
DHCP security..

I'm trying to monitor DHCP requests for security purposes. I set DHCP server up to write out logs, but I need it to be listed in the event viewer. I have a program that can monitor pretty much anything, except read log files. Does anyone know how this can be changed so I can know when someone plugs into my network and an IP is assigned to them?

 
Asked by: Joeteck
 
stefmahoney Commented:
Depending on the size of your network and the level of security you need you may want to consider setting all DHCP addresses to be reserved by MAC address.  Then only machines with a MAC address listed will be assigned an IP address.  (I've done this for a 16k node network before.)

MAC address spoofing is possible, but that issue depends on the complexity of attack that you need to worry about.

Overall it sounds like you might want to look into an IDS.
0
 
Joeteck (Author) Commented:
I have only 50 computers, as the MAC address idea sounds good, but more inconvenient for me when setting up new workstations.

So what you're saying is that my request is not possible...

I want to know when the IP address is being leased again, and any new ones if there should be.

I find it very silly of Microsoft not to have that as an event viewer event.

They have everything else writing to the thing...
0
 
r-k Commented:
I don't know of a way to write dhcp requests to the Event Logs, but you might be able to use LogParser to analyze the dhcp logs, which are just comma delimited text files. See:

 http://www.microsoft.com/technet/community/columns/profwin/pw0505.mspx
 http://articles.techrepublic.com.com/5100-6350_11-6105922.html
0

 
Joeteck (Author) Commented:
I found this VBScript, but it does not seem to work... I have it set up as a scheduled event.


'**** DHCP Server Log Checking Script (Version 2.0)
'**** Copyright © 2005 Chris Pratt
'**** You may use this script free of charge but may not make any changes except to the variables to meet your needs
'**** without the permission of the author.
'****
'****
'**** The script is best set-up to run as a scheduled task. It can check for any event ID in the DHCP Server logs.
'**** It does not need to run on the DHCP server but you will need the full UNC path and the user that the script
'**** is set to run as will need rights to the servers log file areas.
'****
'**** The interval is configurable and your scheduled task running time should be set to match that so areas of the
'**** logs don't go unchecked.
'****
'**** Version 2.0 - Now for Windows Server 2003 DHCP (Use version 1.0 for 2000)
'****
'****
'On Error resume next
'Variables

strOSversion = "2000" ' Choose 2000 or 2003 to match your version of Windows Server - This is your DHCP Server version
strDHCPServer = "appserver" ' Change to the name of your DHCP server

strfindtime = dateadd("n", -10, Time)           ' Change this figure (-10) to set interval between checking (in minutes)
intfindtime = 10 ' Change this value to match the one above
strtoday = (WeekdayName(Weekday(Date),true))

if strOSversion = "2003" then
            strlogfile = "\\" & strDHCPServer & "\c$\windows\system32\dhcp\dhcpsrvlog-" & strtoday & ".log"
      else
            strlogfile = "\\" & strDHCPServer & "\c$\winnt\system32\dhcp\DhcpSrvlog." & strtoday
      End if

streventid = "10"    ' Change to meet what event you want to check for - See the beginning of a log to see a definition list of the Event ID's

Dim strTo, strSubject, strBody, i
Dim objCDOMail
strTo = "user@domain.com" ' Who the e-mail goes to
strSubject = "DHCP IP Alert" 'subject of the e-mail
set objCDOMail = CreateObject("CDONTS.NewMail")
objCDOMail.From    =  "SYSTEM <Administrator@domain.com>" ' who the e-mail is from
foundentry = 0
strBody = ""
const forreading = 1
set objfso = createobject("Scripting.filesystemobject")
set objtextfile = objfso.opentextfile(strlogfile, forreading)
do while objtextfile.atendofstream <> True
ceventid = ""
posfind = 0
      
strline = objtextfile.readline

if instr(strline, "ID Date,Time,Description,IP Address,Host Name,MAC Address") then
            strline = objtextfile.readline
      else

      end if

if instr(strline, ",") then
            arrdhcprecord = split(strline, ",", 7)
            ceventid = arrdhcprecord(0)
            ceventdte = arrdhcprecord(1)
            ceventtime = arrdhcprecord(2)
            ceventdesc = arrdhcprecord(3)
            ceventip = arrdhcprecord(4)
            ceventhost = arrdhcprecord(5)
            ceventmac = arrdhcprecord(6)
      else

      End if
      i=i+1

findtime = datediff("n", ceventtime, strfindtime)

if findtime < intfindtime then
            posfind = posfind + 1
      else

      end if

if ceventid = streventid then
            posfind = posfind + 1
else

end if

if findtime > 0 then
            posfind = posfind + 1
      else

      end if

if posfind = 3 then
            strBody = strBody & "===================" & vbCrLf
            strBody = strBody & " DHCP Server Alert" & vbCrLf
            strBody = strBody & "===================" & vbCrLf
            strBody = strBody & vbCrLf
            strBody = strBody & "Event ID: " & ceventid & vbCrLf
            strBody = strBody & "Date: " & ceventdte & vbCrLf
            strBody = strBody & "Time: " & ceventtime & vbCrLf
            strBody = strBody & "Desc: " & ceventdesc & vbCrLf
            strBody = strBody & "IP: " & ceventip & vbCrLf
            strBody = strBody & "Host: " & ceventhost & vbCrLf
            strBody = strBody & "Mac: " & ceventmac & vbCrLf
            strBody = strBody & "FindTime: " & findtime & vbCrLf
            strBody = strBody & vbCrLf
            foundentry = 1
      else

      end if

loop

if foundentry = 1 then
objCDOMail.To      = strTo
objCDOMail.Subject = strSubject
objCDOMail.Body    = strBody
objCDOMail.Send
Set objCDOMail = Nothing
else

end if

objtextfile.close
0
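As an added example, not from any poster in this thread and not part of Chris Pratt's script: one way to get lease activity into Event Viewer is to parse the comma-delimited DHCP audit log and write an Application-log entry per lease, flagging MAC addresses that are not in your own inventory. It assumes Windows PowerShell 5.1 in an elevated session; the sample log lines, the `DhcpLeaseWatch` source name, the 1000+ event IDs and the `$knownMacs` list are constructed for illustration.

```powershell
# Constructed sample lines in the audit-log layout the script above parses:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address (dates assumed MM/DD/YY)
$sampleLog = @'
ID Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/07,00:00:12,Started,,,
10,03/14/07,09:15:02,Assign,192.168.1.50,WS-014,000D3A11AA01
11,03/14/07,09:40:27,Renew,192.168.1.50,WS-014,000D3A11AA01
10,03/14/07,10:02:44,Assign,192.168.1.77,UNKNOWN-PC,0016CB44EE90
'@ -split "`r?`n"

# Hypothetical inventory of MAC addresses you have deployed yourself
$knownMacs = @('000D3A11AA01')

function Get-DhcpLeaseEvent {
    param(
        [string[]]$Line,
        [string[]]$EventId = @('10', '11'),   # 10 = new lease, 11 = renewal
        [datetime]$Since = [datetime]::MinValue
    )
    foreach ($l in $Line) {
        $f = $l -split ','
        # Skip the legend, the column header and malformed rows
        if ($f.Count -lt 7 -or $f[0] -notmatch '^\d+$') { continue }
        if ($EventId -notcontains $f[0]) { continue }
        $when = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss',
                    [cultureinfo]::InvariantCulture)
        if ($when -le $Since) { continue }    # only entries newer than the last run
        [pscustomobject]@{
            EventId = $f[0]; Time = $when; IP = $f[4]; Host = $f[5]
            MAC = $f[6].ToUpper(); Known = $knownMacs -contains $f[6].ToUpper()
        }
    }
}

$source = 'DhcpLeaseWatch'   # hypothetical event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source   # needs admin rights once
}
foreach ($e in Get-DhcpLeaseEvent -Line $sampleLog) {
    # Unknown MACs are written as warnings so a monitoring tool can key on them
    $type = if ($e.Known) { 'Information' } else { 'Warning' }
    $msg  = "DHCP event $($e.EventId) at $($e.Time): $($e.IP) -> $($e.Host) [$($e.MAC)]"
    Write-EventLog -LogName Application -Source $source -EventId (1000 + [int]$e.EventId) `
                   -EntryType $type -Message $msg
}
```

For real use, replace `$sampleLog` with `Get-Content` on the server's current audit log file and pass the previous run time as `-Since` so a scheduled task does not re-report old leases.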
 
Joeteck (Author) Commented:
Close this question please, and give back my points
0
 
r-k Commented:
You can post a 0-point question in the support area (link at upper-right corner of this page) and ask them to close the question.
0
