Microsoft Windows DHCP Team Blog

The world's most deployed DHCP Server! Deploy and discuss about your fav. server, here!

Link Layer Based Filtering?

Link Layer Based Filtering?

  • Comments 10
  • Likes

Overview

The increased threat perception has caused security to be instrumented and enabled at various levels in the enterprise IT infrastructure. Network and system administrators are increasingly becoming security conscious and are constantly on the lookout to insulate their systems from any  potential threats that may arise from addition of new clients/devices on their networks. The proliferation of IP enabled devices in an enterprise poses security related challenges to a network admin. The administrators would like to have the ability to specifically control as to which clients can avail of enterprise network resources or conversely rogue clients that should be explicitly denied access to the network.

This kind of access control is precisely what MAC address based filtering feature in Windows Server 2008 R2 DHCP Server provides. This feature puts another low level network access control lever in the hands of the administrator. MAC address based filtering  provides a mechanism for issuance/denial of DHCP leases and other network configuration, based on MAC addresses. It provides an additional layer of security on the network and allows the administrators to filter incoming DHCP Requests to DHCP Server based on the MAC Address of the DHCP client.  Windows Server 2008 R2 DHCP server has an allow and deny list which can be populated with MAC addresses of clients which need to be allowed or denied access, respectively, to IP address leases and other network configuration.

Sample Scenarios

Security: An administrator may have noticed the proliferation of unauthorized low cost Wireless Access Points (WAP) on her network. Further, a drive-by around campus has confirmed, that many of these rogue WAPs, either have poor or no security enabled.

 

Control of infrastructure:  The Chief Security Officer (CSO ) has passed down a security advisory to his IT administrator, which relates to an older version of printers, which should have been phased out from his organization a few years ago.    He notices that a few of these printers are still in use, in violation of company policies.   The IT administrator, can rectify this problem and prevent further network access to this DHCP client by adding thevendor prefix of the MAC addresses of these network printers into the deny list on his DHCP server.

 

Standardization: An ISP has enabled DHCP within its datacenter and would like to ensure that only those servers that have been inspected by his team and have been paid for, by the Line of Business (LOB) owner, are online in the data center.

In each of the above scenarios, the DHCP administrator can add the MAC address for each server into the corresponding list on his DHCP server and thereby control the issuance of DHCP services to both compliant and errant devices.

Scope

1.       Any list of allowed and denied clients is visible and effective only on the server, which they are configured on.

2.       This feature is available on Windows Server 2008 R2. However, it does not have any dependency on the client and works fine with legacy clients or clients running non-Windows OS.

3.       This feature can be enabled only for IPv4 address management.

4.       DHCP operations like DISCOVER, RENEW, REBIND, INFORM will be subjected to the access controls. However, DHCP Server will respond to other DHCP Servers, which send DHCPINFORM packets as a part of Rogue Detection process, irrespective of the fact whether they are absent in Allow list or present in Deny list.

5.       The DHCP Server will process both Allow and Deny lists (they are not mutually exclusive) with deny list having precedence

6.       Wild card ‘*’ is supported while specifying MAC addresses.

 

Raunak Pandya

DHCP Server Team

Comments
  • Hello Everybody, Thanks for all those who tried the MacFilterCallout dll . As you all must have checked

  • Is there a way of importing a list of MAC addresses into the 2008 R2 DHCP server. I cannot find the MAClist file that there was on the Windows 2003 server version and I have about 800 addresses to be added to the ALLOWED list.

    Thanks

    Pete

  • Hey Pete,

    In case you were using the MacFilterCallout dll and you have the Maclist.txt file with you, you can use the following tool to import the entries in WS08 R2 DHCP Server:

    http://blogs.technet.com/teamdhcp/archive/2009/02/16/mac-filter-import-tool.aspx

    Or else,

    the DHCP MMC in WS08 R2 also supports converting active lease to filters.

    Hopefully this would make your job easier.

    Thanks

    Raunak Pandya

    DHCP Server Team

  • This tool can be used by DHCP Administrators to view all the events generated by Windows DHCP Server

  • DHCP Server team is excited to announce that the much appreciated and loved feature, MAC Address based

  • I have not seen the DHCP Security change feature yet and was wondering if there is a download for the DHCP module so that it can be used on all of the Windows 2000, 2003 and 2008 Non-R2 servers.  If you have a small business you may not have the budget to upgrade the entire server platform to 2008R2, so what is Microsoft doing to help these types of customers?  It would seem Microsoft should provide this to help follow the Presidents lead on Cybersecurity http://www.whitehouse.gov/the_press_office/Statement-by-the-President-on-the-White-House-Organization-for-Homeland-Security-and-Counterterrorism/

    Can anyone tell me if there is a DHCP update for these other platforms that allows an Administrator a way to control which MAC addresses get on your network?   I would hope it has a MAC request window to allow the network administrator to see all of the requesting MAC ID’s in a simple window which would have an option to provide a Security ADMIN to allow Once or Allow Permanent Access, Decline Access by the requesting MAC ID selected in the window by an Admin.

  • Hello Bruce,

    If I understand your concern correctly, you need to have link layer filtering or MAC based filtering in previous version of Windows OS.

    We had been supporting this through our callout dll, please check the following link if it suffices your requirements.

    http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx

    Thanks,

    Subhash Badri

  • We have had questions asked of us on the impact of the link layer filtering (aka MAC address based filtering)on the DHCP server performance.

    Based on the testing conducted for measuring impact of MAC address based filtering on performance, we have found negligible performance drop with MAC address based filtering configured.

    With 100,000 MAC addresses configured (50,000 each in allow and deny list), the drop in average response time was to the order of 1-2% across multiple test runs.

    Prasad

  • You say the deny list takes precedence? I want to deny all mac addresses except for those I explicitly allow.  I thought this would be accomplished by adding * to the deny list and adding the individual addresses to the allow list, but if the deny list takes precedence then it would seem that even the allowed devices would be blocked.  Obviously I'm not understanding something here. Help?

  • Nevermind! Found my answer: technet.microsoft.com/.../ff521761.aspx

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment