As we all know, DHCP Servers are used to assign IP Addresses and other configuration information to client computers running almost any sort of operating system, ranging from regular desktop computers, through laptop computers, up to thin clients and mobile devices. All these require a DHCP server in order to get their TCP/IP configuration settings (unless you manually configure them). One of the major headaches around using DHCP servers was the fact that the moment a computer is connected to your network, it will ask for, and receive, an IP Address from any available DHCP. This will happen to both trusted and un-trusted computers, causing us, the administrators, a potential security risk.
Didn‘t you ever wish you could use your Windows-based DHCP server to filter out unwanted MAC Addresses? Up to this point, the only option you had was either to labor through the process of configuring manual reservation for all your known DHCP clients, or use 3rd-Party filtering hardware.
Well, now you can!
Published a while ago by Raunak Pandya from the DHCP Server Team, a DLL that you can install on your Windows Server 2003 and Windows Server 2008 DHCP servers, and which helps administrators to filter out DHCP Requests to DHCP Server based on MAC Address. This DLL is called the “DHCP Server Callout DLL”.
Note: A MAC Address, or Media Access Control Address is the unique hardware identifier of a network interface card (or NIC), and comes in the format of 02-00-54-55-4E-01.
How does it work?
When a device or computer tries to connect to network, it will first try to obtain an IP Address from any available DHCP Server. When installed, the DHCP Server Callout DLL checks if this device MAC Address is present in known list of MAC addresses configured by administrators. If it is present, the device will be allowed to obtain an IP Address from the DHCP. Otherwise, the device requests will be ignored based on the action configured by administrator.
MAC address based filtering will allow the network administrator to ensure that only a known set of devices in the system are able to obtain an IP Address from the DHCP. This DLL will help administrators enforce additional security into their network.
Issues solved by using the DHCP Server Callout DLL
The DHCP Server Callout DLL will help the network administrators to solve either of the following problems:
- Allow only a specific set of known MAC addresses to obtain an IP Address from the DHCP server. This list can be easily compiled by using your server/client computer documentation, by using a good monitoring software such as SMS 2003, or by using WMI-based scripts.
- Deny Machines belonging to set of MAC addresses from obtaining an IP Address from the DHCP server.
Unfortunately, DHCP Server Callout DLL can currently only perform one action. Either allow, or deny, specific MAC Addresses. It cannot do both.
The DHCP Server Callout DLL works on both Windows Server 2003 and Windows Server 2008 DHCP servers.
When installing, both the dll (MacFilterCallout.dll) and the Setup document (SetupDHCPMacFilter.rtf) are copied to the %SystemRoot\%system32 folder. On 64-bit operating systems, the location for installation is %SystemRoot%\SysWOW64.
Make sure you read the documentation before using the tool. As noted above, the documentation‘s filename is SetupDHCPMacFilter.rtf, and you can find it in the %SystemRoot%\system32 folder.
You can download the MacFilterCallout application from MacFilterCallout.zip.
For another article on this topic, you can take a look at Microsoft Windows DHCP Team Blog : DHCP Server Callout DLL for MAC Address based filtering.