DHCP restriction via MAC...



Steven Sinclair
07-09-2005, 11:51 PM
Windows 2003 Server Enterprise Edition
Windows Built-In DHCP Service

Is there any way to restrict whether or not a client on a local LAN receives
a DHCP address from my server based on MAC address?

Let's say I have a visiting vendor. I do not want that notebook computer to
automatically pick up an IP address from my server as soon as he plugs the
machine into my network. Instead, knowing his MAC address, I'd want the
server not to assign him one.

Thanx.

Steven L Umbach
07-09-2005, 11:51 PM
You could try to create a DHCP scope that has nothing but reservations which
map a MAC address to an IP address in the scope. That can be very time
consuming on all but the smallest networks, and I have read of users saying
that DHCP still would dish out a reserved IP address to a computer if no
other IP addresses were available and there were reserved IP addresses not
in use.

DHCP reservations can be very useful, but they are a poor security safeguard,
as a user could simply assign static IP info to his computer that would
allow access and even potentially deny a legitimate computer from receiving
an IP address if the user assigns an IP that is already in the DHCP scope.
Switches that can filter traffic by MAC address, 802.1X authentication, or
using IPsec in the domain are other ways to increase security to prevent
access from unauthorized computers. MAC filtering can be easily spoofed by
malicious users, 802.1X takes a lot of planning and compatible
hardware/operating systems, and IPsec can be very effective in a domain if
all the computers are IPsec capable. IPsec cannot, however, prevent a
computer from using the DHCP server, since DHCP is broadcast based, but it
can prevent a non-domain computer from accessing a domain computer with an
IPsec "require" policy with default Kerberos computer authentication. --- Steve



"Steven Sinclair" <StevenSinclair@discussions.microsoft.com> wrote in
message news:098C4021-7036-4DBD-8171-8F33AA6ED0B9@microsoft.com...

Karl Levinson, mvp
07-09-2005, 11:51 PM
Agreed. While DHCP reservations per MAC are generally considered a pain,
especially during initial setup, they aren't that much more of a pain than
enabling port security to do MAC address filtering on your switches. This
is something else you could consider. I think it's somewhat more commonly
done than DHCP MAC address filtering, since it's more secure. It prevents
people from selecting their own IP address, from collecting data by
eavesdropping / sniffing, prevents use of other protocols besides TCP/IP,
and prevents people from using man in the middle / session hijacking, etc.


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uWDGpz0WFHA.4036@TK2MSFTNGP10.phx.gbl...

Faisal [MSFT]
07-09-2005, 11:51 PM
I would suggest you go for IPsec; MAC filtering is not reliable.

thnx
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:%23aVJSB1WFHA.2684@TK2MSFTNGP09.phx.gbl...

Karl Levinson [x y], mvp
07-09-2005, 11:51 PM
Agreed. MAC address filtering just raises the bar by preventing rogue
devices from being accidentally connected to your network. An inside
attacker can take a valid network card or spoof the MAC address to bypass any
kind of MAC-address filtering. [Although arguably an attacker with physical
access to your internal Windows systems already has access to the TCP/IP
protocol, so MAC address filtering schemes can still play a role depending on
what threats you are trying to secure against.]



"Faisal [MSFT]" wrote:


Steven L Umbach
07-09-2005, 11:51 PM
I agree with Karl, and why not use both if available for defense in depth?
MAC filtering does raise the bar to entrance and could prevent unauthorized
computers from obtaining DHCP leases [unlike IPsec], which could lead to a
denial of service attack against legitimate computers if the DHCP scope is
used up by unauthorized computers. Just because a security mechanism has
weaknesses does not mean it should not be used, particularly if the cost to
implement and manage is minimal. I lock my doors at night with a dead bolt.
That is not very secure, is it? A determined burglar could still gain access,
but that does not mean I will not do it. In thirty years of home ownership I
have never been burglarized. --- Steve


"Karl Levinson [x y], mvp" <levinson_k@despammed.com> wrote in message
news:BE7F002E-41C1-45B6-8D11-FD5A8FE9EC27@microsoft.com...
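
Added example, not code from the thread or from any of the posters: a small
Python check over Windows DHCP server audit-log lines that puts Steve's two
points (his first post on reservation-only scopes and static-IP bypass, and
the post just above on scope exhaustion) into detection terms. It flags a
lease handed to a MAC address that is not on an allow-list (the visiting
notebook from the original question), and flags address conflicts and pool
exhaustion, the denial-of-service outcome Steve describes. The column order
ID,Date,Time,Description,IP Address,Host Name,MAC Address and the event IDs
10/11/13/14 are assumed from the DHCP audit-log header; the log lines, host
names and the allow-list are constructed sample data.

```python
"""Flag DHCP leases to unknown MACs, address conflicts and pool exhaustion
from Windows DHCP server audit-log lines (DhcpSrvLog-*.log style).

Column layout and event IDs are assumed from the audit-log header; the log
lines below are constructed samples, not a real capture."""
import csv
import io

# Audit-log event IDs (assumed from the log header; only the ones this
# check cares about).
NEW_LEASE = "10"         # a new IP address was leased to a client
RENEWED_LEASE = "11"     # a lease was renewed by a client
ADDRESS_CONFLICT = "13"  # address already in use on the network
POOL_EXHAUSTED = "14"    # request could not be satisfied, scope is full

# Constructed sample log: two known workstations, one unknown notebook,
# one address conflict and one scope-exhausted event.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,07/09/05,08:01:12,Assign,192.168.1.50,wkstn01.corp.example,00-11-22-33-44-55
11,07/09/05,08:03:40,Renew,192.168.1.51,wkstn02.corp.example,0011223344AA
10,07/09/05,08:05:07,Assign,192.168.1.52,vendor-laptop,00:DE:AD:BE:EF:01
13,07/09/05,08:06:19,Conflict,192.168.1.53,,
14,07/09/05,08:07:02,Scope full,,,
"""

# Constructed allow-list of the MACs that should ever get a lease.
ALLOWED_MACS = {"00-11-22-33-44-55", "00-11-22-33-44-AA"}


def normalize_mac(raw):
    """Canonical form AA-BB-CC-DD-EE-FF. The server log writes MACs without
    separators, while inventories and switches use ':' or '-', so compare
    on the hex digits only. Returns None if it is not a 48-bit address."""
    hexdigits = "".join(ch for ch in raw.upper() if ch in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def analyze(log_text, allowed_macs):
    """Return a list of (kind, ip, host, mac) findings in log order.

    kind is 'unknown-mac' for a lease (new or renewed) to a MAC outside the
    allow-list, 'conflict' for event 13 and 'pool-exhausted' for event 14."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    findings = []
    reader = csv.reader(io.StringIO(log_text))
    next(reader, None)  # skip the column header line
    for row in reader:
        if len(row) < 7:
            continue  # preamble or malformed line, not a lease record
        event, _date, _time, _desc, ip, host, mac = row[:7]
        if event in (NEW_LEASE, RENEWED_LEASE):
            canon = normalize_mac(mac)
            if canon not in allowed:
                findings.append(("unknown-mac", ip, host, canon or mac))
        elif event == ADDRESS_CONFLICT:
            findings.append(("conflict", ip, host, None))
        elif event == POOL_EXHAUSTED:
            findings.append(("pool-exhausted", ip, host, None))
    return findings


if __name__ == "__main__":
    for kind, ip, host, mac in analyze(SAMPLE_LOG, ALLOWED_MACS):
        print(f"{kind:15} ip={ip or '-':15} host={host or '-':22} mac={mac or '-'}")
```

The limit of a server-side check is the one Steve names: a host that assigns
itself a static address never talks to the DHCP server, so it only shows up
here as a conflict (event 13), and only if the server's conflict-detection
attempts are set above zero. For that case the switch's MAC table or port
security, Karl's suggestion, is where the evidence is.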

Karl Levinson, mvp
07-09-2005, 11:51 PM
Also, unless I'm mistaken, to do this with IPSec, you would either have to
use static pre-shared keys, stand up a certificate server, or use Kerberos.
All three of those have pros and cons and may or may not play well with
non-Windows systems or may present implementation challenges in certain
environments.


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23JwA4s8WFHA.2076@TK2MSFTNGP15.phx.gbl...

Ray
07-09-2005, 11:51 PM
Look at www.metainfo.com . Not free but does precisely what you want and a
whole lot more.

Ray

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:eYuqcm$WFHA.2520@TK2MSFTNGP09.phx.gbl...

Faisal [MSFT]
07-09-2005, 11:52 PM
I wouldn't use MAC filtering, it's useless.
With IPSec you will have a catch-22. It's based on IP, so the server would
expect the client to have an IP.
This leaves you with a last choice: 802.1x authentication,

both for Windows/non-Windows.

HTH

Faisal
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:eYuqcm$WFHA.2520@TK2MSFTNGP09.phx.gbl...
>> >> > the
>> >> >> > machine into my network. Instead, knowing his MAC address, I'd
> want
>> >> >> > the
>> >> >> > server not to assign him one.
>> >> >> >
>> >> >> > Thanx.
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>
>

Karl Levinson, mvp
07-09-2005, 11:52 PM
As I said, MAC filtering is not useless. You just have to know what it is
intended to block against and make sure the gain is worth the cost. For
example, MAC filtering ensures that a rogue device cannot just be
accidentally plugged into your network. If there is a rogue device on your
network, you know that someone [usually an insider] intentionally took
action to bypass your security, and you can take punitive action against
that person. MAC filtering is not intended to keep hackers off your
network, so you shouldn't expect it to do that, but that's only one of the
goals of a total enterprise security plan that uses multiple layers of
defense-in-depth.

IPSec requiring an IP address isn't really a catch-22. There are many
security schemes such as Windows 2003 Server Quarantine Server and the
related Cisco solution that first give you an IP address, and then use that
connectivity to ask your machine whether it meets your security policy.
This is all often done in an isolated vlan subnet. However, these
quarantine solutions are also not really intended to keep out hackers either
but to prevent legitimate users from putting unpatched machines on the
network.


"Faisal [MSFT]" <faisal@online.microsoft.com> wrote in message
news:ONrxRnfXFHA.1556@TK2MSFTNGP10.phx.gbl...
> I wouldn't use MAC filtering, it's useless.
> IPSec, you will have a catch-22. It's based on IP so the server would expect
> the client to have an IP.
> This leaves you with a last choice: 802.1x authentication.
>
> both for Windows/non windows.
>
> HTH
>
> Faisal
> "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
> news:eYuqcm$WFHA.2520@TK2MSFTNGP09.phx.gbl...
> > Also, unless I'm mistaken, to do this with IPSec, you would either have to
> > use static pre-shared keys, stand up a certificate server, or use Kerberos.
> > All three of those have pros and cons and may or may not play well with
> > non-Windows systems or may present implementation challenges in certain
> > environments.
> >
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:%23JwA4s8WFHA.2076@TK2MSFTNGP15.phx.gbl...
> >> I agree with Karl and why not use both if available for defense in
> >> depth?? Mac filtering does raise the bar to entrance and could prevent
> >> unauthorized computers from obtaining DHCP leases [unlike ipsec] which
> >> could lead to a denial of service attack to legitimate computers if the
> >> DHCP scope is used up by unauthorized computers. Just because a security
> >> mechanism has weaknesses does not mean it should not be used, particularly
> >> if cost to implement and manage is minimal. I lock my doors at night with
> >> a dead bolt. That is not very secure is it?? A determined burglar could
> >> still gain access but that does not mean I will not do it. In thirty years
> >> of home ownership I have never been burglarized. --- Steve
> >>
> >>
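Karl's point above that a rogue device on a MAC-restricted network means someone acted deliberately, and Steve's warning that unauthorized leases can use up the scope, both argue for watching the DHCP server's own lease log rather than trusting the filter. The following is an added example, not code from anyone in this thread: it reads Windows DHCP audit-log rows (assumed 7-column layout, event 10 = new lease, 11 = renewal), lists leases handed to MACs outside an allowlist, and reports scope utilization; the allowlist, log lines and scope range are all constructed.

```python
# Added example (not code from the thread). Assumes the 7-column Windows DHCP
# audit log layout: ID,Date,Time,Description,IP Address,Host Name,MAC Address
# (event 10 = new lease, 11 = renewal). Allowlist and log lines are constructed.
import csv
import io
from ipaddress import ip_address

ALLOWED_MACS = {"000C29AABBCC", "001B21DDEE01"}  # constructed corporate allowlist
LEASE_EVENTS = {"10", "11"}                       # Assign / Renew

SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,07/09/05,23:40:12,Assign,192.168.1.50,WKS01,000C29AABBCC
11,07/09/05,23:41:03,Renew,192.168.1.51,WKS02,001B21DDEE01
10,07/09/05,23:45:30,Assign,192.168.1.52,VENDOR-NB,00-1A-2B-3C-4D-5E
10,07/09/05,23:46:01,Assign,192.168.1.53,,0050569A1234
00,07/09/05,23:46:02,Started,,,
"""

def normalize_mac(raw):
    """Strip separators and uppercase so '00-1a-2b' and '001A2B' compare equal."""
    return "".join(ch for ch in raw if ch.isalnum()).upper()

def lease_rows(log_text):
    """Yield only Assign/Renew rows; skip service start/stop and other events."""
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("ID") in LEASE_EVENTS:
            yield row

def find_unknown_leases(log_text, allowed=ALLOWED_MACS):
    """Return (ip, host, mac) for every lease handed to a MAC not on the allowlist."""
    return [(r["IP Address"], r["Host Name"], normalize_mac(r["MAC Address"]))
            for r in lease_rows(log_text)
            if normalize_mac(r["MAC Address"]) not in allowed]

def scope_utilization(log_text, scope_start, scope_end):
    """Fraction of [scope_start, scope_end] held by distinct leased IPs in the log."""
    lo, hi = ip_address(scope_start), ip_address(scope_end)
    leased = {ip_address(r["IP Address"]) for r in lease_rows(log_text)}
    in_scope = [ip for ip in leased if lo <= ip <= hi]
    return len(in_scope) / (int(hi) - int(lo) + 1)

if __name__ == "__main__":
    for ip, host, mac in find_unknown_leases(SAMPLE_LOG):
        print(f"lease to unknown MAC: {ip} {host or '<no hostname>'} {mac}")
    used = scope_utilization(SAMPLE_LOG, "192.168.1.50", "192.168.1.59")
    print(f"scope utilization: {used:.0%}")  # high values warn of exhaustion
```

A spoofed MAC that matches the allowlist will not show up here, which is exactly the limitation the thread describes; what the log does give you is the unexpected lease and the scope pressure, both of which are worth an alert.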