Solved

How to block MAC addresses using DHCP or other software

Posted on 2011-03-22
Last Modified: 2012-05-11
Hi guys
How can I block specific MAC addresses connecting to our network using DHCP (Win Server 2008 R2) or other free software?
Cheers
Troy
Question by:P3admin
13 Comments
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35194119
check this article out:

Windows Server 2008 R2: Enable and Configure MAC Address Filtering

http://technet.microsoft.com/en-us/magazine/ff521761.aspx
 
LVL 4

Accepted Solution

by:m_walker
m_walker earned 1336 total points
ID: 35194200
Depending on the size of your network and the number of hosts you support, your switches could support MAC filtering (or port-level MAC lists).

DHCP won't help a lot. While you could add a static mapping for every host in your network, other computers could simply set their own IP in your range.

Keep in mind that if your servers are on different "routed" networks/VLANs to your computers, then the MAC address of the remote computer won't make it to the server, so server/host-level MAC filters will only work if all computers are on the same network (layer 2) segment.
 

Author Comment

by:P3admin
ID: 35194283
We only have around 100 computers so it's not a huge network.

Author Comment

by:P3admin
ID: 35194340
Hi m_walker.

I have gone to your link and followed the instructions but cannot find the filter tab as per step 2. Does this apply to 2008 R2?

Cheers
Troy
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 1336 total points
ID: 35194357
If you can do it at the switch level, then it should only check as the port comes up (once) and then keep the port open until the port goes down. This way the overhead should have less impact on performance. If done at the server level, each packet would need to be checked, so it would have a bigger impact (that you may or may not notice).

Depending on the switches in play, you could also look at 802.1x and the use of a RADIUS server. It is more work to set up and understand, but can work.
In an 802.1x network you set up a certificate server on your Windows server. The server will then issue computer certificates (SSL) to each client computer that is in the domain. (So new computers should be set up on a trusted port with no 802.1x.) On the switch, each port in your untrusted areas is set to only open when a valid certificate is provided from the client computer. With the correct setup on the client computer, the computer will open the port prior to getting the user to log on to the domain.

Just an option, but it is harder to set up and get right and can cause issues with things like Ghost.
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 1336 total points
ID: 35194365
The link was from ActiveDirectoryman, not me. So make sure the credits go the right way :)
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35194760
Check this out sir:

Distribute DHCP Leases Based on MAC Address - this does apply to 2008 R2

http://technet.microsoft.com/en-us/library/dd759190.aspx
 

Author Comment

by:P3admin
ID: 35195838
Guys, you're gonna wanna kill me, but it is a 2003 DHCP server.... :S
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 332 total points
ID: 35198978
Server 2003 does not have this kind of native functionality.

The best way to do this would be with a MAC ACL on your switches if they support this.  Otherwise you're pretty much stuck!
 
LVL 8

Assisted Solution

by:ActiveDirectoryman
ActiveDirectoryman earned 332 total points
ID: 35227415
Actually there is a way to enable it on Server 2003.

Check out these articles:

MAC address filtering on Server 2003 and 2008
http://www.petri.co.il/filter-mac-address-windows-server-2008-dhcp-server-callout-dll.htm

MAC address filtering on Server 2003 and 2008
http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 1336 total points
ID: 35228119
While not an answer to your question as such, your request contained
"...block specific MAC addresses connecting to our network using DHCP..."
I can think of how DHCP would block access to your network. While it may not give a computer an IP address, what's stopping the computer setting a static IP address? All they need to do is run a sniffer and look at the ARP requests to get an idea of your IP range, then port/ping scan to see what's free, and off they go...

What do you really want to achieve?
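The point m_walker makes above (a DHCP-side MAC filter does not keep a statically addressed host off the segment) is easy to check from the defender's side: compare what ARP actually sees on the wire against what DHCP leased. The following is an added example, not code from the thread or from any product named in it; it parses constructed lines in the shape of Windows `arp -a` output and compares them with a constructed lease table and a constructed allowlist of corporate MACs. A host whose MAC is on the segment but matches neither a DHCP lease nor the allowlist is exactly the case the DHCP filter cannot stop and the switch-side MAC ACL or 802.1x is meant to catch.

```python
"""Spot hosts on the local segment that DHCP never leased (added example)."""
import re
from typing import Dict, Set

# Matches one data row of `arp -a` style output: IP, MAC (hyphen or colon), type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

# Constructed sample ARP table (not captured from a real host).
ARP_SAMPLE = """\
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-01     dynamic
  192.168.10.20         00-1a-2b-3c-4d-20     dynamic
  192.168.10.21         00-1a-2b-3c-4d-21     dynamic
  192.168.10.22         08-00-27-dd-ee-ff     dynamic
  192.168.10.77         08-00-27-aa-bb-cc     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of current DHCP leases (ip -> mac), as exported from the
# DHCP console. Note .22 is leased to one MAC but a different MAC answers for it.
DHCP_LEASES: Dict[str, str] = {
    "192.168.10.20": "00:1a:2b:3c:4d:20",
    "192.168.10.21": "00:1a:2b:3c:4d:21",
    "192.168.10.22": "00:1a:2b:3c:4d:22",
}

# Constructed allowlist of known corporate MACs (gateway plus two workstations).
KNOWN_MACS: Set[str] = {
    "00:1a:2b:3c:4d:01",
    "00:1a:2b:3c:4d:20",
    "00:1a:2b:3c:4d:21",
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so both notations compare equal."""
    return mac.replace("-", ":").lower()


def is_unicast(mac: str) -> bool:
    """Broadcast and multicast MACs set the low bit of the first octet; skip them."""
    return not (int(mac.split(":")[0], 16) & 1)


def parse_arp(text: str) -> Dict[str, str]:
    """Return ip -> normalized MAC for every unicast row in the ARP output."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue  # header, interface line, or blank
        ip, mac, _type = m.groups()
        mac = normalize_mac(mac)
        if is_unicast(mac):
            entries[ip] = mac
    return entries


def classify(arp: Dict[str, str], leases: Dict[str, str],
             known: Set[str]) -> Dict[str, Dict[str, str]]:
    """Bucket each ARP entry: leased by DHCP, known but static, or unknown.

    A leased IP answered by a different MAC is treated as unknown, since the
    DHCP record no longer describes who is actually using the address.
    """
    report: Dict[str, Dict[str, str]] = {"leased": {}, "known_static": {}, "unknown": {}}
    for ip, mac in arp.items():
        if leases.get(ip) == mac:
            report["leased"][ip] = mac
        elif mac in known:
            report["known_static"][ip] = mac
        else:
            report["unknown"][ip] = mac
    return report


if __name__ == "__main__":
    result = classify(parse_arp(ARP_SAMPLE), DHCP_LEASES, KNOWN_MACS)
    for bucket, hosts in result.items():
        for ip, mac in sorted(hosts.items()):
            print(f"{bucket:13s} {ip:16s} {mac}")
```

Run on a server that sits on the same layer 2 segment as the clients (the same constraint m_walker notes for host-level MAC filters); on a routed VLAN the ARP table only shows the router, so the check has to be done from a host inside the segment. The "unknown" bucket is the list to reconcile against the switch's port MAC lists.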
 

Author Comment

by:P3admin
ID: 35228154
Just trying to block a few computers that are brought into the building from connecting to resources. Nothing too insidious :)
I found a good link for the DHCP server callout that had a live link to the downloadable executable:
http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx
Thanks all for your help on this :)
 
LVL 4

Expert Comment

by:m_walker
ID: 35228165
OK. No probs.