Overview

The increased threat perception has caused security to be instrumented and enabled at various levels of the enterprise IT infrastructure. Network and system administrators are increasingly security conscious and are constantly looking to insulate their systems from potential threats that may arise from the addition of new clients or devices to their networks. The proliferation of IP-enabled devices in an enterprise poses security challenges for a network administrator. Administrators would like the ability to control specifically which clients can avail themselves of enterprise network resources and, conversely, which rogue clients should be explicitly denied access to the network.

This kind of access control is precisely what the MAC address based filtering feature in the Windows Server 2008 R2 DHCP Server provides. The feature puts another low-level network access control lever in the hands of the administrator. MAC address based filtering provides a mechanism for issuing or denying DHCP leases and other network configuration based on MAC addresses. It adds a layer of security to the network and lets administrators filter incoming DHCP requests to the DHCP server based on the MAC address of the DHCP client. The Windows Server 2008 R2 DHCP server has an allow list and a deny list, which can be populated with the MAC addresses of clients that should be allowed or denied, respectively, IP address leases and other network configuration.

Sample Scenarios

Security: An administrator may have noticed the proliferation of unauthorized low-cost Wireless Access Points (WAPs) on her network. Further, a drive-by around the campus has confirmed that many of these rogue WAPs have either poor or no security enabled.

Control of infrastructure: The Chief Security Officer (CSO) has passed down a security advisory to his IT administrator relating to older printer models, which should have been phased out of the organization a few years ago. He notices that a few of these printers are still in use, in violation of company policy. The IT administrator can rectify this problem and prevent further network access for these DHCP clients by adding the vendor prefix of the MAC addresses of these network printers to the deny list on his DHCP server.

Standardization: An ISP has enabled DHCP within its datacenter and would like to ensure that only those servers that have been inspected by its team and paid for by the Line of Business (LOB) owner are online in the datacenter.

In each of the above scenarios, the DHCP administrator can add the MAC address of each device to the corresponding list on the DHCP server and thereby control the issuance of DHCP services to both compliant and errant devices.

Scope

1. Any list of allowed and denied clients is visible and effective only on the server on which it is configured.

2. This feature is available on Windows Server 2008 R2. It has no dependency on the client and works with legacy clients or clients running non-Windows operating systems.

3. This feature can be enabled only for IPv4 address management.

4. DHCP operations such as DISCOVER, RENEW, REBIND and INFORM are subject to the access controls. However, the DHCP server will respond to other DHCP servers that send DHCPINFORM packets as part of the rogue detection process, regardless of whether they are absent from the allow list or present in the deny list.

5. The DHCP server processes both the allow and deny lists (they are not mutually exclusive), with the deny list taking precedence.

6. The wildcard ‘*’ is supported when specifying MAC addresses.
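As an added illustration that is not part of the original post and not Microsoft's code, the following Python models the decision rule items 5 and 6 describe: both lists are consulted, a deny match wins, and ‘*’ acts as a wildcard so a vendor prefix can cover a whole class of devices (the printer scenario above). The per-list enable switches and all MAC addresses are assumptions constructed for the example.

```python
import re
from fnmatch import fnmatchcase

def normalize_mac(value: str) -> str:
    """Canonical comparison form: lower-case hex, separators removed. A '*' is
    kept, so this handles client MACs and patterns such as a vendor prefix."""
    cleaned = re.sub(r"[\s:\-.]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f*]{1,12}", cleaned):
        raise ValueError(f"not a MAC address or pattern: {value!r}")
    return cleaned

class MacFilter:
    """Allow/deny decision as items 5 and 6 describe: both lists are consulted,
    a deny match wins, '*' is a wildcard. The per-list enable switches model
    the console's 'Enable Allow List' / 'Enable Deny List' (assumption)."""

    def __init__(self, allow=(), deny=(), allow_enabled=False, deny_enabled=False):
        self.allow = [normalize_mac(p) for p in allow]
        self.deny = [normalize_mac(p) for p in deny]
        self.allow_enabled, self.deny_enabled = allow_enabled, deny_enabled

    @staticmethod
    def _first_match(patterns, mac):
        # '?' and '[' never reach fnmatch: normalize_mac admits only hex and '*'.
        return next((p for p in patterns if fnmatchcase(mac, p)), None)

    def decide(self, client_mac: str) -> "tuple[bool, str]":
        """Return (serve_lease, reason); the reason is meant for the audit log."""
        mac = normalize_mac(client_mac)
        if not re.fullmatch(r"[0-9a-f]{12}", mac):
            raise ValueError(f"client MAC must be a full address: {client_mac!r}")
        if self.deny_enabled:  # checked first: the deny list takes precedence
            hit = self._first_match(self.deny, mac)
            if hit is not None:
                return False, f"denied: matches deny entry {hit}"
        if self.allow_enabled:  # allow list on: anything unlisted is refused
            hit = self._first_match(self.allow, mac)
            if hit is None:
                return False, "denied: allow list enabled and no entry matches"
            return True, f"allowed: matches allow entry {hit}"
        return True, "allowed: no enabled list excludes this client"

if __name__ == "__main__":
    # Constructed sample data, not real devices: AA-BB-CC stands in for the
    # phased-out printers' vendor prefix; the allow entry covers approved servers.
    flt = MacFilter(allow=["00-11-22-33-44-*"], deny=["AA-BB-CC-*", "00-11-22-33-44-55"],
                    allow_enabled=True, deny_enabled=True)
    for mac in ["00:11:22:33:44:66", "00-11-22-33-44-55", "aa.bb.cc.01.02.03", "11-22-33-44-55-66"]:
        print(f"{mac} -> {flt.decide(mac)}")
```

The second sample address sits inside the allowed range but is also listed explicitly in the deny list, and is refused, which is the precedence rule of item 5 in action.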

Raunak Pandya

DHCP Server Team