Wednesday, February 13, 2008

How to prevent DHCP lease to unauthorized computers

via Daniel Petri

The Windows DHCP Server Team has released a DHCP Server Callout DLL that helps administrators filter DHCP requests reaching a DHCP server against a predefined list of MAC addresses. The DLL checks whether the requesting device's MAC address is present in the list of known MAC addresses configured by the administrator and performs one of two actions: Allow or Deny the DHCP lease.

MAC address based filtering lets network administrators ensure that only a known set of devices on the network can obtain an IP address from the DHCP server. The DLL gives administrators an additional access control at the lease-issuing point. It is compatible with Windows Server 2003 and Windows Server 2008.

Usage is pretty simple and is explained in the setup document shipped with the tool. Both the DLL (MacFilterCallout.dll) and the setup document (SetupDHCPMacFilter.rtf) are copied into the %SystemRoot%\system32 folder after installation. Download it here.
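To make the check described above concrete, here is an added example (not the team's DLL code, whose list-file format is not described on this page) that models what such a callout does: it pulls the client hardware address (chaddr) out of the fixed part of a DHCP message, normalises it, and applies either an Allow or a Deny list. The list format, the field names, and the sample MAC addresses are assumptions made for the example.

```python
"""Model of a MAC address based DHCP lease filter (added example, not the
MacFilterCallout.dll code). It parses the fixed header of a DHCP message as
defined in RFC 2131, extracts chaddr, and decides Allow/Deny from a list."""
import re
import struct

# Fixed BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16).  44 bytes in total.
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 or
    001122334455 and return the lowercase 12-hex-digit form."""
    compact = re.sub(r"[-:.]", "", text.strip()).lower()
    if not _HEX12.match(compact):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return compact


def load_mac_list(text):
    """Parse a list file (assumed format: one MAC per line, '#' comments)."""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            macs.add(normalize_mac(line))
    return macs


def client_mac(packet):
    """Return the client's Ethernet MAC from a DHCP client message."""
    if len(packet) < _HDR.size:
        raise ValueError("truncated DHCP message")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 1:                      # BOOTREQUEST only; ignore server replies
        raise ValueError("not a client request (op=%d)" % op)
    if htype != 1 or hlen != 6:      # only Ethernet hardware addresses
        raise ValueError("unsupported hardware type/length")
    chaddr = packet[28:28 + hlen]
    return normalize_mac(chaddr.hex())


def lease_permitted(action, mac, mac_list):
    """action='allow': lease only listed MACs; action='deny': refuse listed MACs."""
    listed = normalize_mac(mac) in mac_list
    if action == "allow":
        return listed
    if action == "deny":
        return not listed
    raise ValueError("action must be 'allow' or 'deny'")


def build_discover(mac_hex, xid=0x3903F326):
    """Constructed DHCP DISCOVER (fixed header + sname/file + option 53)."""
    chaddr = bytes.fromhex(mac_hex).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = _HDR.pack(1, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4, chaddr)
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"   # cookie, DISCOVER, end
    return header + b"\x00" * 64 + b"\x00" * 128 + options


# Constructed sample list: two authorised workstations.
SAMPLE_LIST = """
# workstations cleared for DHCP (constructed sample)
00-11-22-33-44-55   # assumed finance PC
AA:BB:CC:DD:EE:FF   # assumed lab PC
"""

if __name__ == "__main__":
    known = load_mac_list(SAMPLE_LIST)
    for mac in ("001122334455", "deadbeef0001"):
        pkt = build_discover(mac)
        verdict = "Allow" if lease_permitted("allow", client_mac(pkt), known) else "Deny"
        print(mac, "->", verdict)
```

The filter only governs whether the server hands out a lease; a host that configures its own address statically never sends a DISCOVER and is not touched by this check, which is why it complements rather than replaces port-level controls on the switch.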

6 comments:

Shay Levy said...

Sorry, I don't know any other solution.

Unknown said...

Hi,

I tried this solution in a test environment, and it works well. I have one question. Do you know of a MAC address limit? I ask because my company has over 10,000 computers, and probably a hundred different DHCP servers. I'm wondering if all MAC addresses in my company can be in one file, and then have that file replicated across the domain.

I would like to hear your thoughts on this. Thanks for the work on this! It works well.

Shay Levy said...

I haven't worked with that DLL so I can't tell for sure. In my opinion there shouldn't be a limit. I would ask in the Windows DHCP Server Team blog.

Unknown said...

The link to the download leads to a 404-error. I found the download at the DHCP Team Blog: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx

Thanks so much for this! Just yesterday we were discussing trying to find a utility like this. Now let's see if it works...

Unknown said...

I do have a question (and I haven't even installed it yet): What if a user realizes he isn't getting an IP address and manually sets his own? What, other than the painful process of allowing only a given MAC on a given switch port, can be done about that?

Shay Levy said...

Hi

I suggest asking the question in the DHCP team blog.