurance" to the DHCP server?
For example, the author allows only the CCE user in the DHCP management group to have management permissions on the DHCP server, while other users have only "read-only" permissions. Go to "Control Panel > Administrative Tools" and run the "Domain Security Policy" tool. In the security policy console window that appears, expand "Windows Settings > Security Settings > Restricted Groups" in sequence, right-click the blank area in the right-hand pane, and select "Add Group". The "Add Group" dialog box is displayed. Enter "DHCP Administrators" in the field and click "OK".
Right-click "DHCP Administrators" and choose "Security". The "Configure Membership" dialog box is displayed. Click "Add" to add the "CCE" user to the member list, and then click "OK".
After the above three steps, our DHCP server will be more secure. If you are interested, try it!