How to Detect Who Deleted a DHCP Reservation


Native Auditing vs. Netwrix Auditor for Windows Server

Native Auditing
Steps
  1. Open the DHCP Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click the DHCP server you want to configure → choose IPv4 or IPv6.
  3. Right-click the DHCP instance to open the context menu → Go to Properties → On the “General” tab, select “Enable DHCP audit logging” → Click “OK”.
  4. Run eventvwr.msc → Navigate to “Applications and Services Logs” → Go to “Microsoft” → Click “Windows” → Select “DHCP-Server” → Click “Microsoft-Windows-DHCP Server Events/Operational”.
  5. Look for Event ID 107 to find out who deleted a DHCP reservation.
    Whenever someone deletes a DHCP reservation, you will see an event similar to the following:

DHCP-Server event: DHCP Reservation deleted
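
The lookup in steps 4 and 5 can also be scripted rather than browsed in Event Viewer. The PowerShell below is an added example, not part of the original guide: the function name `Get-DhcpReservationDeletion`, the default channel name and the seven-day lookback window are assumptions, and the channel name should be confirmed on the DHCP server before relying on it.

```powershell
# Added example: list DHCP reservation deletions (Event ID 107) and who made them.
function Get-DhcpReservationDeletion {
    [CmdletBinding()]
    param(
        # DHCP servers to query; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Only return events newer than this (assumed default: last 7 days).
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Assumed channel name behind the Event Viewer path in step 4;
        # confirm with: Get-WinEvent -ListLog '*Dhcp-Server*'
        [string]$LogName = 'Microsoft-Windows-Dhcp-Server/Operational'
    )

    $filter = @{ LogName = $LogName; Id = 107; StartTime = $Since }

    foreach ($server in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; treat that as "no deletions".
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            Write-Warning "Could not read $LogName on ${server}: $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # The event's User field holds the SID of the account that made the change.
            $who = if ($e.UserId) {
                try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $e.UserId.Value }   # SID that no longer resolves to an account
            } else { '<no user recorded>' }

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Server      = $e.MachineName
                DeletedBy   = $who
                Message     = $e.Message
            }
        }
    }
}

Get-DhcpReservationDeletion | Sort-Object TimeCreated -Descending | Format-List
```

Run it from an elevated session on the DHCP server, or pass `-ComputerName` with an account that is allowed to read the remote event log.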

Netwrix Auditor for Windows Server

To create an alert that is triggered each time someone deletes a DHCP reservation:

  1. Run Netwrix Auditor Event Log Manager → Click "Edit" → Click "Add" → Fill out the "Computer name" field and click "OK" → Specify the account which will be used to collect data → Click "Save".
  2. Click the "Configure" button located next to "Alerts" → Click "Add" → Specify the new alert’s name and other details → Click the "Add" button to open the "Event Filters" window.
  3. Switch to the "Event Fields" tab → Check the "Event ID" box and set its value to "107" → Check the "Category" box and set its value to "0" → Click "OK".


Whenever someone deletes a DHCP reservation, you will receive an alert similar to the following:

Netwrix Auditor Alert: DHCP Reservation Deleted

Monitor Deletions of DHCP Reservations to Avoid System Unavailability

The deletion of a DHCP reservation can cause IT services to be unavailable. For instance, users can experience problems accessing e-mail, file servers, SharePoint, etc. And because users won’t be able to access files on corporate shared resources or use their mailboxes, the IT helpdesk will see a significant increase in ticket volume. To minimize the risk of system unavailability and the resulting failed access attempts, IT administrators need to keep an eye on DHCP reservations and spot any deletions as soon as possible.

Netwrix Auditor for Windows Server provides visibility into Windows Server activity and delivers actionable information about all Windows Server access events and changes, including the deletion of DHCP reservations. Then, by using the Interactive Search feature, IT staff can generate an easy-to-read report showing all the details about a deleted DHCP reservation, including who deleted it, when and where the deletion occurred, and other details. The solution also notifies IT administrators about deleted reserved IP addresses by sending them email alerts in order to further help prevent system unavailability.