Important: Download and install Security Update 12-19-03 to address this issue. You can get this update using Software Update preferences or from Apple Downloads (http://www.info.apple.com/support/downloads.html).
In many cases, your Mac is protected from this kind of exploit because the malicious DHCP server has to be part of your local network, or "subnet". If your computers are on your local network and you have a broadband connection (DSL or cable service) with a Network Address Translation device--such as an AirPort Base Station--this exploit is not possible unless you allow untrusted systems to connect to your local network. The attack is not possible on the public side of a Network Address Translation device and requires the malicious system to be on your local subnet.
If there is a chance that someone has put a malicious DHCP server on your subnet, or if your computer is using an untrusted network, there are two ways to protect your computer, depending on whether you use a directory service. If you don't know whether your computer uses a directory service, ask your network administrator or Internet service provider.
You don't use a directory service
- Click the Finder icon in the Dock.
- From the Go menu, choose Applications.
- Find the Utilities folder and double-click to open it.
- Open the Directory Access utility.
- Click the lock button, type your password, and click OK to authenticate.
- Select the LDAP service and click Configure.
- Deselect the "Use DHCP-supplied LDAP Server" option. See Figure 1.
- Click OK. Your computer is no longer susceptible to this exploit.
Figure 1 Deselect the "Use DHCP-supplied LDAP Server" option
You use a directory service
If your Mac is configured to use a directory service, consult with your network administrator before changing any settings. Your network administrator will need to change the search policy in the Directory Access authentication tab from the default "automatic" setting to "custom" and specify the correct LDAP server.
Additional information
A DHCP or "Dynamic Host Configuration Protocol" server can automatically make the settings in Network preferences that your computer needs to access the Internet. This greatly simplifies the steps to connect to the Internet because the software does all of the network administration. Many Internet service providers and network administrators depend on DHCP servers to assign your computer an IP or Internet address.
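For administrators who want to check whether a DHCP server on the subnet is handing out an LDAP server at all, the following added example (not part of the original article, and not Apple code) parses the options field of a captured DHCP reply and reports any LDAP server it supplies. It assumes the LDAP server is carried in DHCP option 95, the IANA-assigned code; the function names, the trusted-server list, and the sample reply are constructed for illustration.

```python
# Added example: audit the options field of a DHCP reply for an LDAP server.
DHCP_MAGIC_COOKIE = bytes([99, 130, 83, 99])
OPT_PAD, OPT_END = 0, 255
OPT_SERVER_ID = 54  # DHCP server identifier (RFC 2132)
OPT_LDAP = 95       # LDAP server option (assumed: IANA-assigned code)

def parse_dhcp_options(field: bytes) -> dict:
    """Parse the TLV options that follow the magic cookie into {code: value}."""
    if field[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # pad bytes carry no length field
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the packet")
        # A repeated code continues the earlier value, so concatenate.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options

def audit_reply(field: bytes, trusted_dhcp_servers: set) -> list:
    """Return findings for a DHCP reply that supplies an LDAP server."""
    opts = parse_dhcp_options(field)
    findings = []
    if OPT_LDAP in opts:
        ldap = opts[OPT_LDAP].decode("ascii", "replace")
        server = ".".join(str(b) for b in opts.get(OPT_SERVER_ID, b"")) or "unknown"
        findings.append(f"DHCP server {server} supplies LDAP server {ldap!r}")
        if server not in trusted_dhcp_servers:
            findings.append(f"DHCP server {server} is not on the trusted list")
    return findings

def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample reply options: a DHCPACK from 192.168.1.77 carrying option 95.
SAMPLE = (DHCP_MAGIC_COOKIE + _opt(53, b"\x05") + _opt(OPT_SERVER_ID, bytes([192, 168, 1, 77]))
          + _opt(OPT_LDAP, b"ldap://192.168.1.77/dc=example,dc=com") + bytes([OPT_END]))

if __name__ == "__main__":
    print("\n".join(audit_reply(SAMPLE, {"192.168.1.1"})))
```

An empty result means the reply carried no LDAP server, so the "Use DHCP-supplied LDAP Server" option would have had nothing to act on for that lease.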