Hello everyone! One thing I wanted to post about today is MAC address filtering using DHCP on Windows Server 2003. The Microsoft DHCP team has a utility just for this called the MAC Filter Callout. It is essentially a DLL file, a .txt file and some registry settings that let you administer DHCP filtering on your server. MAC addresses can be spoofed, so I see this as a good first step, or even a good step on its own depending on your environment (personally I am a fan of RADIUS authentication).

The tool is downloadable here: http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-02-09-83-36/MacFilterCalloutInstaller.zip It installs MacFilterCallout.dll and SetupDHCPMacFilter.rtf in %SystemRoot%\system32 on a 32-bit system and in %SystemRoot%\SysWOW64 on a 64-bit system.

Make the following registry changes:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

Key Name                   Key Type      Description
CalloutDlls                REG_MULTI_SZ  The location of MacFilterCallout.dll
CalloutEnabled             DWORD         0 = Disable MacFilterCallout, 1 = Enable MacFilterCallout
CalloutErrorLogFile        REG_MULTI_SZ  Error log path. If this key is not specified, the callout DLL writes errors to %WINDIR%\System32\Log.txt
CalloutInfoLogFile         REG_MULTI_SZ  Info log path. If this key is not present, no informational messages are logged.
CalloutMACAddressListFile  REG_MULTI_SZ  Name and location of the MAC filtering list you are going to create next.
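
As an added example (not part of the original post, and not code from the MAC Filter Callout tool), the following Python script writes the five values above as a .reg file that can be imported with regedit on the server. The REG_MULTI_SZ values have to be emitted as hex(7) data (UTF-16LE bytes, each string NUL-terminated, plus a final NUL), which is easy to get wrong by hand; the file paths in the usage section are assumed sample values for a 32-bit server and should be adjusted to where the installer put the DLL and where you keep the list.

```python
from typing import List

# Registry key from the post; the value names and types are those listed above.
DHCP_PARAMS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters"


def reg_multi_sz(strings: List[str]) -> str:
    """Encode a REG_MULTI_SZ value in .reg syntax: hex(7) followed by the
    UTF-16LE bytes of each string, each NUL-terminated, plus a final NUL."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{byte:02x}" for byte in data)


def decode_multi_sz(encoded: str) -> List[str]:
    """Inverse of reg_multi_sz, used to check that the encoding round-trips."""
    raw = bytes.fromhex(encoded[len("hex(7):"):].replace(",", ""))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def reg_dword(value: int) -> str:
    """Encode a DWORD value in .reg syntax (eight hex digits)."""
    return f"dword:{value:08x}"


def build_callout_reg(dll_path: str, enabled: bool, error_log: str,
                      info_log: str, mac_list_file: str) -> str:
    """Return the text of a .reg file that sets the five MacFilterCallout values."""
    values = [
        ("CalloutDlls", reg_multi_sz([dll_path])),
        ("CalloutEnabled", reg_dword(1 if enabled else 0)),
        ("CalloutErrorLogFile", reg_multi_sz([error_log])),
        ("CalloutInfoLogFile", reg_multi_sz([info_log])),
        ("CalloutMACAddressListFile", reg_multi_sz([mac_list_file])),
    ]
    lines = ["Windows Registry Editor Version 5.00", "", f"[{DHCP_PARAMS_KEY}]"]
    lines += [f'"{name}"={data}' for name, data in values]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed sample paths for a 32-bit server. %SystemRoot% is expanded by hand
    # here because REG_MULTI_SZ data is not environment-variable expanded.
    sysdir = r"C:\WINDOWS\system32"
    print(build_callout_reg(
        dll_path=sysdir + r"\MacFilterCallout.dll",
        enabled=True,
        error_log=sysdir + r"\MacFilterError.log",
        info_log=sysdir + r"\MacFilterInfo.log",
        mac_list_file=sysdir + r"\MACList.txt",
    ), end="")
```

Writing the paths as hex(7) also sidesteps the backslash escaping that quoted string data needs in .reg files. Set enabled=False to generate a file that leaves the DLL registered but turns filtering off, which is a quick way to back out if clients stop getting leases.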

MAC Address List format:

#MACList.txt
MAC_ACTION = {ALLOW / DENY}
#List of MAC Addresses:
000a0c0d1254     #lab-server1
000d0c4a6723     #lab-server2

  • The file supports comments. A comment starts at a '#' sign; any text from the '#' to the end of the line is treated as a comment.
  • The first line in the file (excluding comments) should specify the action. The action can be either ALLOW or DENY.
    • When the action is ALLOW, all requests from MAC addresses present in this list will be served by the DHCP server. All requests originating from MAC addresses not present in this list will be ignored.
    • When the action is DENY, all requests from MAC addresses present in the list will be ignored by the DHCP server. All requests from MAC addresses not present in this list will be served.
    • Only one action, ALLOW or DENY, can be specified in the MAC Address List File.
  • MAC addresses should be specified in the format XXXXXXXXXXXX (where each X is a hex digit 0-F). There should not be any delimiter such as - or : in the MAC address. Each MAC address should be on a separate line.
  • Any error in the MAC Address List File is logged to CalloutErrorLogFile or the default error log file. The expected behaviour of the DLL on errors is:
    • If the action is not specified correctly, the DHCP server functions as if there were no callout DLL, i.e. none of the requests are ignored.
    • If one or more MAC addresses are not specified correctly, those MAC address entries are ignored and an error is logged in the error log file.
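
To make the rules above concrete, here is an added Python model of the list file (example code written for this post, not the callout DLL's own parser, whose exact matching rules are not documented here): it strips comments, reads the action from the first non-comment line, validates each MAC as twelve hex digits, and applies the ALLOW/DENY semantics, including the two error behaviours (a bad action line disables filtering, a bad MAC entry is skipped and logged). The sample list is constructed from the post's two entries plus one deliberately malformed entry, and the exact whitespace tolerance around MAC_ACTION is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# A valid entry is exactly twelve hex digits with no delimiters.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")
# Assumed form of the action line; whitespace around '=' is tolerated.
ACTION_RE = re.compile(r"^MAC_ACTION\s*=\s*(ALLOW|DENY)$")


@dataclass
class MacFilter:
    action: Optional[str]                 # "ALLOW", "DENY", or None if the action line was bad
    macs: Set[str] = field(default_factory=set)
    errors: List[str] = field(default_factory=list)

    def should_serve(self, client_mac: str) -> bool:
        """Decide whether a DHCP request from client_mac would be served.
        The client MAC may carry ':' or '-' delimiters; they are stripped."""
        mac = re.sub(r"[^0-9A-Fa-f]", "", client_mac).lower()
        if self.action is None:
            return True       # bad action line: behaves as if no callout DLL were loaded
        if self.action == "ALLOW":
            return mac in self.macs
        return mac not in self.macs


def parse_mac_list(text: str) -> MacFilter:
    """Parse MACList.txt contents according to the rules listed above."""
    action: Optional[str] = None
    macs: Set[str] = set()
    errors: List[str] = []
    action_seen = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop the comment and surrounding whitespace
        if not line:
            continue
        if not action_seen:
            # The first non-comment line must be the action.
            action_seen = True
            match = ACTION_RE.match(line)
            if match:
                action = match.group(1)
            else:
                errors.append(f"line {lineno}: bad action line {line!r}; filtering disabled")
            continue
        if MAC_RE.match(line):
            macs.add(line.lower())
        else:
            errors.append(f"line {lineno}: invalid MAC address {line!r}; entry ignored")
    return MacFilter(action, macs, errors)


# Constructed sample list: the post's two entries plus one malformed entry.
SAMPLE_LIST = """#MACList.txt
MAC_ACTION = ALLOW
#List of MAC Addresses:
000a0c0d1254     #lab-server1
000d0c4a6723     #lab-server2
00-0d-0c-4a-67-99   #delimiters are not allowed, so this entry is ignored and logged
"""

if __name__ == "__main__":
    flt = parse_mac_list(SAMPLE_LIST)
    print("action:", flt.action, "entries:", sorted(flt.macs))
    for err in flt.errors:
        print("error:", err)
    for client in ("00:0a:0c:0d:12:54", "000d0c4a6799"):
        print(client, "->", "served" if flt.should_serve(client) else "ignored")
```

Running the list through a checker like this before restarting DHCP catches the two silent failure modes: a mistyped action line that quietly turns filtering off, and a delimited MAC that drops a host from an ALLOW list so it stops getting leases.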

Once you are ready to start using MAC address filtering, and you have your registry changes and MAC Address List filled out the way you like, go ahead and perform the following:

Stop the DHCP Service.

Start the DHCP Service. When the DHCP server starts, event 1033 is logged if the callout DLL was loaded correctly by the DHCP server.

Categories: Windows

