How can you filter DHCP requests in Windows so that only “approved” clients get a network address? This has long been native to Linux (a few host declarations with hardware ethernet entries plus a deny unknown-clients line in dhcpd.conf), but it wasn’t a Windows feature until recently; it is now built into Server 2008 R2. My layer 2 switch doesn’t do NAC, so I had considered rolling out a Linux DHCP server to meet my needs. I personally think Linux DHCP servers are much stronger than Windows DHCP; however, this is a nice stop-gap measure until I can implement a Linux DHCP server, or if it works well I might forgo the Linux server altogether.
I ran into this article on a site I’ve used as a resource before, PETRI IT Knowledge base –> Link to article. So to get this going, download the “Mac Filter Installer” –> here or from my site –> here (just in case they take the download off the M$ blog site). The PETRI site doesn’t explain how to implement DHCP MAC filtering and the M$ blog doesn’t either, although the comments from others do help. I thought I’d fill you in on how to implement Windows DHCP MAC filtering from start to finish (here’s the link to the M$ blog that also hosts the download –> here)!
- Extract the zip file.
- Double-click the installer for your architecture, x86 or x64. The “manual” is placed at %systemroot%\system32\SetupDHCPMacFilter.rtf and the “config” files are placed in %systemroot%\system32\dhcp.
- Navigate to %systemroot%\system32\dhcp (Start > Run, paste that path into the dialog box and click OK, or just use Explorer to get there).
- Edit the MACList.txt file; that’s where your filter of “allowed” addresses goes. You can also use “DENY” in place of “ALLOW” to deny particular addresses, but by default it’s set to allow only the MAC addresses in the list, which is how I’ve got it configured and running. Addresses go in as 12 hex digits with no separators (see the example below).
My example config:
00E941007661 # My Cool Comment Here!!!
# You can also just make a comment
# Everything after a # is ignored, just like in a Linux config file :P
Once you have edited the file and put all your approved MAC addresses into MACList.txt, restart the DHCP Server service so the callout DLL reads the list: Start > Run > cmd > OK, then type:
net stop dhcpserver
net start dhcpserver
(Note the service name: “dhcpserver” is the DHCP Server service; plain “dhcp” is the DHCP Client service, so net stop dhcp / net start dhcp would restart the wrong thing and the list would never be loaded.)
- Open %systemroot%\system32\dhcp\MacFilterCalloutErrorLog.txt <– check for errors!
If you see no errors, you’re golden. (I had errors because I was entering MAC addresses in the 00-00-00-00-00-00 style; the callout doesn’t like the “-”, or any other separator, so use 12 hex digits only.) Also note that an easy way to get MAC addresses into your MACList.txt file is to export your current lease list from DHCP. Open the DHCP MMC snap-in and navigate: DHCP > your server.domain > Scope > Address Leases; right-click “Address Leases” and then click “Export List”. Drag that text file into Excel, sort the list, copy the “Unique ID” column (the MAC addresses, already in the no-separator format), and paste it into your MACList.txt file. Restart the DHCP Server service and you’re DONE!
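The whole procedure above (export leases, normalize the MACs, write MACList.txt, restart the server service, check the error log) can be scripted so you don’t end up with separators or duplicates in the list. The following is an added PowerShell example, not code from the original post or from the Microsoft download. It assumes the file format documented in SetupDHCPMacFilter.rtf: a MAC_ACTION={ALLOW} (or {DENY}) line followed by one 12-hex-digit address per line, “#” for comments. The exact MAC_ACTION keyword is from my recollection of that document, so check it against the .rtf on your box. The lease export embedded in the script is constructed sample data in the tab-separated layout the MMC “Export List” produces.

```powershell
# Added example: build MACList.txt for the DHCP MAC filter callout from an
# "Export List" dump of the Address Leases view, restart the DHCP *Server*
# service, and show the callout's error log. Run in an elevated PowerShell
# on the DHCP server.
#
# Assumptions (verify against %systemroot%\system32\dhcp\SetupDHCPMacFilter.rtf):
#  - the list starts with MAC_ACTION={ALLOW} or MAC_ACTION={DENY}
#  - each address is 12 hex digits, no separators, one per line, '#' = comment
#  - the MMC export is tab-separated with a "Unique ID" column holding the MAC

$dhcpDir  = Join-Path $env:SystemRoot 'system32\dhcp'
$macList  = Join-Path $dhcpDir 'MACList.txt'
$errorLog = Join-Path $dhcpDir 'MacFilterCalloutErrorLog.txt'

# Constructed sample of an MMC "Export List" file. For a real run replace
# this with: $export = Get-Content 'C:\leases.txt'
$export = @"
Client IP Address`tName`tLease Expiration`tType`tUnique ID`tDescription
192.168.1.20`tlaptop01.corp.local`t5/11/2010 9:00:00 AM`tDHCP`t00e941007661`t
192.168.1.21`tprinter.corp.local`t5/11/2010 9:12:00 AM`tDHCP`t00-1A-2B-3C-4D-5E`t
192.168.1.22`tbadentry`t5/11/2010 9:13:00 AM`tDHCP`tnot-a-mac`t
192.168.1.23`tlaptop01-dup`t5/11/2010 9:14:00 AM`tDHCP`t00:E9:41:00:76:61`t
"@ -split "`r?`n"

function ConvertTo-CalloutMac {
    # Strip '-', ':', '.' and whitespace, upper-case, and require exactly 12 hex
    # digits (the format the callout accepts). Returns $null for anything else.
    param([string]$Mac)
    $clean = ($Mac -replace '[-:.\s]', '').ToUpper()
    if ($clean -match '^[0-9A-F]{12}$') { return $clean }
    return $null
}

# Locate the "Unique ID" column from the header row, then normalize every lease.
$header = $export[0] -split "`t"
$idCol  = [array]::IndexOf($header, 'Unique ID')
if ($idCol -lt 0) { throw "No 'Unique ID' column found in the export" }

$allowed  = @()
$rejected = @()
foreach ($line in ($export | Select-Object -Skip 1)) {
    if (-not $line.Trim()) { continue }
    $fields = $line -split "`t"
    $mac = ConvertTo-CalloutMac $fields[$idCol]
    if ($mac) { $allowed += $mac } else { $rejected += $line }
}
# De-duplicate: the same NIC can show up under several leases/formats.
$allowed = $allowed | Sort-Object -Unique

# Write the list. Plain ASCII avoids a BOM that the callout may not parse
# (assumption; keeping the file ASCII is the safe choice either way).
$content = @('# Generated ' + (Get-Date), 'MAC_ACTION={ALLOW}') + $allowed
$content | Set-Content -Path $macList -Encoding Ascii

# Restart the DHCP Server service. Service name is "DHCPServer"; plain "Dhcp"
# is the DHCP *Client* service and restarting it would not reload the list.
Restart-Service -Name DHCPServer

# Surface anything the callout logged, plus the rows we refused to import.
if (Test-Path $errorLog) { Get-Content $errorLog | Select-Object -Last 20 }
$rejected | ForEach-Object { Write-Warning "Skipped (bad MAC): $_" }
```

With the sample data the script writes two entries (00E941007661 once, despite appearing twice in different formats, and 001A2B3C4D5E), warns about the “not-a-mac” row instead of silently writing it, and restarts the right service. Run it once against a real export, then eyeball MACList.txt before trusting it: every lease in the export is an address that currently has a lease, not necessarily one you want to approve.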
This is an additional layer of security to keep honest people honest. If you can implement NAC at the switch (802.1X, or at least port security) you’re much better off: someone can still set a static IP address that matches your IP network and get on, and a MAC address is trivial to change in the NIC’s driver settings, so anyone who knows an approved MAC can clone it and get a lease. Still, using this method of DHCP MAC filtering you’re better off than not having it, since most people won’t know you can do that. I’d expect anyone with an ounce of IT in them to try a static IP and find one they can use, but again, you’re better off implementing this than not!