DHCP leased addresses to servers on a dedicated server subnet?
Posted on 2009-04-28
I'm hoping someone can help me out with an answer regarding potential security issues enabling DHCP on a dedicated server subnet, i.e. allowing servers to obtain DHCP leased addresses.
A number of government organizations I have consulted for over the years have often stated that it is a security-based decision not to allow a DHCP server to lease addresses to dedicated server subnets. Yes, in a LARGE number of cases, why would you even want a server to have a DHCP lease? Just assign a static. But in the virtual world, sysprep / cloned machines are becoming more and more common and they require DHCP if you want to automate joining a domain (among numerous other things). Ever tried to assign a static IP address to a sysprep Windows Server 2008 cloned virtual server before the logon box is displayed? While possible, it's a pain in the 'a'.
Anyway, I'm getting off topic. I'd really just like to know of any security issues you guys might know of other than '...but someone might get access to our server switch which is in a security coded room in a locked cabinet that requires a PIN and swipe card to get the key from the key safe, plug their rogue laptop into a spare port and get an address' ;-)
Thanks for listening.