Details

Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.

Rationale:

The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. Attackers can potentially be used for denial-of-service (DoS) attacks.

Impact:

To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP).

Solution

Disable the DHCP server.

hostname(config)#no service dhcp

Default Value:

Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3160https://workbench.cisecurity.org/files/3160

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Cisco.

References

• 800-53|SI-4
• CSCv6|9.1
• CSCv7|9.2

Source

• Tenable.com/audits