Thread: Solution to detect non-standard server or workstation on our LAN

  1. #1
    Join Date
    May 2008
    Posts
    16

    Solution to detect non-standard server or workstation on our LAN

    Hi, I am looking for a solution where we are able to detect any non-standard server or workstation on our LAN which has DHCP enabled. Most of our servers are located in the server farm and, as such, are fully patched against possible virus attacks. However, some users (frustrated developers) will insist on turning their workstations or other devices into Microsoft servers and use DHCP to receive an IP address.

    Are there any good scanning tools (non-intrusive) out there which will help detect these "rogue" devices and remove their network access?

  2. #2
    Join Date
    May 2008
    Posts
    20
    This is a built-in function in many Cisco switches (the command on IOS-equipped Cisco switches is "ip dhcp snooping", and on the ports connected to trusted DHCP servers, "ip dhcp snooping trust" and so on). DHCP responses from untrusted servers (or, rather, DHCP responses received on switch ports that don't have "ip dhcp snooping trust" enabled) are dropped.

    There are other tools available that will pick up DHCP servers. Fluke Network's OptiView Console software will do it but it can be quite costly. The free network scanning tool nmap will also, I'm pretty sure, pick up DHCP servers.

    Off the top of my head I don't know of any tools that will then take that information and automatically shut down the switch port - even the Cisco DHCP snooping command will only drop the packets, not the connection.

    You could knock up a script in Perl or Python to do it (take the output from nmap, parse it to see if it has picked up any DHCP servers, get the MAC address for the unwanted server, compare it to your switch's bridge forwarding tables using SNMP to get the port, then use SNMP again to shut the port down). It's not an impossible job, although if you haven't used SNMP before, it can be a bit daunting. It might be safer to just have a script that regularly runs nmap and sends an email to you if it finds an unwanted DHCP server.

    Or, you could look at the problem another way. I'm not a Windows expert but I'd be surprised if there wasn't a way, through policies, SMS etc, to disable the DHCP Server service entirely. If your developers complain that they need full and complete access to all potential services on their PCs to do their job (which, to be fair, some developers may well do) then I'd lobby hard to get the funds to build them a private development network. They can then do whatever the hell they want on that, while allowing you to keep the main office network working.

    Another thought; I think you can get at the list of running services on a remote box using WMI. Have a look at www.sysinternals.com and, in particular, the PSTools suite. I'm pretty sure there's enough in that suite of tools alone to allow you to find out if a given machine is running a DHCP server service and then to kill that process (provided you've got appropriate rights).

    Regards,
    Florence
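
The alert-only script suggested in reply #2, as an added example that is not part of the original thread: it parses text in the layout printed by nmap's `broadcast-dhcp-discover` script, flags offers from servers outside an allow-list, and builds the notification e-mail without sending it. The sample output, the addresses and the `AUTHORISED` set are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Assumption: the site's authorised DHCP servers (constructed address).
AUTHORISED = {"10.0.0.5"}

# Constructed sample in the layout of nmap's broadcast-dhcp-discover output;
# not captured from a real network.
SAMPLE = """\
| broadcast-dhcp-discover:
|   Response 1 of 2:
|     IP Offered: 10.0.0.120
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 10.0.0.5
|   Response 2 of 2:
|     IP Offered: 192.168.137.23
|     DHCP Message Type: DHCPOFFER
|_    Server Identifier: 192.168.137.1
"""

# Indented "Key: value" lines inside the script's output block.
FIELD = re.compile(r"^\|[_ ]\s+([^:]+):\s*(.*)$")

def parse_offers(text):
    """Return one dict of fields per 'Response N of M' block."""
    offers = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key.startswith("Response "):
            offers.append({})          # a new DHCPOFFER starts here
        elif offers:
            offers[-1][key] = value
    return offers

def rogue_servers(offers, authorised=AUTHORISED):
    """Offers whose Server Identifier is missing or not on the allow-list."""
    return [o for o in offers if o.get("Server Identifier") not in authorised]

def build_alert(rogues, sender, recipient):
    """Build (not send) the notification; None when nothing was found."""
    if not rogues:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"Unauthorised DHCP server(s) seen: {len(rogues)}"
    msg.set_content("\n".join(
        f"server {o.get('Server Identifier', '?')} offered {o.get('IP Offered', '?')}"
        for o in rogues))
    return msg
```

To deliver the alert, pass the returned message to `smtplib.SMTP(...).send_message()` from a scheduled job that feeds the scan output to `parse_offers`.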

  3. #3
    Join Date
    May 2008
    Posts
    219
    Yes, should be pretty straightforward to do via AD policies. The only issue you have is where someone connects to your network but doesn't log into the domain (assuming you permit such usage - e.g. for visitors) - in which case you need to use tools like those Matthew describes to actively look for servers.

    Philip

  4. #4
    Join Date
    May 2008
    Posts
    20
    Trying hard not to push Cisco, but their Network Admission Control may be an option. You have to put software on all your 'legal' PCs etc, but it works by interrogating any device that tries to get onto the network to see if it has your corporate AV software, all the right levels and patches etc - if not, the switch port stops all access. So anyone with a non-standard device can't get network connectivity.
