Solved

Disabled machine still getting dhcp address?

Posted on 2014-10-03
Last Modified: 2014-10-21
Good Morning Experts,

I am hoping you can help me with this, I am stuck.

I have a system that was in our Active Directory that has been turned off and I thought was no longer here (there are a lot of them, a lot of people left and the systems are gone).

Recently this system was turned on and I see it hitting Active Directory trying to authenticate. I can ping it but can't reach it to do anything, it's been over 90 days so AD isn't letting it.

DHCP is? Why and how can I stop it? I could not figure out why it was getting an address so I created an IPsec policy and blocked that IP, that worked but it renewed last night and was able to obtain another address.

Why on earth would DHCP continue to lease out an IP address if the machine is disabled and how can I stop this? It's driving me bonkers.

Thank you,

Karen
Question by:klsphotos
15 Comments
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
DHCP does not require any authentication. That is by design. So it'll hand out an address to any device that asks for one. The device does not even need to be in AD.

Author Comment

by:klsphotos
That is crazy to me...at least I know now you can't, I have been looking.  How can I block this system from our network then?
LVL 21

Accepted Solution

by:
Joseph Moody earned 250 total points
LVL 9

Expert Comment

by:dlb6597
The best thing is to go retrieve the machine and properly retire it. You can use MAC address filtering as suggested above. You can create a bogus DHCP reservation for the MAC of the machine...but there is nothing preventing someone from hard-coding a valid address. Not sure what type of environment you are in, but this is definitely a security risk having an unmanaged workstation connected to your network.
LVL 37

Expert Comment

by:Neil Russell
"That is crazy to me"
DHCP is not a function of Windows, rather it is a service that Windows allows you to run on one of its servers. Windows/AD/DHCP are not functionally related to each other.

Author Comment

by:klsphotos
OK, I am on the TechNet article and I do not have filters? I could do MAC address filtering but unless I need to get more coffee, I am not seeing Filters anywhere in DHCP?

I am unable to locate this system to do it properly, that is why I am really concerned and want to shut it down. We recently leased out space that we previously used and I am thinking it may have been one left behind and turned on there, or worse. Going to this business to find out is not an option, I want to do it from within.

Thank you,

Karen

Author Comment

by:klsphotos
OK, apparently I need the MAC filtering callout tool. I am on Server 2008, not R2. It's no longer available. Ugh!
LVL 9

Expert Comment

by:dlb6597
As pointed out before, simply preventing the machine from obtaining an IP address is really not buying you anything from a security point of view. If in fact this machine is in a space that you have leased to another company, that is an even bigger reason to retrieve the machine...unless security in your environment is not important...just my opinion :-)

Author Comment

by:klsphotos
Going over there is not an option. From what I just saw, if I used MAC filtering through DHCP and selected all the current systems and added them to the allow list, and added this one to the deny list, wouldn't that resolve the issue? I want to lock this down for good.
LVL 9

Expert Comment

by:dlb6597
No, that will only prevent the workstation in question from obtaining a valid IP address from your DHCP server. That doesn't prevent someone from manually entering a valid IP address...then they have free rein to run whatever they want. That workstation will be unmanaged (unpatched for vulnerabilities)...if someone happened to plug in an infected USB device or browse to a malicious site...then the malware also has free rein on your network. Obviously that is a worst-case scenario, but you never know.
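One way to see what a DHCP deny filter cannot stop, as an added example that is not code from any poster in this thread: reconcile the DHCP server's lease table against the default gateway's ARP cache, so a host that is on the segment without holding an active lease (a hand-typed static IP, or an expired lease still in use) stands out. The lease table, ARP cache, deny list and their field layouts are all constructed sample input.

```python
"""Reconcile the DHCP lease table against the gateway's ARP cache.

Added example. A DHCP MAC deny filter only stops a host from *leasing* an
address; a host with a hand-typed static IP still appears in the gateway's
ARP cache. Every table below is constructed sample input; layouts are ours.
"""

# Constructed lease table: (ip, mac, lease state), as exported from the server.
LEASES = [
    ("10.0.1.20", "00-1A-2B-3C-4D-01", "active"),
    ("10.0.1.21", "00-1A-2B-3C-4D-02", "active"),
    ("10.0.1.22", "00-1A-2B-3C-4D-03", "expired"),
]
# Constructed ARP cache from the default gateway: (ip, mac).
ARP_CACHE = [
    ("10.0.1.1", "0050.56aa.bb01"),           # the gateway itself, Cisco notation
    ("10.0.1.20", "00-1A-2B-3C-4D-01"),
    ("10.0.1.21", "00-1A-2B-3C-4D-02"),
    ("10.0.1.22", "00-1A-2B-3C-4D-03"),       # lease expired, still talking
    ("10.0.1.99", "00-1A-2B-3C-4D-FF"),       # never leased: hand-typed IP
]
DENY_FILTER = {"00-1A-2B-3C-4D-FF"}   # constructed: MACs on the DHCP deny list
KNOWN_STATIC = {"00:50:56:aa:bb:01"}  # constructed: gateway, static on purpose

def norm_mac(mac):
    """Normalise any common MAC notation to lowercase colon-separated form."""
    hexs = "".join(c for c in mac if c.isalnum()).lower()
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2))

def find_unleased_hosts(leases, arp_cache, deny_filter, known_static):
    """Return (ip, mac, reason) for hosts seen in ARP that hold no active lease."""
    active = {norm_mac(m) for _, m, state in leases if state == "active"}
    deny = {norm_mac(m) for m in deny_filter}
    expected = {norm_mac(m) for m in known_static}
    findings = []
    for ip, mac in arp_cache:
        m = norm_mac(mac)
        if m in expected or m in active:
            continue  # leased normally, or a device we know is static
        if m in deny:
            reason = "on DHCP deny filter yet present: static IP configured"
        else:
            reason = "no active lease: static IP or expired lease still in use"
        findings.append((ip, m, reason))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in find_unleased_hosts(
            LEASES, ARP_CACHE, DENY_FILTER, KNOWN_STATIC):
        print(f"{ip:<12} {mac}  {reason}")
```

Each finding is a candidate for the switch-port lookup suggested later in the thread; a host that keeps appearing here after being denied by DHCP is exactly the case the filter alone does not handle.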

Author Comment

by:klsphotos
OK, now I have to figure out what to do.
LVL 9

Expert Comment

by:dlb6597
Do you (or someone from your company) manage the network switch that this device is connected to? If so, at minimum I would disable that switch port...but if there are other switch ports in that location that are somehow able to access your environment then you need to address that (in my opinion).

Author Comment

by:klsphotos
Yes it was all set up prior to my arrival here.  I unplugged all the ports at the switch prior to them taking over the space but there were 2 I couldn't find.   I did not have any documentation on any port management and still don't.  I am concerned.

Expert Comment

by:jwchesley
Perhaps a few obvious points, but:

- If you have 2 missing ports... can I assume that you mean you see more connected IPs than you can find cables or users?
- Have you checked for a rogue wifi network? Maybe this was a laptop that was/is connecting to an AP in a closet or behind a dropped ceiling or somewhere... there are several phone apps that will show signal strength and other info to help track it down without walking around with a laptop.
- There may be an unmanaged switch under someone's desk or in a closet (or even sitting hidden in your wire closet) with an extra CPU connected that no one is actually using or even thinking about but may have been recently plugged in/turned on by the cleaning crew.
- Do you have any backup log errors?  I suppose the previous admin may have had a separate server that sat powered down except for periodic backups?  
- Or, perhaps there is a dual-NIC file server that had one NIC unplugged and someone saw the loose cable and put it back in... that would probably be a best-case scenario: then you could re-authenticate it and get 2x throughput.

Unauthorized physical access to the network (wired or wireless) is a problem that needs tracking down.  Time to make your own network map and label everything.

Good luck

Author Comment

by:klsphotos
I am really embarrassed to say that this system was a system that was in my office. I did check that system and it was asleep and I thought it was turned off. It was an older one I was working on that got away from me.

So embarrassed and sorry for the trouble but I was relieved that I located the source.