Solved

Disabled machine still getting dhcp address?

Posted on 2014-10-03
242 Views
Last Modified: 2014-10-21
Good Morning Experts,

I am hoping you can help me with this, I am stuck.

I have a system that was in our active directory that has been turned off and I thought was no longer here (there is a lot of them, a lot of people left and the systems are gone).

Recently this system was turned on and I see it hitting Active Directory trying to authenticate.  I can ping it but can't reach it to do anything, it's been over 90 days so AD isn't letting it.

DHCP is?   Why and how can I stop it?  I could not figure out why it was getting an address so I created an IPsec policy and blocked that IP, that worked but it renewed last night and was able to obtain another address.

Why on earth would DHCP continue to lease out an IP address if the machine is disabled and how can I stop this?  It's driving me bonkers.

Thank you,

Karen
Question by:klsphotos
15 Comments
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 40359307
DHCP does not require any authentication. That is by design. So it'll hand out an address to any device that asks for one. The device does not even need to be in AD.
0
 

Author Comment

by:klsphotos
ID: 40359319
That is crazy to me...at least I know now you can't, I have been looking.  How can I block this system from our network then?
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 250 total points
ID: 40359333
0

 
LVL 9

Expert Comment

by:dlb6597
ID: 40359364
the best thing is to go retrieve the machine and properly retire it. You can use MAC address filtering as suggested above. You can create a bogus DHCP reservation for the MAC of the machine...but there is nothing preventing someone from hard-coding a valid address. Not sure what type of environment you are in, but this is definitely a security risk having an un-managed workstation connected to your network.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40359381
"That is crazy to me"
DHCP is not a function of Windows, rather it is a service that windows allows you to run on one of its servers. Windows/AD/DHCP are not functionally related to each other.
0
 

Author Comment

by:klsphotos
ID: 40359457
ok, I am on the TechNet article and I do not have filters?  I could do MAC address filtering but unless I need to get more coffee, I am not seeing Filters anywhere in DHCP?

I am unable to locate this system to do it properly, that is why I am really concerned and want to shut it down.  We recently leased out space that we previously used and I am thinking it may have been one left behind and turned on there, or worse.  Going to this business to find out is not an option, I want to do it from within.

Thank you,

Karen
0
 

Author Comment

by:klsphotos
ID: 40359483
ok, apparently I need the MAC filtering callout tool.  I am on Server 2008, not R2.  It's no longer available.  Ugh!
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359507
as pointed out before, simply preventing the machine from obtaining an IP address is really not buying you anything from a security point of view. If in fact this machine is in a space that you have leased to another company, that is an even bigger reason to retrieve the machine...unless security in your environment is not important...just my opinion :-)
0
 

Author Comment

by:klsphotos
ID: 40359545
Going over there is not an option.  From what I just saw, if I used MAC filtering through DHCP and selected all the current systems and added them to the allow, added this one to the deny, wouldn't that resolve the issue?   I want to lock this down for good.
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359574
no, that will only prevent the workstation in question from obtaining a valid IP address from your DHCP server. That doesn't prevent someone from manually entering a valid IP address...then they have free rein to run whatever they want. That workstation will be unmanaged (unpatched for vulnerabilities)...if someone happened to plug in an infected USB device or browse to a malicious site...then the malware also has free rein on your network.  Obviously that is a worst-case scenario, but you never know.
0
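Added example, not from the thread or any of its participants: a PowerShell function that walks a Windows DHCP server audit log (DhcpSrvLog-*.log under %windir%\System32\dhcp) and lists every MAC that obtained or renewed a lease without being on a list of machines you can account for, which is how you pin down the stray client's MAC and address before acting on the switch port. The sample log lines, hostnames, addresses and MACs are constructed placeholders.

```powershell
# Event IDs the DHCP server writes to its audit log (subset used here)
$EventNames = @{ 10 = 'New lease'; 11 = 'Renewal'; 12 = 'Release'; 15 = 'Denied' }

function Get-UnknownLeaseClients {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,   # lines of DhcpSrvLog-*.log
        [Parameter(Mandatory)] [string[]] $KnownMacs   # MACs of systems you can account for
    )
    # Normalise "01-23-45-67-89-AB" / "01:23:..." to the log's bare-hex form
    $known = $KnownMacs | ForEach-Object { ($_ -replace '[:-]', '').ToUpper() }

    $records = foreach ($line in $LogLines) {
        if ($line -notmatch '^\d+,') { continue }   # skip the legend/header block
        $f = $line -split ','
        # Columns: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
        [pscustomobject]@{
            EventId = [int]$f[0]
            Event   = $EventNames[[int]$f[0]]
            Date    = $f[1]; Time = $f[2]
            IP      = $f[4]; Host = $f[5]
            Mac     = $f[6].ToUpper()
        }
    }
    # Only leases actually handed out (10) or renewed (11) to MACs you cannot account for
    $records |
        Where-Object { $_.EventId -in @(10, 11) -and $known -notcontains $_.Mac } |
        Group-Object Mac |
        ForEach-Object {
            $last = $_.Group | Select-Object -Last 1
            [pscustomobject]@{
                Mac       = $_.Name
                Events    = $_.Count
                Addresses = ($_.Group.IP | Select-Object -Unique) -join ', '
                Hostname  = $last.Host
                LastSeen  = "$($last.Date) $($last.Time)"
            }
        }
}

# Constructed sample in the audit-log layout (placeholder values, not real data)
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID
00,10/02/14,23:59:01,Started,,,,,0,6,,,
11,10/03/14,07:12:44,Renew,10.0.0.21,KAREN-PC.example.local,0123456789AB,,0,0,,,
10,10/03/14,02:15:09,Assign,10.0.0.57,OLDBOX.example.local,AABBCCDDEEFF,,0,0,,,
11,10/03/14,02:15:10,Renew,10.0.0.57,OLDBOX.example.local,AABBCCDDEEFF,,0,0,,,
'@ -split "`r?`n"

# Real use: $log = Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-Fri.log"
Get-UnknownLeaseClients -LogLines $sampleLog -KnownMacs '01-23-45-67-89-AB' | Format-Table
```

The report gives you the MAC, the addresses it has held and the last time it was seen, which is what the switch's MAC address table needs to locate the port.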
 

Author Comment

by:klsphotos
ID: 40359726
ok, now I have to figure out what to do.
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359946
do you (or someone from your company) manage the network switch that this device is connected to? If so, at minimum I would disable that switch port...but if there are other switch ports in that location that are somehow able to access your environment then you need to address that (in my opinion).
0
 

Author Comment

by:klsphotos
ID: 40359992
Yes it was all set up prior to my arrival here.  I unplugged all the ports at the switch prior to them taking over the space but there were 2 I couldn't find.   I did not have any documentation on any port management and still don't.  I am concerned.
0
 

Expert Comment

by:jwchesley
ID: 40366397
perhaps a few obvious points, but:

 if you have 2 missing ports... can I assume that you mean you see more connected IPs than you can find cables or users??

- have you checked for a rogue wifi network?  maybe this was a laptop that was/is connecting to an AP in a closet or behind a dropped ceiling or somewhere... there are several phone apps that will show signal strength and other info to help track it down without walking around with a laptop.
- there may be an unmanaged switch under someone's desk or in a closet (or even sitting hidden in your wire closet) with an extra CPU connected that no-one is actually using or even thinking about but may have been recently plugged in/turned on by the cleaning crew.
- Do you have any backup log errors?  I suppose the previous admin may have had a separate server that sat powered down except for periodic backups?  
- Or, perhaps there is a dual-NIC file server that had one NIC unplugged and someone saw the loose cable and put it back in... that would probably be a best-case scenario: then you could re-authenticate it and get 2x throughput.

Unauthorized physical access to the network (wired or wireless) is a problem that needs tracking down.  Time to make your own network map and label everything.

Good luck
0
 

Author Comment

by:klsphotos
ID: 40394949
I am really embarrassed to say that this system was a system that was in my office.  I did check that system and it was asleep and I thought it was turned off.  It was an older one I was working on that got away from me.

So embarrassed and sorry for the trouble but I was relieved that I located the source.
0