Solved

Disabled machine still getting DHCP address?

Posted on 2014-10-03
Last Modified: 2014-10-21
Good Morning Experts,

I am hoping you can help me with this, I am stuck.

I have a system that was in our active directory that has been turned off and I thought was no longer here (there is a lot of them, a lot of people left and the systems are gone).

Recently this system was turned on and I see it hitting Active Directory trying to authenticate.  I can ping it but can't reach it to do anything; it's been over 90 days so AD isn't letting it.  

DHCP is?   Why and how can I stop it?  I could not figure out why it was getting an address so I created an IPsec policy and blocked that IP, that worked but it renewed last night and was able to obtain another address.

Why on earth would DHCP continue to lease out an IP address if the machine is disabled and how can I stop this?  It's driving me bonkers.  

Thank you,

Karen
Question by:klsphotos
15 Comments
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 40359307
DHCP does not require any authentication. That is by design. So it'll hand out an address to any device that asks for one. The device does not even need to be in AD.
0
 

Author Comment

by:klsphotos
ID: 40359319
That is crazy to me...at least I know now you can't, I have been looking.  How can I block this system from our network then?
0
 
LVL 22

Accepted Solution

by:Joseph Moody
Joseph Moody earned 1000 total points
ID: 40359333
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359364
the best thing is to go retrieve the machine and properly retire it. You can use MAC address filtering as suggested above. You can create a bogus DHCP reservation for the MAC of the machine...but there is nothing preventing someone from hard-coding a valid address. Not sure what type of environment you are in, but this is definitely a security risk having an un-managed workstation connected to your network.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40359381
"That is crazy to me"
DHCP is not a function of Windows, rather it is a service that Windows allows you to run on one of its servers. Windows/AD/DHCP are not functionally related to each other.
0
 

Author Comment

by:klsphotos
ID: 40359457
ok, I am on the TechNet article and I do not have filters?  I could do MAC address filtering but unless I need to get more coffee, I am not seeing Filters anywhere in DHCP?

I am unable to locate this system to do it properly, that is why I am really concerned and want to shut it down.  We recently leased out space that we previously used and I am thinking it may have been one left behind and turned on there, or worse.  Going to this business to find out is not an option, I want to do it from within.

Thank you,

Karen
0
 

Author Comment

by:klsphotos
ID: 40359483
ok, apparently I need the MAC filtering callout tool.  I am on Server 2008, not R2.  It's no longer available.  Ugh!
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359507
as pointed out before, simply preventing the machine from obtaining an IP address is really not buying you anything from a security point of view. If in fact this machine is in a space that you have leased to another company, that is an even bigger reason to retrieve the machine...unless security in your environment is not important...just my opinion :-)
0
 

Author Comment

by:klsphotos
ID: 40359545
Going over there is not an option.  From what I just saw, if I used MAC filtering through DHCP and selected all the current systems and added them to the allow list, and added this one to the deny list, wouldn't that resolve the issue?   I want to lock this down for good.
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359574
no, that will only prevent the workstation in question from obtaining a valid IP address from your DHCP server. That doesn't prevent someone from manually entering a valid IP address...then they have free rein to run whatever they want. That workstation will be unmanaged (unpatched for vulnerabilities)...if someone happened to plug in an infected USB device or browse to a malicious site...then the malware also has free rein on your network.  Obviously that is worst-case scenario, but you never know.
0
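As an added illustration of the gap dlb6597 describes (this is not code from the thread or from any poster), the script below reconciles a DHCP lease export against the `arp -a` table from a machine on the same segment. A DHCP deny filter only stops devices that ask the server for an address; a host that has been given a static address, or one served by some other DHCP server, still shows up in the ARP cache but has no lease, and that mismatch is what the script reports. It also answers the question Karen actually had: is the MAC of a machine we believe is retired still live on the wire? The lease export format ("ip,mac,hostname") and all sample rows are constructed for the example; the ARP excerpt follows the layout Windows `arp -a` prints.

```python
"""Reconcile a DHCP lease export against the ARP cache.

Goal: list live hosts whose MAC has no lease from our DHCP server (they are
statically addressed or got an address elsewhere), and confirm whether a
machine we believe is retired is still answering on the wire.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lease export (not from the thread): one "ip,mac,hostname"
# line per lease, as you might paste out of the DHCP console.
DHCP_LEASES = """\
192.168.10.20,00-1a-2b-3c-4d-01,finance-pc
192.168.10.21,00-1A-2B-3C-4D-02,karen-desktop
192.168.10.22,00-1a-2b-3c-4d-03,old-lab-box
"""

# Constructed excerpt laid out the way Windows `arp -a` prints its table.
ARP_OUTPUT = """\
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-50-56-aa-bb-01     dynamic
  192.168.10.20         00-1a-2b-3c-4d-01     dynamic
  192.168.10.22         00-1a-2b-3c-4d-03     dynamic
  192.168.10.77         00-1a-2b-3c-4d-99     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$")
BROADCAST = "ff-ff-ff-ff-ff-ff"


def norm_mac(mac: str) -> str:
    """Lower-case, dash-separated form so 00:1A:2B... and 00-1a-2b... compare equal."""
    m = mac.strip().lower().replace(":", "-")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def parse_leases(text: str) -> Dict[str, Tuple[str, str]]:
    """Map MAC -> (leased IP, hostname) from the simple export above."""
    leases: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, host = (p.strip() for p in line.split(",", 2))
        leases[norm_mac(mac)] = (ip, host)
    return leases


def parse_arp(text: str) -> Dict[str, str]:
    """Map MAC -> IP for real hosts in `arp -a` output; drop broadcast/multicast rows."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows have exactly three columns: ip, mac, type
        if len(parts) != 3 or not MAC_RE.match(parts[1].lower()):
            continue
        ip, mac, _kind = parts
        if mac.lower() == BROADCAST or 224 <= int(ip.split(".")[0]) <= 239:
            continue
        seen[norm_mac(mac)] = ip
    return seen


def unleased_hosts(leases: Dict[str, Tuple[str, str]], arp: Dict[str, str],
                   known_infra: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """(ip, mac) pairs that are live but hold no lease from us.

    A DHCP deny filter cannot stop these: they were addressed by hand or by
    another DHCP server. Routers and other statically addressed gear you
    manage go in known_infra so they are not reported."""
    infra = {norm_mac(m) for m in known_infra}
    return sorted((ip, mac) for mac, ip in arp.items()
                  if mac not in leases and mac not in infra)


def still_live(mac: str, arp: Dict[str, str]) -> bool:
    """True if the MAC of a supposedly retired machine is in the ARP cache."""
    return norm_mac(mac) in arp


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    arp = parse_arp(ARP_OUTPUT)
    for ip, mac in unleased_hosts(leases, arp, known_infra=("00-50-56-aa-bb-01",)):
        print(f"no lease for {ip} ({mac}): static address or foreign DHCP?")
    retired = "00-1A-2B-3C-4D-03"  # old-lab-box, the machine we thought was off
    print(f"{retired} still live: {still_live(retired, arp)}")
```

Run it with a real lease export and the output of `arp -a` taken from a host on the same VLAN (the ARP cache only knows about hosts that machine has recently talked to, so ping-sweep the subnet first or pull the table from the core switch instead). Anything it lists under "no lease" is exactly what MAC filtering at the DHCP server will never touch; those are the ones that need a switch-port answer.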
 

Author Comment

by:klsphotos
ID: 40359726
ok, now I have to figure out what to do now.
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359946
do you (or someone from your company) manage the network switch that this device is connected to? If so, at minimum I would disable that switch port...but if there are other switch ports in that location that are somehow able to access your environment then you need to address that (in my opinion).
0
 

Author Comment

by:klsphotos
ID: 40359992
Yes it was all set up prior to my arrival here.  I unplugged all the ports at the switch prior to them taking over the space but there were 2 I couldn't find.   I did not have any documentation on any port management and still don't.  I am concerned.
0
 

Expert Comment

by:jwchesley
ID: 40366397
perhaps a few obvious points, but:

if you have 2 missing ports... can I assume that you mean you see more connected IPs than you can find cables or users?

- have you checked for a rogue wifi network?  maybe this was a laptop that was/is connecting to an AP in a closet or behind a dropped ceiling or somewhere... there are several phone apps that will show signal strength and other info to help track it down without walking around with a laptop.
- there may be an unmanaged switch under someone's desk or in a closet (or even sitting hidden in your wire closet) with an extra CPU connected that no one is actually using or even thinking about but may have been recently plugged in/turned on by the cleaning crew.
- Do you have any backup log errors?  I suppose the previous admin may have had a separate server that sat powered down except for periodic backups?  
- Or, perhaps there is a dual-NIC file server that had one NIC unplugged and someone saw the loose cable and put it back in... that would probably be a best-case scenario: then you could re-authenticate it and get 2x throughput.

Unauthorized physical access to the network (wired or wireless) is a problem that needs tracking down.  Time to make your own network map and label everything.

Good luck
0
 

Author Comment

by:klsphotos
ID: 40394949
I am really embarrassed to say that this system was a system that was in my office.  I did check that system and it was asleep and I thought it was turned off.  It was an older one I was working on that got away from me.

So embarrassed and sorry for the trouble but I was relieved that I located the source.
0
