There are shortcuts to managing DHCP servers

Through this period of study, we should have some knowledge about the content of the DHCP server. In addition to understanding some of its concepts and configuration content, we also need to have some knowledge about its management. We all know that IP addresses are the basis for communication between enterprise LAN hosts. If the host does not have an IP address, the host cannot access the Internet. DHCP servers are responsible for managing the IP addresses of Enterprise LAN hosts. If security vulnerabilities occur, the attack on the entire enterprise LAN is fatal, resulting in paralysis of the entire enterprise network.

Therefore, when deploying a DHCP server, the network administrator also needs to pay attention to the security issues of the DHCP server. Specifically, we can start from the following aspects to manage the security of DHCP servers.

Step 1: Manage the administrator account.

The first step in DHCP server security design is to take security measures for administrator accounts. If hackers, Trojans, or viruses do not have administrator permissions, the damage is also very limited. Therefore, the network administrator's first step is to check how to protect this administrator account.

Therefore, different DHCP server roles have different protection measures.

If we use the DHCP service on the vro, we can use IP addresses and other restrictions. For vrouters, we generally manage DHCP servers remotely, such as remotely connecting to the server through TELENT or SSH. Therefore, we can specify a host. Only this host can be connected to the vro for DHCP server management. To this end, we can configure the firewall on the router to allow only a host with a certain IP address or MAC address to be connected for DHCP service management. In this way, the security of the Administrator account can be better guaranteed by adding the user's password. In this way, attackers are not allowed to take advantage of the security and stability of the DHCP server.

For example, if the DHCP server is deployed on Microsoft's operating system and in the domain environment, the management is more convenient. For example, you can create a user in the Active Directory user and computer to manage the DHCP server. After a user is created, the user can be assigned the administrator role to manage the DHCP server. In general, I suggest using different administrator accounts for each server. This is mainly to prevent the leakage of an administrator account and password, which only affects a specific service and does not affect other services. In addition, DHCP servers built on Microsoft operating systems can also be remotely managed. To this end, we can also use the security policies provided by the Microsoft operating system to specify which hosts can be connected to the DHCP server for related management actions.

In short, if an attacker wants to attack an enterprise's DHCP server, the first step is to collect relevant information and analyze it. The second step is to obtain the account and password with administrator privileges. If we can protect the Administrator's account and password, illegal attackers will not be able to take it.

Step 2: Understand the running status of the DHCP server.

After the Administrator's account security measures are taken, the network administrator should learn about the running status of the DHCP server and what happened before the DHCP fault occurs, or exceptions. The best way to do this is to view the DHCP server logs. However, some DHCP servers do not enable audit records of DHCP servers by default. To enable this function, you must manually enable it. Otherwise, some running information of the DHCP server, including some exception information, cannot be recorded by server logs.

Next, I will take the DHCP service provided by the Microsoft operating system as an example to talk about how to enable this "Review Record" function.

In management tools, find the DHCP Server Manager, open the DHCP server console window, right-click our server, and select Properties. In the displayed dialog box, switch to the "General" tab to see if the "enable DHCP Review" option is selected. If selected, some running information of the DHCP server will be saved in the system log. Otherwise, the running status of the DHCP server will not be recorded, and we will not be able to know what happened to the DHCP server.

However, when hackers visit the DHCP server, they often try to hide their traces. One of the measures is to modify or delete log files. To prevent unauthorized attackers from modifying the log file, we need to change the default path of the log file. In the same dialog box, we can see a "database path" option. The following content is the default log storage location. The network administrator can select an appropriate log storage path based on the actual situation.

In addition, this log is an important basic data for us to troubleshoot the DHCP server in the future. Therefore, we also need to back up the log file. Otherwise, when this log is accidentally lost, we will find out the fault of the DHCP server. In addition, it is best to back up this log remotely. In this case, even if the DHCP server is paralyzed, we can also see what actions the DHCP server last performs from the remote backup log, will cause this server fault.

Step 3: Set the Administrator group.

In a large network, there are usually more than one network administrator. Each Network Administrator is responsible for the division of labor. Therefore, our network administrator does not want other associates, such as firewall administrators, to manage DHCP servers that should not be managed by them. That is to say, we need to set the administrator of the DHCP server to the minimum range.

In actual work, some network administrators may prefer to be lazy, but they do not specifically differentiate the work scope of each administrator. They do not have the permissions to distinguish accounts from each other. For example, in the domain environment, some network administrators directly set an Administrator group. All users in this Administrator Group have administrative permissions on all network devices and servers. The author believes that such a big pot meal is not suitable, and there are great risks. Next I will take Microsoft's domain environment as an example to talk about how to distinguish the administrator role of the DHCP server from other administrator roles.

First, find the "Domain Security Policy" management tool in the management tool, and double-click to open the tool. In the displayed dialog box, enable the Windos settings, security settings, and restricted groups. Then add a new group. In the displayed dialog box, enter DHCP Administrators. Then, click OK to save. In this case, only the users in this group have administrative permissions on the DHCP server. Users in other groups cannot manage the DHCP service even if they have the management permissions of other servers.

The next step is to create an administrator user and add it to the DHCP Administrator group. In the DHCP Administrators Group, select "security". In the displayed dialog box, select "add" and add the user we just created to the group. In this case, we can minimize the number of DHCP server administrators. Our goal is that the enterprise network may have multiple administrators, but the DHCP server only has one administrator. This design is very helpful for the security and stability of DHCP.

Step 4: Back up DHCP server settings.

In the DHCP server, we need to back up some related configurations. Such as which addresses can be allocated in the address pool and which IP addresses cannot be allocated, such as the lease term, and whether the IP address is bound to the MAC address. Back up the content in time and rewrite the content as the DHCP server adjusts. In this case, when the DHCP server fails, we can establish a new DHCP server in a short time to reduce the adverse impact of DHCP server failure on the enterprise network.

In addition, some enterprises also set up a redundant DHCP server for the network. If the DHCP server fails, another DHCP server may take over immediately. Of course, this redundant DHCP server is synchronized with the master server. The configuration changes of the master server will be promptly reflected on the redundant server. In fact, this is also a hot backup of the DHCP server. However, do enterprises need to establish a redundant DHCP server? This is mainly determined based on the actual situation of the enterprise. Due to the concept of the lease, the lease has not expired. In fact, short-term faults occur on the DHCP server, which has little impact. This is different from other servers, such as the application service period. When these servers fail, most services will not run. Therefore, these applications must be able to run securely and stably within working days during the service period. Therefore, a short-term fault occurs on the DHCP server, which generally does not have a fatal impact on the enterprise network. However, there is a premise that in the short term. If the network administrator can repair or reconstruct the DHCP server in a short time, it is not necessary to create a redundant DHCP server. Of course, this is my personal opinion.

In short, as enterprise DHCP servers become more and more widely used, intelligent control can also be performed on DHCP services, such as binding IP addresses to MAC addresses. Therefore, DHCP servers are gradually becoming the target of hackers and other illegal attackers. To this end, the network administrator should also begin to design the security of the DHCP server. The above are some of my experiences in DHCP server management. It may not be comprehensive enough, but the sentence is all about Jin yuliangyan, and it is about experience.