Your point about crippling a DHCP server is kind of moot. A user-mode
application could simply send unicast DHCP requests without the need to be
running as administrator. Most DHCP client implementations will send from
source port 68, but it is not a requirement that they do as per the RFC.
As far as the local system denial of service, I agree that there are
security concerns involved with regards to server machines. These machines
should be locked down, and the release/renew functionality SHOULD only be
accessable to administrators. However, my response was geared toward the
common case. The common case is that which involves employee workstations
and home computers where a user will not necessarily have administrative
access, but still need to be in control, to some extent, of their network
connection. There is no security issue in the common case that I can think
of with regards to allowing a user to release/renew their IP address on any
given adapter.
The bottom line is this:
It is bad to allow users to release/renew in a server environment.
It is perfectly fine to allow users to do this in a client environment.
Denial of Service against the DHCP server is irrelevant in my opinion as per
my first statement.
In the end, though, it really goes back to what the original poster is
looking to do. 
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Roddy, Mark
Sent: Monday, July 28, 2003 12:49 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Why I can’t call IPHelp API IpRenewAddress withou t
Administrator rights under Windows 2000?
There are lots of ways to cripple a system that you have physical access to,
and last I heard you have to be physically present (in some sense,) to pull
the network cable.
You are allowing a possible attack against the network dhcp server. You are
allowing an interruption in network access on the local system - so other
programs running on the system may experience a loss of network
connectivity. Renew might be relatively harmless but try releasing your dhcp
lease in a loop and get back to me about how safe this is on a multi-user
system running networked applications. I’ve seen corporate networks crippled
by inadvertant thrashing of the dhcp server. Consider a virus that
propagates dhcp release loops on many systems within a network.
Oh the answer is both network and system denial of service.
=====================
Mark Roddy
Hollis Technology Solutions
www.hollistech.com
xxxxx@hollistech.com
-----Original Message-----
From: Matt Miller [mailto:xxxxx@positivenetworks.net]
Sent: Monday, July 28, 2003 11:47 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Why I can’t call IPHelp API IpRenewAddress without
Administrator rights under Windows 2000?
How? By allowing a user to call IpRenewAddress? Are you talking in terms
of a network level denial of service or system level? Assuming you’re
talking denial of service against the DHCP server, I could emulate this same
denial of service attack without administrative privs by constantly
unplugging/replugging in the ethernet cable to my NIC, assuming auto DHCP on
link-up is enabled (which it is by default in 2K/XP). As far as system
level denial of service, there are far worse things you could do to a system
with user privs than calling IpRenewAddress/IpReleaseAddress a bunch of
times
Can you clarify what you mean?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Roddy, Mark
Sent: Monday, July 28, 2003 10:32 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Why I can’t call IPHelp API IpRenewAddress withou t
Administrator rights under Windows 2000?
Actually I think that you do not want anyone except administrators doing
this as it will leave your system vulernable to what amounts to a denial of
service attack.
=====================
Mark Roddy
-----Original Message-----
From: Matt Miller [mailto:xxxxx@positivenetworks.net]
Sent: Monday, July 28, 2003 10:58 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Why I can’t call IPHelp API IpRenewAddress without
Administrator rights under Windows 2000?
If your requirement is that normal users be able to call
IpRe[new/lease]Address then the only solution I’m aware of is to create an
NT service and proxy the requests via a named pipe or some other mechanism.
In all the cases I can think of, allowing a user to call Renew/Release is
acceptable. The webserver point is kind of a corner case as most of the
time a webserver would have a static IP, or, the DHCP server would be
configured to always issue the same address to a given mac.
There might be some cases that I missed, but in general I think it’s okay to
allow normal users to call Renew/Release (even if not directly possible).
Thoughts?
Matt
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Monday, July 28, 2003 7:13 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Why I can’t call IPHelp API IpRenewAddress without
Administrator rights under Windows 2000?
Because you do not want the users of your hosting web server to change
its IP addresses
Some things do require Administrator rights. Seeking the ways of
bypassing this is a bit strange.
Max
----- Original Message -----
From: “Crasher Guo”
To: “Windows System Software Developers Interest List”
Sent: Monday, July 28, 2003 12:00 AM
Subject: [ntdev] Why I can’t call IPHelp API IpRenewAddress without
Administrator rights under Windows 2000?
> Hi,all
> Why I can’t call IPHelp API IpRenewAddress without Administrator
> rights
under
Windows 2000?
>
>
> Thanks for you time.
> Thanks for you help.
>
> Crasher Guo
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@positivenetworks.net To
unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@positivenetworks.net To
unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@positivenetworks.net
To unsubscribe send a blank email to xxxxx@lists.osr.com