Solution to detect non-standard server or workstation on our LAN
  #1  
Old 03-06-2008
Member
 
Join Date: May 2008
Posts: 16
Solution to detect non-standard server or workstation on our LAN
  

Hi, I am looking for a solution where we are able to detect any non-standard server or workstation on our LAN which has DHCP enabled. Most of our servers are located in the server farm and, as such, are fully patched against possible virus attacks. However, some users (frustrated developers) will insist on turning their workstations or other devices into Microsoft servers and using DHCP to receive an IP address.

Are there any good (non-intrusive) scanning tools out there which will help detect these "rogue" devices and remove their network access?

  #2  
Old 03-06-2008
Member
 
Join Date: May 2008
Posts: 20
This is a built-in function in many Cisco switches (the command on IOS-equipped Cisco switches is "ip dhcp snooping", and on the ports connected to trusted DHCP servers, "ip dhcp snooping trust" and so on). DHCP responses from untrusted servers (or, rather, DHCP responses received on switch ports that don't have "ip dhcp snooping trust" enabled) are dropped.

There are other tools available that will pick up DHCP servers. Fluke Network's OptiView Console software will do it but it can be quite costly. The free network scanning tool nmap will also, I'm pretty sure, pick up DHCP servers.

Off the top of my head I don't know of any tools that will then take that information and automatically shut down the switch port - even the Cisco DHCP snooping command will only drop the packets, not the connection.

You could knock up a script in Perl or Python to do it (take the output from nmap, parse it to see if it has picked up any DHCP servers, get the MAC address for the unwanted server, compare it to your switch's bridge forwarding tables using SNMP to get the port, then use SNMP again to shut the port down). It's not an impossible job, although if you haven't used SNMP before, it can be a bit daunting. It might be safer to just have a script that regularly runs nmap and sends an email to you if it finds an unwanted DHCP server.

Or, you could look at the problem another way. I'm not a Windows expert but I'd be surprised if there wasn't a way, through policies, SMS etc, to disable the DHCP Server service entirely. If your developers complain that they need full and complete access to all potential services on their PCs to do their job (which, to be fair, some developers may well do) then I'd lobby hard to get the funds to build them a private development network. They can then do whatever the hell they want on that, while allowing you to keep the main office network working.

Another thought: I think you can get at the list of running services on a remote box using WMI. Have a look at www.sysinternals.com and, in particular, the PSTools suite. I'm pretty sure there's enough in that suite of tools alone to allow you to find out if a given machine is running a DHCP server service and then to kill that process (provided you've got appropriate rights).

Regards,
Florence
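The detection half of the script sketched in the post above, as an added example that is not part of the original thread: instead of parsing nmap output it takes captured DHCP reply payloads (the UDP payload of each frame seen on port 68), pulls the message type (option 53) and the server identifier (option 54, falling back to siaddr), and reports any server not on an allowlist of trusted DHCP servers. The trusted address 10.0.0.1, the rogue address 10.0.0.77 and the client MAC are constructed sample values; `build_offer` only exists to fabricate test packets offline. The option-54 value is written by the server itself, so a switch-side approach like DHCP snooping, which ties the offer to the ingress port rather than to a field the server controls, remains the stronger control; the source MAC for the SNMP bridge-table lookup comes from the Ethernet header, which is outside this payload parser.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie that precedes the options
BOOTP_HEADER_LEN = 236                      # fixed BOOTP header before the cookie
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 6: "DHCPNAK"}

# Constructed allowlist for this example: the DHCP servers in the server farm.
TRUSTED_SERVERS = {"10.0.0.1"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP header and DHCP option list from a UDP payload."""
    if len(payload) < BOOTP_HEADER_LEN + 4 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr/yiaddr/siaddr/giaddr are four consecutive IPv4 fields at offset 12.
    ciaddr, yiaddr, siaddr, giaddr = (str(IPv4Address(payload[o:o + 4]))
                                      for o in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]          # client hardware address (hlen bytes of 16)
    options = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad byte
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr,
            "chaddr": chaddr.hex(":"), "options": options}


def classify(pkt: dict, trusted=TRUSTED_SERVERS) -> dict:
    """Name the message type and decide whether the answering server is trusted."""
    mtype = pkt["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0]
    server_id = pkt["options"].get(OPT_SERVER_ID)
    server = str(IPv4Address(server_id)) if server_id and len(server_id) == 4 else pkt["siaddr"]
    return {"type": MSG_TYPES.get(mtype, f"UNKNOWN({mtype})"),
            "server": server,
            "trusted": server in trusted}


def find_rogue_servers(payloads, trusted=TRUSTED_SERVERS) -> list:
    """Return the server identifiers of untrusted DHCP servers, in first-seen order."""
    rogues = []
    for payload in payloads:
        try:
            verdict = classify(parse_dhcp(payload), trusted)
        except ValueError:
            continue                        # not DHCP, or malformed: skip, do not crash the monitor
        if verdict["type"] in ("DHCPOFFER", "DHCPACK") and not verdict["trusted"]:
            if verdict["server"] not in rogues:
                rogues.append(verdict["server"])
    return rogues


def build_offer(server_ip: str, offered_ip: str, client_mac: bytes) -> bytes:
    """Constructed DHCPOFFER for offline testing (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op=BOOTREPLY
    hdr += b"\x00" * 4                                 # ciaddr
    hdr += IPv4Address(offered_ip).packed              # yiaddr
    hdr += IPv4Address(server_ip).packed               # siaddr
    hdr += b"\x00" * 4                                 # giaddr
    hdr += client_mac + b"\x00" * (16 - len(client_mac))   # chaddr padded to 16 bytes
    hdr += b"\x00" * 64 + b"\x00" * 128                # sname, file
    opts = (bytes([OPT_MESSAGE_TYPE, 1, 2])            # DHCPOFFER
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
            + b"\x01\x04\xff\xff\xff\x00"              # subnet mask
            + b"\xff")
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"
    captured = [build_offer("10.0.0.1", "10.0.0.50", mac),
                build_offer("10.0.0.77", "10.0.0.51", mac)]
    print("rogue DHCP servers:", find_rogue_servers(captured))
```

Feed `find_rogue_servers` the DHCP payloads from a capture (or from a periodic DHCPDISCOVER probe) and hand its output to whatever you already use for alerting; the email-on-detection approach suggested above needs nothing more than this list.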
  #3  
Old 03-06-2008
Member
 
Join Date: May 2008
Posts: 219
Yes, should be pretty straightforward to do via AD policies. The only issue you have is where someone connects to your network but doesn't log into the domain (assuming you permit such usage - e.g. for visitors) - in which case you need to use tools like those Matthew describes to actively look for servers.

Philip
  #4  
Old 03-06-2008
Member
 
Join Date: May 2008
Posts: 20
Trying hard not to push Cisco, but their Network Admission Control may be an option. You have to put software on all your 'legal' PCs etc., but it works by interrogating any device that tries to get onto the network to see if it has your corporate AV software, all the right levels and patches etc. - if not, the switch port stops all access. So anyone with a non-standard device can't get network connectivity.