DHCP leased addresses to servers on a dedicated server subnet?

Posted on 2009-04-28
Last Modified: 2013-12-04
Hi all.

I'm hoping someone can help me out with an answer regarding potential security issues with enabling DHCP on a dedicated server subnet, i.e. allowing servers to obtain DHCP-leased addresses.

A number of government organizations I have consulted for over the years have often stated that it is a security-based decision not to allow a DHCP server to lease addresses to dedicated server subnets. Yes, in a LARGE number of cases, why would you even want a server to have a DHCP lease? Just assign a static. But in the virtual world, sysprep / cloned machines are becoming more and more common, and they require DHCP if you want to automate joining a domain (among numerous other things). Ever tried to assign a static IP address to a sysprepped Windows Server 2008 cloned virtual server before the logon box is displayed? While possible, it's a pain in the 'a'.

Anyway, I'm getting off topic. I'd really just like to know of any security issues you guys might know of, other than '...but someone might get access to our server switch, which is in a security-coded room in a locked cabinet that requires a PIN and swipe card to get the key from the key safe, plug their rogue laptop into a spare port and get an address' ;-)

Thanks for listening.

Question by: stevenski

LVL 33

Accepted Solution

DHCP assignment can be bound to MAC address, so it is little if any less secure than assigning it directly to the hardware, but with the bonus that all your config is in one place (so if you need to renumber or something, there is only one file to change, not 50 GUI options across 50 hosts).

You can also get a boot log for free (so you can detect when something reboots) and so forth.

Cisco has some really nice security options along these lines: J. Random User can plug in their laptop, get a DHCP address... and find themselves on a completely different VLAN if the DHCP server didn't like the MAC it got (or expected an X.509 certificate but didn't get one).

That means it doesn't matter which port which type of device is plugged into; it ends up in the right subnet with the right type of IP, regardless of whether it is a server, printer, authorized workstation or visitor's device.
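The accepted solution's two points, reservations bound to MAC with "all your config in one place" and the "boot log for free", can be shown with one small script. This is an added example, not code from the thread or from any DHCP product: a single constructed inventory renders an ISC dhcpd reservation block (hosts keyed by `hardware ethernet`, `deny unknown-clients` so anything else on the subnet gets nothing), and the same inventory is used to audit DHCP server log lines for unknown MACs, addresses handed out that do not match a reservation, and DISCOVERs from known hosts (a client that starts with DISCOVER rather than renewing has booted). The subnet, MACs, hostnames and log lines are all constructed, and the log format only approximates ISC dhcpd's syslog output.

```python
"""Added example (not from the thread): one inventory drives both the
MAC-bound dhcpd reservations and an audit of the DHCP server's log.
Every address, MAC, hostname and log line below is constructed."""
import re

# Constructed inventory for a hypothetical server subnet 10.10.20.0/24.
SERVER_SUBNET = "10.10.20.0"
SERVER_NETMASK = "255.255.255.0"
SERVERS = {
    "srv-web01": ("00:50:56:aa:00:01", "10.10.20.11"),
    "srv-db01":  ("00:50:56:aa:00:02", "10.10.20.12"),
}


def render_dhcpd_conf(servers=SERVERS):
    """Render an ISC dhcpd subnet block: one fixed-address per known MAC,
    and deny unknown-clients so an unlisted MAC gets no lease at all."""
    lines = [
        f"subnet {SERVER_SUBNET} netmask {SERVER_NETMASK} {{",
        "    deny unknown-clients;",
    ]
    for name, (mac, ip) in sorted(servers.items()):
        lines += [
            f"    host {name} {{",
            f"        hardware ethernet {mac};",
            f"        fixed-address {ip};",
            "    }",
        ]
    lines.append("}")
    return "\n".join(lines)


# Approximation of an ISC dhcpd syslog line (constructed, not authoritative):
#   <timestamp> <host> dhcpd: DHCPxxx [on|for <ip>] ... [from|to] <mac> ...
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\sdhcpd:\s"
    r"(?P<msg>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK|RELEASE))"
    r"(?:\s(?:on|for)\s(?P<ip>[\d.]+))?"
    r".*?\b(?:from|to)\s(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def audit_dhcp_log(log_lines, servers=SERVERS):
    """Return (alerts, boots).
    alerts: a MAC outside the inventory talking to the server subnet's DHCP,
            or a known MAC ACKed an address other than its reservation.
    boots:  DHCPDISCOVER count per known host (a fresh DISCOVER rather than
            a renewal REQUEST is what a reboot looks like in the log)."""
    known = {mac.lower(): (name, ip) for name, (mac, ip) in servers.items()}
    alerts, boots = [], {name: 0 for name in servers}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        mac, msg, ip = m["mac"].lower(), m["msg"].upper(), m["ip"]
        if mac not in known:
            alerts.append(f"unknown MAC {mac} sent {msg} ({m['ts']})")
            continue
        name, reserved_ip = known[mac]
        if msg == "DHCPDISCOVER":
            boots[name] += 1
        elif msg == "DHCPACK" and ip != reserved_ip:
            alerts.append(f"{name} ACKed {ip}, reservation is {reserved_ip}")
    return alerts, boots


# Constructed sample log: web01 boots twice, db01 only renews, and an
# unlisted MAC (a rogue laptop on a spare port) asks and is refused.
SAMPLE_LOG = """\
Apr 28 09:15:02 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:aa:00:01 via eth1
Apr 28 09:15:02 dhcp1 dhcpd: DHCPOFFER on 10.10.20.11 to 00:50:56:aa:00:01 (srv-web01) via eth1
Apr 28 09:15:02 dhcp1 dhcpd: DHCPREQUEST for 10.10.20.11 (10.10.20.1) from 00:50:56:aa:00:01 (srv-web01) via eth1
Apr 28 09:15:02 dhcp1 dhcpd: DHCPACK on 10.10.20.11 to 00:50:56:aa:00:01 (srv-web01) via eth1
Apr 28 11:40:17 dhcp1 dhcpd: DHCPREQUEST for 10.10.20.12 from 00:50:56:aa:00:02 (srv-db01) via eth1
Apr 28 11:40:17 dhcp1 dhcpd: DHCPACK on 10.10.20.12 to 00:50:56:aa:00:02 (srv-db01) via eth1
Apr 28 14:02:51 dhcp1 dhcpd: DHCPDISCOVER from 00:16:3e:12:34:56 via eth1: network 10.10.20.0/24: no free leases
Apr 28 16:30:00 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:aa:00:01 via eth1
Apr 28 16:30:00 dhcp1 dhcpd: DHCPACK on 10.10.20.11 to 00:50:56:aa:00:01 (srv-web01) via eth1
""".splitlines()


if __name__ == "__main__":
    print(render_dhcpd_conf())
    alerts, boots = audit_dhcp_log(SAMPLE_LOG)
    print("alerts:", alerts)
    print("boots:", boots)
```

The point of keying both the reservations and the audit off one inventory is the one the answer makes: renumbering or adding a host is a one-file change, and the same file tells you which DISCOVERs on the server subnet should never have happened.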
LVL 32

Expert Comment

You can assign permanent IP addresses by MAC address.
Yes, MAC addresses can be spoofed, and thus gain an IP address.
But... if you're already on the LAN, why not just assign the IP address manually? If there is no conflict, you don't even have to worry about someone getting booted and raising a flag.

If the servers are segregated in their own subnet for security, there should be a firewall controlling access to that subnet. The rules/flags should be there.

There shouldn't be the ability to get access directly (public internet), remotely (VPN) or physically (facility security).

Author Closing Comment

Thanks for giving me options, Dave. I guess I was hoping for a solid answer as to 'why' as opposed to workarounds. Still, I learnt something. Cheers.
