Solved

Disabled machine still getting dhcp address?

Posted on 2014-10-03
247 Views
Last Modified: 2014-10-21
Good Morning Experts,

I am hoping you can help me with this, I am stuck.

I have a system that was in our active directory that has been turned off and I thought was no longer here (there is a lot of them, a lot of people left and the systems are gone).

Recently this system was turned on and I see it hitting Active Directory trying to authenticate. I can ping it but can't reach it to do anything; it's been over 90 days so AD isn't letting it.

DHCP is? Why and how can I stop it? I could not figure out why it was getting an address so I created an IPsec policy and blocked that IP. That worked, but it renewed last night and was able to obtain another address.

Why on earth would DHCP continue to lease out an IP address if the machine is disabled, and how can I stop this? It's driving me bonkers.

Thank you,

Karen
0
Comment
Question by:klsphotos
15 Comments
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 40359307
DHCP does not require any authentication. That is by design. So it'll hand out an address to any device that asks for one. The device does not even need to be in AD.
0
 

Author Comment

by:klsphotos
ID: 40359319
That is crazy to me...at least I know now you can't, I have been looking.  How can I block this system from our network then?
0
 
LVL 22

Accepted Solution

by:Joseph Moody
Joseph Moody earned 250 total points
ID: 40359333
0

 
LVL 9

Expert Comment

by:dlb6597
ID: 40359364
the best thing is to go retrieve the machine and properly retire it. You can use MAC address filtering as suggested above. You can create a bogus DHCP reservation for the MAC of the machine...but there is nothing preventing someone from hard-coding a valid address. Not sure what type of environment you are in, but this is definitely a security risk having an un-managed workstation connected to your network.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40359381
"That is crazy to me"
DHCP is not a function of Windows, rather it is a service that windows allows you to run on one of its servers. Windows/AD/DHCP are not functionally related to each other.
0
 

Author Comment

by:klsphotos
ID: 40359457
ok, I am on the TechNet article and I do not have filters? I could do MAC address filtering but, unless I need to get more coffee, I am not seeing Filters anywhere in DHCP?

I am unable to locate this system to do it properly; that is why I am really concerned and want to shut it down. We recently leased out space that we previously used and I am thinking it may have been one left behind and turned on there, or worse. Going to this business to find out is not an option, I want to do it from within.

Thank you,

Karen
0
 

Author Comment

by:klsphotos
ID: 40359483
ok, apparently I need the MAC filtering callout tool. I am on Server 2008, not R2. It's no longer available. Ugh!
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359507
as pointed out before, simply preventing the machine from obtaining an IP address is really not buying you anything from a security point of view. If in fact this machine is in a space that you have leased to another company, that is an even bigger reason to retrieve the machine...unless security in your environment is not important...just my opinion :-)
0
 

Author Comment

by:klsphotos
ID: 40359545
Going over there is not an option. From what I just saw, if I used MAC filtering through DHCP and selected all the current systems and added them to the allow list, and added this one to the deny list, wouldn't that resolve the issue? I want to lock this down for good.
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359574
no, that will only prevent the workstation in question from obtaining a valid IP address from your DHCP server. That doesn't prevent someone from manually entering a valid IP address...then they have free rein to run whatever they want. That workstation will be unmanaged (unpatched for vulnerabilities)...if someone happened to plug in an infected USB device or browse to a malicious site...then the malware also has free rein on your network. Obviously that is a worst-case scenario, but you never know.
0
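The two replies above point the same way: a DHCP deny filter (or a bogus reservation) stops the lease, but the server's own audit log is what tells you which unrecognised hardware is actually being handed addresses, and a statically configured host never shows up there at all. The script below is an added example, not code from the thread or from Microsoft: it reads the comma-separated layout of a Windows DHCP server audit log (DhcpSrvLog-*.log, assumed here to be `ID,Date,Time,Description,IP Address,Host Name,MAC Address,...`), keeps only the new-lease (ID 10) and renewal (ID 11) events, and reports every MAC that is not in an inventory of known devices. The log lines and the inventory are constructed sample data.

```python
"""Triage a Windows DHCP server audit log for leases handed to MAC
addresses that are not in a known-device inventory.

Added example, not from the original thread. Assumptions: the audit log
uses the comma-separated layout 'ID,Date,Time,Description,IP Address,
Host Name,MAC Address,...' and the inventory is a set of MACs the admin
maintains (for instance exported from DHCP reservations). All sample
data below is constructed."""
import csv
import io
from collections import defaultdict

# Audit-log event IDs that mean a client obtained or kept an address.
LEASE_EVENTS = {"10": "new lease", "11": "renewal"}

# Constructed sample log in the DhcpSrvLog layout (not a real capture).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,10/02/14,23:59:01,Started,,,,
10,10/03/14,07:42:10,Assign,10.0.0.51,WKS-FRONTDESK.corp.example,00155D0A1B2C,
11,10/03/14,07:55:31,Renew,10.0.0.52,WKS-KAREN.corp.example,00155D0A1B2D,
10,10/03/14,08:01:07,Assign,10.0.0.77,OLDPC-07.corp.example,00155D0A99EE,
11,10/04/14,03:12:44,Renew,10.0.0.77,OLDPC-07.corp.example,00155D0A99EE,
"""

# Constructed inventory of MACs the admin recognises (assumed, not from the thread).
KNOWN_MACS = {"00:15:5D:0A:1B:2C", "00-15-5d-0a-1b-2d"}


def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits so any separator style compares equal."""
    return "".join(c for c in mac.upper() if c in "0123456789ABCDEF")


def parse_dhcp_audit_log(text):
    """Yield one dict per lease/renewal event; header and service lines are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue
        yield {
            "event": LEASE_EVENTS[row[0]],
            "date": row[1],
            "time": row[2],
            "ip": row[4],
            "host": row[5],
            "mac": normalize_mac(row[6]),
        }


def find_unknown_devices(text, known_macs):
    """Group lease events by MAC and return only the MACs absent from the inventory.

    Result shape: {mac: {"hosts": set, "ips": set, "events": [(date, time, event), ...]}}
    """
    known = {normalize_mac(m) for m in known_macs}
    unknown = defaultdict(lambda: {"hosts": set(), "ips": set(), "events": []})
    for ev in parse_dhcp_audit_log(text):
        if ev["mac"] in known:
            continue
        entry = unknown[ev["mac"]]
        entry["hosts"].add(ev["host"])
        entry["ips"].add(ev["ip"])
        entry["events"].append((ev["date"], ev["time"], ev["event"]))
    return dict(unknown)


def report(text, known_macs):
    """Print a short triage summary and return the number of unrecognised MACs."""
    unknown = find_unknown_devices(text, known_macs)
    for mac, info in sorted(unknown.items()):
        print(f"unknown MAC {mac}: hosts={sorted(info['hosts'])} ips={sorted(info['ips'])}")
        for date, time, event in info["events"]:
            print(f"    {date} {time}  {event}")
    if not unknown:
        print("no leases to unrecognised MACs")
    # Caveat raised in the thread: a host with a manually set static address
    # never appears in this log, so an empty report does not mean the segment is clean.
    return len(unknown)


if __name__ == "__main__":
    report(SAMPLE_LOG, KNOWN_MACS)
```

Run against the constructed sample it flags the single unknown MAC with the two addresses-over-time lines an admin needs to correlate with switch port tables. The inventory is normalised before comparison so a reservation list exported with colons or dashes still matches the separator-free MACs the audit log writes.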
 

Author Comment

by:klsphotos
ID: 40359726
ok, now I have figured out what to do.
0
 
LVL 9

Expert Comment

by:dlb6597
ID: 40359946
do you (or someone from your company) manage the network switch that this device is connected to? If so, at minimum I would disable that switch port...but if there are other switch ports in that location that are somehow able to access your environment then you need to address that (in my opinion).
0
 

Author Comment

by:klsphotos
ID: 40359992
Yes it was all set up prior to my arrival here.  I unplugged all the ports at the switch prior to them taking over the space but there were 2 I couldn't find.   I did not have any documentation on any port management and still don't.  I am concerned.
0
 

Expert Comment

by:jwchesley
ID: 40366397
perhaps a few obvious points, but:

 if you have 2 missing ports... can I assume that you mean you see more connected IPs than you can find cables or users??

- have you checked for a rogue wifi network?  maybe this was a laptop that was/is connecting to an AP in a closet or behind a dropped ceiling or somewhere... there are several phone apps that will show signal strength and other info to help track it down without walking around with a laptop.
- there may be an unmanaged switch under someone's desk or in a closet (or even sitting hidden in your wire closet) with an extra CPU connected that no one is actually using or even thinking about, but that may have been recently plugged in/turned on by the cleaning crew.
- Do you have any backup log errors?  I suppose the previous admin may have had a separate server that sat powered down except for periodic backups?  
- Or, perhaps there is a dual-NIC file server that had one NIC unplugged and someone saw the loose cable and put it back in... that would probably be a best-case scenario: then you could re-authenticate it and get 2x throughput.

Unauthorized physical access to the network (wired or wireless) is a problem that needs tracking down.  Time to make your own network map and label everything.

Good luck
0
 

Author Comment

by:klsphotos
ID: 40394949
I am really embarrassed to say that this system was a system that was in my office. I did check that system and it was asleep and I thought it was turned off. It was an older one I was working on that got away from me.

So embarrassed and sorry for the trouble but I was relieved that I located the source.
0
