Unknown DHCP Leases

Posted on 2008-11-10
Last Modified: 2012-05-05

Every morning I open up the DHCP console looking for unknown computers connecting to our network. I know that every device that is part of our domain lists the computer name as When a computer shows up with a DHCP lease without the part of the name, I look to see what device it is and whether it is authorized to connect to our network. I know that device is not a member of our domain. We do have a Linksys AP that is secured using WEP. I know WEP is not the greatest. Also, we use Microsoft ISA 2004 Server as our firewall. Now, the Linksys AP is connected directly to our switch. Is that bypassing ISA? Can a computer get an IP lease from DHCP without being a domain member? Does the server require authentication before assigning a DHCP lease?
Question by: Penflex
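The morning lease review described in the question, automated as an added example (not code from the original thread): every lease whose client name does not carry the domain's DNS suffix, and whose MAC is not on an inventory of known non-domain devices, is reported for follow-up. The tab-separated export format, the column names and the `.corp.example` suffix are assumptions; the lease data is constructed.

```python
"""Flag DHCP leases whose client name is not in the AD domain.

Added example; not part of the original thread. Input is a constructed
tab-separated lease export (column names are assumed, not taken from a
real DHCP console export). Domain-joined Windows clients register as
host.<domain suffix>; anything else is reported for follow-up.
"""
import csv
import io

DOMAIN_SUFFIX = ".corp.example"  # assumed domain DNS suffix

# Constructed sample export: one header row, then one lease per line.
SAMPLE_EXPORT = """\
Client IP Address\tName\tUnique ID
192.168.1.20\tWS-ACCOUNTING.corp.example\t001122334455
192.168.1.21\tWS-FRONTDESK.corp.example\t0011223344aa
192.168.1.57\tandroid-9f3c\t0a1b2c3d4e5f
192.168.1.58\t\tdeadbeef0001
192.168.1.80\tHP-PRINTER-2F\t3c4a920f1133
"""

# Devices that are legitimately not domain members (printer, the AP itself),
# keyed by MAC so a hostname alone does not make a device trusted.
KNOWN_NON_DOMAIN_MACS = {"3c4a920f1133"}


def is_domain_name(name: str, suffix: str = DOMAIN_SUFFIX) -> bool:
    """True only for a non-empty FQDN ending in the domain suffix."""
    name = name.strip().lower()
    return bool(name) and name.endswith(suffix.lower()) and len(name) > len(suffix)


def unknown_leases(export_text: str, known_macs=KNOWN_NON_DOMAIN_MACS):
    """Return (ip, name, mac) for every lease that is neither domain-joined
    nor a known, inventoried non-domain device."""
    rows = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    flagged = []
    for row in rows:
        mac = row["Unique ID"].strip().lower()
        name = row["Name"] or "<no name>"
        if is_domain_name(row["Name"]) or mac in known_macs:
            continue
        flagged.append((row["Client IP Address"], name, mac))
    return flagged


if __name__ == "__main__":
    for ip, name, mac in unknown_leases(SAMPLE_EXPORT):
        print(f"REVIEW  {ip:<15} {mac}  {name}")
```

Run against the sample, the two leases without a domain name and without an inventory entry (the Android device and the nameless client) are the ones reported.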
    LVL 8

    Assisted Solution

    DHCP has no authentication method built in, so anyone whose broadcasts can be seen by your DHCP server can/will get a lease.

    Your access point inside your switch most likely does bypass your Microsoft server's firewall function.

    Using a Microsoft server as a firewall is a security incident waiting to happen; use a Cisco ASA 5500 series. They range from $350 to $150,000, so there will be one in your price/performance range.
    LVL 6

    Accepted Solution

    You do not need to be part of the domain to get a lease from DHCP. I would lock your wireless down ASAP. If you only have WEP enabled then I would shut the wireless down or create a totally separate network for wireless use and require users to VPN into the network from the wireless. There are other things you could do like set static IP leases and whatnot that inevitably someone here will say, but they will still have access to your network and be able to sniff traffic. I would shut it down until I could get at least a WPA2 AP installed.
    LVL 77

    Assisted Solution

    by:Rob Williams
    >>"Linksys AP is connected directly to our switch. Is that bypassing ISA?"
    Yes, and anyone can obtain a DHCP lease. That does not necessarily mean they have gained access to any network resources, they still have to authenticate to AD for that.
    A much more secure method would be to place the Wireless access point on the public/WAN side of the ISA server, enable DHCP on the wireless, and set up a VPN, within ISA, to allow users access to the LAN. This way the wireless users are treated securely the same as if they were in an Internet café, but can still gain access to LAN resources.
    LVL 8

    Expert Comment

    Have you got the answers you were after, Penflex?
    LVL 1

    Author Closing Comment

    Thank you....
    I will lock down my wireless with WPA2 and move it from the switch.
