  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 197

DHCP server open to all

I have 17 DHCP servers in my environment.  We have some sites that need to be self sufficient, that's why we have such a large number.

I have 4 servers which anyone can administer.  Both my DHCP groups are empty and there are no obvious permission settings that say anyone can administer the server(s).  I and my co-workers are at a loss here.  3 of these servers are R/O and one is a GC.

I need some other ideas thrown at me to look at this issue.
0
Asked:
insyncguy
1 Solution
 
arnoldCommented:
It is not clear what you are asking for here.  DHCP servers are set up once and really do not need further administration.
RO presumably refers to a DC (RODC)
Properly subdividing the IP segment, using super scopes, etc.
I.e. Setting up a segment with an excluded block that allows for static IP use usually for servers.

You need to post a question or provide some detail on what you are needing assistance with.
0
 
KwoofCommented:
Holy Cow! I can't picture the network configuration you have done to need 17 DHCP servers!

I ran a school with 20 classrooms that were all on their own subnet, but still had 1 main DHCP.

Anyway, I cannot grasp what you are asking for either?
0
 
arnoldCommented:
I believe it is not a single locale. I can see the possibility but not the question.

Is there a designated group/user to administer.
0
 
KwoofCommented:
Now I am catching up!  We have too many meanings for our English words!  My mind had interpreted sites as websites, since I am in the middle of company project where they have about 30 different intranet websites at a single physical location!  I was not thinking multiple physical locations where each would need their own DHCP.
0
 
tliottaCommented:
I believe the question is "How can I control who can administer my DHCP servers?" But that's close to a random guess.

Tom
0
 
arnoldCommented:
The difficulty on that is that the "I have 4 servers which anyone can administer" ....

If everyone is a member of the domain admin, enterprise admin or server operators group they will have access.

Here are the default server roles.
http://technet.microsoft.com/en-us/library/cc756898%28v=WS.10%29.aspx

DHCP is usually a one time setup, unless you are looking at using DHCP allocated static IPS. (reserved IPs).
0
 
insyncguyAuthor Commented:
I know guys, that is why this is so weird.  We are in charge of many locations in Alaska.  These many locations need to be independent, hence the large number of DHCP servers, and our transportation sites are included too.
Of all the DHCP servers we have, these 4 are able to be administered by anyone.  The user can create a reservation, change IP ranges and of course delete a scope (gasp!).  Why, since it's a one time setup?  And why just these 4?
Not Everyone is a member of the Domain Admins, Enterprise Admins or Server admins group.  I do know what I need to know on how to control who administrates.  The two DHCP AD groups are empty of members.  All DHCP servers are on DC's... but none of those DC's allow Everyone or Authenticated users to admin the server.  If that was the case then all the servers could be administered and not just these 4.  Like you say it's a one time setup for DHCP server...
DHCP servers are setup once and really do not need further administration.  I agree Arnold.  That is why I need to see how these 4 are different...
let me know what further assistance you need...thanks
0
 
KwoofCommented:
I think I am beginning to see the question...

Why are these 4 servers able to be administered by anyone, even though the users are not in any of the admin groups?

Are all the servers on a single domain over a WAN, or are they all independent?
Are the users allowed to logon to the server?
Are the users logging in with domain accounts, or their own local machine accounts?
0
 
arnoldCommented:
There might be a DACL delegation of authority via GPO security.

Usually, only administrative users can log in to the DC, as you know.  If anyone can log in, that suggests that the Default Domain Controllers GPO has been modified, removing the restriction.

User rights assignment.

Use GPMC on one of the four and see what settings are applied and from which GPO these settings are set.

You could also have a loopback policy that reasserts the user's settings on logon to these servers and thus grants them this access.

There are several possibilities, and unfortunately, other than looking at the users/system settings.
0
 
insyncguyAuthor Commented:
KWOOF,
Are all the servers on a single domain over a WAN, or are they all independent? Single domain over MPLS connection
Are the users allowed to logon to the server?  My regular account is able to log in to one of the servers.  (I have two accounts, one Domain Admin, one not)
Are the users logging in with domain accounts, or their own local machine accounts?  domain accounts.  We have very few local accounts and those would be service accounts.
ARNOLD,
I will look at the GPO and see what might be up.  I have already looked at the local security settings but didn't see anything obvious.
0
 
arnoldCommented:
In a single domain structure, you presumably have the different locations defined as their own OUs (computers/users) see whether the computers OUs have a delegation of control to "domain users" etc.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0
 
insyncguyAuthor Commented:
ARNOLD
I downloaded LIZA and did a search for "domain users" or any other broad group, but alas, only domain admins and enterprise admins.  I did see one group with full permissions to computers with plain users in it, but that group is in an OU where the DHCP server cannot be administered by anyone...so that's not it.

thanks

Now I did find a couple of groups that included both my regular and DA account.  Hurray!! I will keep this open until we decide how to proceed.  Thanks Arnold.
0
 
insyncguyAuthor Commented:
Nope. Took out the permission and still our regular non domain admin accounts have access to 4 of our 17 DHCP servers.
0
 
arnoldCommented:
Access to servers meaning they can login onto the server console/remotely?

Or they can make changes to the DHCP servers' configuration?

Check the local groups to see whether domain groups have been added in.
0
 
insyncguyAuthor Commented:
ARNOLD, thanks.
Our regular users cannot access the server.  We here in IT have two logons, one Domain Admin, one not.  Our regular, non domain admin, ID can in fact log onto these 4 servers and make DHCP server config changes.
All local groups are empty...the DHCP ones...
0
 
arnoldCommented:
Non domain means local user? What rights does the local user have on the local system?
There must be a GPO/rights assignment that grants this non-admin user rights.
0
 
insyncguyAuthor Commented:
Non domain means domain user.  We don't have local users on the servers.  And man, I have been looking through GPO/rights assignments and have yet to find anything.  (gurr)
0
 
arnoldCommented:
Try the following.
Using GPMC on one of the DCs, run a Group Policy Results wizard against one of these servers and the user in question. The right is either granted via a GPO or it is granted locally on the server.

Log in locally and run gpresult /v /user this_username | more

One way to stop the "treasure hunt": create a new local user for non-admin admin use.
Check to make sure it has the requisite rights that you need.  Then deactivate the old non-admin admin user.
0
 
insyncguyAuthor Commented:
Thanks ARNOLD,
We found the issue.  In the AD properties of the DC there is the Managed By tab; on these servers it contained a group which contained both our regular accounts and our Domain Admin accounts.  I removed the AD group from this property and the access was removed.

thanks for your assistance.
0
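An added PowerShell audit, not from the thread, that checks the two places the thread ends up looking: the domain DHCP Administrators / DHCP Users groups (on a DC these are AD groups, not local ones) and the managedBy attribute behind the Managed By tab on each authorized DHCP server's computer object. It assumes the DhcpServer and ActiveDirectory RSAT modules and an account with AD read rights; the helper name Get-EffectiveMembers is my own.

```powershell
# Added example (not from the thread): list who is effectively granted DHCP
# administration through the domain DHCP groups and through managedBy.
# Assumes RSAT modules DhcpServer and ActiveDirectory and AD read rights.
Import-Module DhcpServer, ActiveDirectory -ErrorAction Stop

# Resolve a user or group DN to a flat list of member sAMAccountNames
function Get-EffectiveMembers([string]$dn) {
    if (-not $dn) { return @() }
    $obj = Get-ADObject -Identity $dn -Properties objectClass
    if ($obj.objectClass -eq 'group') {
        return (Get-ADGroupMember -Identity $dn -Recursive |
                Select-Object -ExpandProperty SamAccountName)
    }
    return @($obj.Name)
}

# Domain-wide DHCP groups: reported empty in the thread, but verify rather than assume
foreach ($g in 'DHCP Administrators', 'DHCP Users') {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    $m = if ($grp) { Get-EffectiveMembers $grp.DistinguishedName } else { @() }
    "{0}: {1}" -f $g, $(if ($m) { $m -join ', ' } else { '<empty>' })
}

# Per server: the managedBy attribute on the computer object (Managed By tab)
$report = foreach ($srv in Get-DhcpServerInDC) {
    $comp = Get-ADComputer -Filter "dNSHostName -eq '$($srv.DnsName)'" -Properties managedBy
    [pscustomobject]@{
        Server    = $srv.DnsName
        ManagedBy = $comp.managedBy
        Members   = ((Get-EffectiveMembers $comp.managedBy) -join ', ')
    }
}

$report | Sort-Object Server | Format-Table -AutoSize

# Servers whose Managed By resolves to real accounts are the ones to review first
$report | Where-Object { $_.Members } |
    ForEach-Object { Write-Warning "$($_.Server): Managed By resolves to $($_.Members)" }
```

Run it from a management host; the warning lines are the servers to compare against the four the thread describes.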
 
insyncguyAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for insyncguy's comment #a39896394

for the following reason:

ARNOLD stayed with me through this issue.
0
 
arnoldCommented:
I'm sure you were thinking of selecting some of my comments as helping you resolve this issue.
0
