Like most companies, we use DHCP to manage most of our IP addresses for workstations and servers. Many of our logs, including our domain controllers' (DCs') Security logs, identify computers by their current IP address. We need to be able to track IP addresses back to their physical computers, but we often review activity that's several days old. How can we determine which workstation or server had a given IP address at a given time?
Being able to connect a physical machine with the IP address it held at a particular time is indeed important. For example, when reviewing the Windows Security log on a DC, you might encounter event ID 675 (pre-authentication failed) with failure code 0x18 (24 decimal), which indicates that someone tried to log on with a valid domain account name but entered a bad password. Repeated event ID 675s for the same account, or attempts at odd hours of the day, might mean you've detected an attack on that account. One of the logical next questions is, where is the attack originating from? If it originates from the account holder's own workstation, the user was probably just having a hard time remembering his or her password. If it originates from another computer, someone might be trying to break into the account.
Like many other events in the Security log, event ID 675 provides the client IP address. How can you use that IP address to identify the physical system? The answer is, through your DHCP server's log.
First, enable logging on your DHCP server. On Windows Server 2003 or Windows 2000 Server, open the Microsoft Management Console (MMC) DHCP snap-in. Right-click the DHCP server and select Properties. On the General tab, select the Enable DHCP audit logging check box.
The DHCP server log, which is in %windir%\System32\Dhcp by default, is a simple comma-delimited text file that you can view with any text editor or Microsoft Excel. Windows maintains a separate log file for each day of the week. On Windows 2000 Server the files are named DhcpSrvLog with a three-letter extension for the day of the week (e.g., Monday's log is DhcpSrvLog.Mon); on Windows Server 2003 the day is part of the file name instead (e.g., DhcpSrvLog-Mon.log). At 12:00 a.m. each day, the DHCP service closes the previous day's log file and opens the next one, overwriting the copy from the week before. You can therefore review only the past 7 days of activity unless you copy the log files elsewhere before they're overwritten; a scheduled task that copies the directory to an archive location once a day is enough. Note also that the log lives on each DHCP server, so if you run more than one server you need the log from the server that serves the subnet in question.
Figure 1 shows a sample DHCP server log. The header at the top of the file lists each event ID that the log records and its meaning, and every event in the body starts with one of those IDs. For our purposes, we're interested in event ID 10 (A new IP address was leased to a client) and event ID 11 (A lease was renewed by a client). Event ID 12 (A lease was released by a client) is also worth noting: a release between a lease and the time you're investigating means that computer no longer held the address.
In the body of the log, the fields that follow the event ID are the date, the time, the action (Assign or Renew), the IP address leased, the host name the client reported, and the client's media access control (MAC) address. To determine which computer held an IP address that appears in your Security log, open the DHCP log for the corresponding day and search for that IP address. Look for the event whose date and time most closely precedes the Security log event's date and time. Because the two timestamps come from different servers, make sure the DC and the DHCP server are synchronized to the same time source, and allow for a few seconds of skew when the events are close together. If you can't find an event ID 10 or event ID 11 for that IP address in that day's log, look in the previous day's log and keep working backward until you find one: the computer might have leased the address several days earlier, depending on the lease duration configured for the DHCP scope. If no event ID 10 or event ID 11 for the address precedes the Security log event in any of the logs you still have, look instead for the first event ID 11 (renewal) for that address after the event. A renewal proves that the lease already existed, so it still identifies the holder, whereas a later event ID 10 (a new assignment) tells you nothing about who held the address before it.
After you find an assignment or renewal record for the IP address you're interested in, you can use the host name or MAC address to identify the computer. The host name is the name the client sent in its DHCP request, which is normally the name configured on the Computer Name tab of the lessee's Control Panel System applet. The MAC address is the hardware address of the lessee's network card: the first three bytes identify the card's manufacturer and the remainder is a serial number the manufacturer assigns, so the address is intended to be globally unique rather than tied to any region. Keep in mind that both fields are supplied by the client. A machine can be renamed, and most NICs let the MAC address be overridden in the driver settings, so neither field is proof of identity if an attacker controls the machine. Depending on your computer-naming standards and record keeping, the computer name might be sufficient to identify the physical computer. Otherwise, you can use the MAC address to track down the system by looking it up in your switches' MAC address tables to find the port it was seen on. That tracing can be quite tedious, depending on the size of your network and the types of switches in use.
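To make the search procedure above concrete, here is an added Python example (not code from the original column) that parses DhcpSrvLog files, merges several days' worth of events, and applies the rules described above: the closest preceding Assign or Renew, working back across day boundaries, and the fallback to a later renewal. It goes one step further than the text by treating an intervening event ID 12 (Release) as evidence that nobody held the address at that time. The two log files, host names, addresses and MAC addresses are constructed for the example; the column layout follows the format described above.

```python
"""Correlate an IP address and timestamp taken from a Security log event with
the DHCP server audit log (DhcpSrvLog.*) to find the lease holder."""
import csv
from datetime import datetime

TS_FORMAT = "%m/%d/%y %H:%M:%S"      # date and time fields as the DHCP server writes them
HEADER = "ID,Date,Time,Description,IP Address,Host Name,MAC Address"
ASSIGN, RENEW, RELEASE = "10", "11", "12"   # event IDs from the log's own legend

# Constructed sample of two daily audit logs (not real captures). Host names,
# addresses and MACs are made up; the layout follows the real file format.
PREAMBLE = (
    "\t\tMicrosoft DHCP Service Activity Log\n\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n"
    "12\tA lease was released by a client.\n\n"
)
SAMPLE_LOGS = {
    "DhcpSrvLog.Sun": PREAMBLE + HEADER + "\n"
        "00,03/09/03,00:00:02,Started,,,\n"
        "10,03/09/03,07:58:41,Assign,10.1.2.50,ws-alice.corp.example.com,000BDB1A2B3C\n"
        "10,03/09/03,09:15:07,Assign,10.1.2.51,ws-bob.corp.example.com,000BDB4D5E6F\n"
        "12,03/09/03,17:30:12,Release,10.1.2.51,ws-bob.corp.example.com,000BDB4D5E6F\n",
    "DhcpSrvLog.Mon": PREAMBLE + HEADER + "\n"
        "00,03/10/03,00:00:02,Started,,,\n"
        "11,03/10/03,07:58:44,Renew,10.1.2.50,ws-alice.corp.example.com,000BDB1A2B3C\n"
        "11,03/10/03,08:30:00,Renew,10.1.2.52,srv-print1.corp.example.com,0050561A2B3C\n"
        "10,03/10/03,10:02:19,Assign,10.1.2.51,lab-pc7.corp.example.com,00A0C9112233\n",
}


def parse_dhcp_log(text):
    """Parse one DhcpSrvLog file. Everything through the column header line is
    the legend and is skipped; the remaining lines are CSV records."""
    lines = text.splitlines()
    if HEADER not in lines:
        raise ValueError("column header not found; not a DHCP audit log?")
    events = []
    for row in csv.reader(lines[lines.index(HEADER) + 1:]):
        if len(row) < 7 or not row[0].strip():
            continue                       # blank or malformed line
        events.append({
            "id": row[0].strip(),
            "ts": datetime.strptime(f"{row[1]} {row[2]}", TS_FORMAT),
            "description": row[3],
            "ip": row[4],
            "host": row[5],                # client-supplied, see caveat in the text
            "mac": row[6].upper(),         # client-supplied as well
        })
    return events


def load_logs(files):
    """Merge the events from several daily files and sort them by time, so the
    search can walk back across day boundaries."""
    events = []
    for text in files.values():
        events.extend(parse_dhcp_log(text))
    return sorted(events, key=lambda e: e["ts"])


def find_holder(events, ip, when):
    """Return (status, record) for who held `ip` at `when` (a datetime or a
    string in the log's own MM/DD/YY HH:MM:SS form).
    'held'          - latest Assign/Renew at or before `when`
    'released'      - latest preceding event is a Release (nobody held it)
    'later-renewal' - nothing earlier survived, but the next event after `when`
                      is a Renew, which implies the lease already existed
    'unknown'       - no usable record in the logs provided"""
    if isinstance(when, str):
        when = datetime.strptime(when, TS_FORMAT)
    for_ip = sorted((e for e in events
                     if e["ip"] == ip and e["id"] in (ASSIGN, RENEW, RELEASE)),
                    key=lambda e: e["ts"])
    before = [e for e in for_ip if e["ts"] <= when]
    if before:
        last = before[-1]
        return ("released" if last["id"] == RELEASE else "held", last)
    after = [e for e in for_ip if e["ts"] > when]
    if after and after[0]["id"] == RENEW:
        return ("later-renewal", after[0])
    return ("unknown", None)


EVENTS = load_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    # A DC Security log event ID 675 reported client address 10.1.2.50 on
    # Monday at 09:30:00; find the lease record that covers it.
    status, rec = find_holder(EVENTS, "10.1.2.50", "03/10/03 09:30:00")
    print(status, rec["host"], rec["mac"], rec["ts"])
```

In practice you would replace SAMPLE_LOGS with the contents of the archived DhcpSrvLog files (read with the file's own encoding) and feed find_holder the client address and timestamp from the event ID 675 record; the status tells you whether the answer rests on a preceding lease, a later renewal, or nothing at all.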