Wednesday, February 13, 2008

How to prevent DHCP lease to unauthorized computers

via Daniel Petri

The Windows DHCP Server Team has released a DHCP Server Callout DLL that helps administrators filter DHCP requests to a DHCP server based on a predefined list of MAC addresses. The DLL checks whether the requesting device's MAC address is present in a known list of MAC addresses configured by administrators and performs one of two actions: allow or deny the DHCP lease.

MAC address based filtering allows network administrators to ensure that only a known set of devices on the network is able to get an IP address from the DHCP server. This DLL helps administrators add a further layer of control to the network. It is compatible with Windows 2003 and Windows 2008 servers.

The usage is pretty simple and is explained in the setup document shipped with the tool. Both the DLL (MacFilterCallout.dll) and the setup document (SetupDHCPMacFilter.rtf) are copied to the %SystemRoot%\system32 folder after installation. Download it here.
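As an added illustration, not code from the callout DLL (whose list format is described in SetupDHCPMacFilter.rtf and is not reproduced here), the following Python models the decision the DLL makes: it pulls the client hardware address (chaddr) out of a raw BOOTP/DHCP message, normalizes it, and checks it against an allow or deny list. The one-MAC-per-line file format with its MODE line, the MAC values and the DHCPDISCOVER packet are all constructed for the example. It also goes one step beyond the shipped DLL by re-reading the list whenever the file's contents change, since the DLL, as the comments note, reads the list only when the service starts.

```python
import struct
from pathlib import Path

# Constructed filter file in a hypothetical format (not the DLL's real one):
# a MODE line, then one MAC per line, with '#' comments allowed.
SAMPLE_FILTER_FILE = """\
# MODE=ALLOW: listed MACs get a lease, everything else is denied.
# MODE=DENY:  listed MACs are refused, everything else is allowed.
MODE=ALLOW
00:1A:2B:3C:4D:5E
00-1a-2b-3c-4d-5f
001a2b3c4d60
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, separators removed."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def parse_filter(text: str):
    """Return (mode, set of normalized MACs); mode is 'ALLOW' or 'DENY'."""
    mode, macs = None, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.upper().startswith("MODE="):
            mode = line.split("=", 1)[1].strip().upper()
            if mode not in ("ALLOW", "DENY"):
                raise ValueError(f"unknown mode {mode!r}")
            continue
        macs.add(normalize_mac(line))
    if mode is None:
        raise ValueError("filter file has no MODE line")
    return mode, macs


def decide(mode: str, macs: set, mac: str) -> str:
    """The allow/deny decision for one requesting MAC."""
    listed = normalize_mac(mac) in macs
    if mode == "ALLOW":
        return "ALLOW" if listed else "DENY"
    return "DENY" if listed else "ALLOW"


class MacFilter:
    """Filter that re-parses the list whenever the file contents change,
    so an administrator can edit it without restarting the DHCP service."""

    def __init__(self, path):
        self.path = Path(path)
        self._text = None
        self.mode, self.macs = None, set()
        self.reload_if_changed()

    def reload_if_changed(self) -> bool:
        # Comparing contents (rather than mtime) avoids missing an edit made
        # within the filesystem's timestamp granularity.
        text = self.path.read_text()
        if text == self._text:
            return False
        self.mode, self.macs = parse_filter(text)
        self._text = text
        return True

    def decide(self, mac: str) -> str:
        self.reload_if_changed()
        return decide(self.mode, self.macs, mac)


def chaddr_from_dhcp(packet: bytes) -> str:
    """Extract the client hardware address from a raw BOOTP/DHCP message.
    Header: op,htype,hlen,hops (4) | xid (4) | secs,flags (4) |
    ciaddr,yiaddr,siaddr,giaddr (16) | chaddr (16) -> chaddr at offset 28."""
    if len(packet) < 44:
        raise ValueError("truncated DHCP message")
    htype, hlen = packet[1], packet[2]
    if htype != 1 or hlen != 6:  # 1 = Ethernet; only 6-byte addresses handled
        raise ValueError(f"unsupported htype={htype} hlen={hlen}")
    return packet[28:28 + hlen].hex()


def build_discover(mac: str, xid: int = 0x12345678) -> bytes:
    """Constructed minimal DHCPDISCOVER (BOOTREQUEST) used to test the extractor."""
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    addrs = b"\x00" * 16                                          # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex(normalize_mac(mac)) + b"\x00" * 10     # 16-byte chaddr field
    sname_file = b"\x00" * (64 + 128)
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"      # magic cookie, msg type DISCOVER, end
    return head + addrs + chaddr + sname_file + options


def demo(workdir):
    """Write the constructed list, decide three requests, then add a MAC to the
    file and decide again to show the reload-on-change behaviour."""
    path = Path(workdir) / "macfilter.txt"
    path.write_text(SAMPLE_FILTER_FILE)
    f = MacFilter(path)
    requests = ("00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "aa:bb:cc:dd:ee:ff")
    before = {normalize_mac(m): f.decide(chaddr_from_dhcp(build_discover(m))) for m in requests}
    path.write_text(SAMPLE_FILTER_FILE + "aa:bb:cc:dd:ee:ff\n")
    after = {normalize_mac(m): f.decide(chaddr_from_dhcp(build_discover(m))) for m in requests}
    return before, after
```

Run `demo()` with any writable directory: the third request is denied in the first pass and allowed in the second, once its MAC has been appended to the file, without any restart.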

8 comments:

Alex Casanova said...
This comment has been removed by the author.
Alex Casanova said...

Hi

First of all, thanks a lot for the information, it's a pretty solution for a DHCP server.

I'm in an enterprise, and we would script a solution to detect and deny DHCP leases from computers that are not from the enterprise.

The solution of this DLL is pretty good, but it only has one "black list or white list" and the DLL only reads the list when the service starts.

Do you know other solution to do this?

Thanks for your time
Best regards

Alex Casanova
_____________
www.bicubik.net

$hay@Israel said...

Sorry, I don't know any other solution.

Padraig said...

Hi,

I tried this solution in a test environment, and it works well. I have one question. Do you know of a MAC address limit? I ask because my company has over 10,000 computers, and probably a hundred different DHCP servers. I'm wondering if all MAC addresses in my company can be in one file, and then have that file replicated across the domain.

I would like to hear your thoughts on this. Thanks for the work on this! It works well.

$hay@Israel said...

I haven't worked with that DLL so I can't tell for sure. In my opinion there shouldn't be a limit. I would ask it in the Windows DHCP Server Team blog.

H said...

The link to the download leads to a 404-error. I found the download at the DHCP Team Blog: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx

Thanks so much for this! Just yesterday we were discussing trying to find a utility like this. Now let's see if it works...

H said...

I do have a question (and I haven't even installed it yet): What if a user realizes he isn't getting an IP address and manually sets his own? What, other than the painful process of allowing only a given MAC on a given switch port, can be done about that?

$hay@Israel said...

H

I suggest asking the question in the DHCP team blog.