MAC addressing filtering for DHCP leases<\/h2>\n
In Windows Server 2008 R2 you can now create \u201callow\u201d and \u201cdeny\u201d filter lists for MAC addresses in DHCP. We\u2019re used to creating such lists on small wireless networks, but why not do the same thing on both your wired and wireless networks? You can make it easier to exert some control over who connects to your network by configuring your MAC address allow and deny lists in your DHCP server.<\/p>\n
You can access this feature by opening the DHCP console and navigating down to the Filters<\/strong> node in the IPv4 tree (note that filters are not available for IPv6 addresses). You have two options when you right click the Allow<\/strong> or Deny<\/strong> node \u2013 New Filter<\/strong> and Enable<\/strong>. In general, you should have your list of MAC addresses that you want to allow or deny first, then create the filter entries, and then enable the allow or deny options. You can see an example of this in the figure below.<\/p>\n When you select the Filter<\/strong> option, you will see the New Filter<\/strong> dialog box, where you enter a MAC address<\/strong> and an optional Description<\/strong>.<\/p>\n You\u2019d think that after you click Enable<\/strong> it will enable MAC address filtering for your allow and deny lists. However, there is one more thing you need to do. Right click IPv4<\/strong> in the left pane of the console and click Properties<\/strong>. Then in the IPv4 Properties<\/strong> dialog box, click the Filters<\/strong> tab. Put checkmarks in the Enable Allow List<\/strong> and\/or Enable Deny List<\/strong> depending on what you want to do. Note the warning here: clients that had previously received IP addresses will be denied address renewal, unless their MAC addresses\/patterns are present in the allow list. So, before you start your MAC address filtering, make sure to read the next section, which will make entering MAC addresses in your allow list a lot easier.<\/p>\n You could add new filtering lists by entering the MAC addresses of all the machines on your network in an Excel spreadsheet and then entering each of these, one at a time, in the DHCP console. However, that would take a while. The new DHCP console makes it easier to add MAC addresses to your filter list by using your existing leases. All you need to do is select one or more of the reservations from the list, then right click and then click Add to Filter<\/strong> and then Allow<\/strong> or Deny<\/strong>, as you can see in the figure below. This is a lot better than trying to hunt down MAC addresses and entering them one at a time.<\/p>\n Notice when we right click on the entry in the leases list that there is another option: Add to Reservation<\/strong>. All you need to do it select one or more entries in the leases list and then right click the selection and click Add to Reservation<\/strong>. After you do that, you\u2019ll see a dialog box informing you that the lease was added to a Reservation, as seen in the figure below.<\/p>\n The Windows Server 2008 R2 DHCP server can work together with DNS to prevent DNS name entries from being overwritten. Right click IPv4<\/strong> in the left pane of the console and click Properties<\/strong>. In the IPv4 Properties<\/strong> dialog box, click the DNS<\/strong> tab, as seen in the figure below.<\/p>\n In the Name Protection<\/strong> frame, click the Configure<\/strong> button.<\/p>\n When this option is enabled, the DHCP server will register A and PTR records on behalf of the client. However, if there is a name already registered in DNS which is the same, the DHCP update will fail. There are a few things you need to understand about this feature before you use it:<\/p>\n Reservations are often created for servers with specific purposes that lie outside the general IP address settings that you would assign to other machines on the network. For example, you might want to configure specific routes or name servers or default gateways to machines that have a DHCP reservation. You can do this by navigating to the Reservations<\/strong> folder in the left pane of the console and then expanding that node and clicking on the name of the machine with the reservation to which you want to assign specific DHCP options, as seen in the figure below.<\/p>\n Right click the name of the machine and then click Configure Options<\/strong>. This brings up the Reservation Options<\/strong> dialog box, as seen in the figure below. Select and configure your DHCP options and they will be applied only to this machine. Nice huh?<\/p>\n NAP is Network Access Protection, which is a NAC (Network Access Control) type feature in Windows Server 2008 R2 that allows you to control, to a certain extent, which devices can connect to your network. NAP uses three methods that you can choose from to allow you to control who can connect to your network:<\/p>\n If you choose to use DHCP enforcement, machines that pass NAP inspection will be allowed to connect to the network through assignment of a valid IP address assigned via DHCP. NAP configuration is somewhat complex and involves configuration of several servers and services, including Group Policy, Network Policy Services, DHCP and others. We won\u2019t go into all of that here, but you can find out more on Microsoft\u2019s TechNet<\/a> site. Our focus here is DHCP, and if you want to use DHCP enforcement, you will need to configure the DHCP server. Here\u2019s how:<\/p>\n Right click IPv4<\/strong> in the left pane of the console and click Properties<\/strong>. In the IPv4 Properties<\/strong> dialog box, click the Network Access Protection<\/strong> tab. On this tab, you have these options:<\/p>\n These options allow you to enable NAP DHCP enforcement on all scopes, and if you enable it and then want to disable it, to disable NAP DHCP enforcement on all scopes. Also, as you can see in the figure below, you can control DHCP server behavior when the Network Policy Server (NPS) is unreachable. You have the option of granting the clients Full Access<\/strong>, Restricted Access<\/strong> or Drop Client Packet<\/strong>.<\/p>\n You get a lot more logging information in the Windows Server 2008 R2 DHCP server. Whenever you make a change to the DHCP configuration, you will see information about that change in the Event Viewer. Also, a daily log is kept that records DHCP activity in the location %Systemroot%\\system32\\DHCP. You can see an example of that log in the figure below.<\/p>\n![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0021329854955362.jpg\")
\nFigure 1<\/strong><\/p>\n![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0041329854955362.jpg\")
\nFigure 2<\/strong><\/p>\n![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0061329854955362.jpg\")
\nFigure 3<\/strong><\/p>\nGenerate reservations and link layer address filtering lists from current leases<\/h2>\n
![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0081329855063518.jpg\")
\nFigure 4<\/strong><\/p>\n![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0101329855104158.jpg\")
\nFigure 5<\/strong><\/p>\nDHCP Name Protection<\/h2>\n
![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0121329855104158.jpg\")
\nFigure 6<\/strong><\/p>\n![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0141329855104158.jpg\")
\nFigure 7<\/strong><\/p>\n\n
Create new DHCP options that apply only to reservations<\/h2>\n
![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0161329855104174.jpg\")
\nFigure 8<\/strong><\/p>\n![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0181329855153799.jpg\")
\nFigure 9<\/strong><\/p>\nIntegration with NAP<\/h2>\n
\n
\n
![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0201329855153799.jpg\")
\nFigure 10<\/strong><\/p>\nDHCP logging enhancements<\/h2>\n
![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0221329855169987.jpg\")
![\"\"](\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0241329855153799.jpg\")