From Microsoft

Jul 6, 2009 08:59 GMT

Network administrators who want to make sure that the components of their server infrastructure are running under normal parameters and under their control can now get a new tool from Microsoft designed to sniff out rogue DHCP servers. The rogue detection solution gives admins a tool with a graphical user interface that can be deployed in an IT environment and used to detect rogue DHCP servers on the local subnet. According to Subhash Badri, from the DHCP Server Team, the tool does not distinguish between erroneously configured rogue DHCP servers and malicious ones.

“Rogue DHCP servers are those DHCP servers that are misconfigured or unauthorized unknowingly, or those that are configured with a malicious intent for network attacks. In either case, the impact on clients that are serviced by the rogue DHCP servers is critical,” Badri explained.

The rogue DHCP server detection tool can be used to manually scan an environment, and it also offers administrators the possibility of scheduling scans. In addition, the solution “can be run on a specified interface by selecting one of the discovered interfaces. Retrieves all the authorized DHCP servers in the forest and displays them. [Offers the] ability to validate (not Authorize in AD) a DHCP server which is not rogue and persist this information.”

Minimizing the tool makes it virtually invisible; admins can still reach it via a tray icon that reports the solution's status. Among the first signs of trouble associated with a rogue DHCP server is that client computers in the environment start experiencing network access problems. The issues stem from the rogue DHCP server leasing incorrect IP addresses and handing erroneous options to the clients.

Security threats arise when malicious users operating a rogue DHCP server spread bad network parameters and thereby sniff the traffic sent by the clients. There are also certain Trojans, such as DNS-changing malware, that use a compromised machine in the network to pollute it by installing a rogue DHCP server on that machine.
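The detection approach the article describes (probe the local subnet, collect every DHCP server that answers, and compare each against the list of authorized servers) can be illustrated with a small script. The following is an added example written for this page; it is not code from Microsoft's Rogue DHCP Server Detection Tool and does not reproduce how that tool works internally. The authorized-server list, the addresses, and the `build_offer` sample are constructed values; `probe_subnet` is a hypothetical helper that needs rights to bind UDP port 68 on the scanning host, while the parsing and classification run offline on the constructed sample.

```python
import socket
import struct
import random

# DHCP servers the administrator has authorized; constructed example values, not from the article.
AUTHORIZED_SERVERS = {"192.0.2.10"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options


def _fixed_header(op, xid, mac, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """The 236-byte BOOTP/DHCP fixed header (RFC 2131 section 2); mac is 6 raw bytes."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, 0x8000,            # htype Ethernet, broadcast flag set
                       b"\0" * 4,                              # ciaddr
                       socket.inet_aton(yiaddr), socket.inet_aton(siaddr),
                       b"\0" * 4,                              # giaddr
                       mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)


def _encode_options(opts):
    """opts is a list of (code, value bytes); returns cookie + TLV options + END."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return DHCP_MAGIC + body + b"\xff"


def build_discover(mac, xid):
    """DHCPDISCOVER requesting subnet mask, router and DNS: the options a rogue server pushes."""
    return _fixed_header(1, xid, mac) + _encode_options([(53, b"\x01"), (55, b"\x01\x03\x06")])


def build_offer(mac, xid, server_ip, offered_ip, router, dns):
    """Construct a DHCPOFFER the way a server would answer; used here only as an offline sample."""
    return _fixed_header(2, xid, mac, offered_ip, server_ip) + _encode_options([
        (53, b"\x02"), (54, socket.inet_aton(server_ip)), (1, socket.inet_aton("255.255.255.0")),
        (3, socket.inet_aton(router)), (6, socket.inet_aton(dns)), (51, struct.pack("!I", 3600))])


def parse_options(payload):
    """Return {code: raw value} from the option area; skips PAD, stops at END, rejects truncation."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END
            break
        if code == 0:              # PAD
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option value")
        opts[code] = val
        i += 2 + length
    return opts


def _ip_list(raw):
    """Options 3 and 6 carry one or more 4-byte addresses."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]


def classify_offer(payload, xid, authorized=AUTHORIZED_SERVERS):
    """Report on a DHCPOFFER that matches our transaction id; None for anything else."""
    if struct.unpack("!I", payload[4:8])[0] != xid:
        return None
    opts = parse_options(payload)
    if opts.get(53) != b"\x02":
        return None
    # Option 54 (server identifier) is the server's own claim; fall back to siaddr if it is absent.
    server = socket.inet_ntoa(opts[54]) if 54 in opts else socket.inet_ntoa(payload[20:24])
    return {
        "server": server,
        "offered_ip": socket.inet_ntoa(payload[16:20]),
        "routers": _ip_list(opts.get(3, b"")),
        "dns": _ip_list(opts.get(6, b"")),
        "rogue": server not in authorized,
    }


def probe_subnet(timeout=3.0):
    """Broadcast one DISCOVER and collect every OFFER until the timeout (hypothetical helper)."""
    mac = bytes([0x02, 0, 0, 0, random.randrange(256), random.randrange(256)])  # locally administered
    xid = random.getrandbits(32)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", 68))
        s.settimeout(timeout)
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        reports = []
        while True:
            try:
                data, _ = s.recvfrom(2048)
            except socket.timeout:
                return reports
            try:
                report = classify_offer(data, xid)
            except ValueError:      # malformed datagram on port 68; ignore it
                continue
            if report:
                reports.append(report)


if __name__ == "__main__":
    for r in probe_subnet():
        print("ROGUE" if r["rogue"] else "ok   ", r)
```

Every server that answers the DISCOVER is listed, including the authorized ones, so an administrator sees the router and DNS options each server hands out and can spot a misconfigured server as easily as a malicious one; a periodic run of `probe_subnet` on each interface corresponds to the scheduled scans the article mentions.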

The Rogue DHCP Server Detection Tool is available for download here.