As we all know, DHCP servers assign IP addresses and other configuration information to client computers running almost any operating system, from regular desktops and laptops to thin clients and mobile devices. All of these require a DHCP server to get their TCP/IP configuration settings (unless you configure them manually). One of the major headaches with DHCP servers is that the moment a computer is connected to your network, it will ask for, and receive, an IP address from any available DHCP server. This happens for both trusted and untrusted computers, creating a potential security risk for us, the administrators.
Overview
DHCP administrators would like to control access to their networks by issuing IP addresses to known clients or denying them to selected machines. This functionality can be added to the MS DHCP Server by installing this package, which adds a lightweight layer of security to the network.
This DHCP Server Callout DLL allows the administrator to filter incoming DHCP requests to the DHCP server based on the MAC address of the DHCP client. When a device or computer tries to connect to the network, it first tries to obtain an IP address from the DHCP server. The callout DLL checks whether the MAC address of the machine is present in a list of known MAC addresses that has been configured by the administrators. The client's request to obtain an IP address or other configuration information (via DHCP) is then forwarded or dropped based on that list.
This callout DLL helps solve either of the following problems:
1. Allow machines, whose MAC addresses are configured in a list to get an IP address or
2. Deny IP addresses to machines, whose MAC addresses are configured in a list.
System Requirements
- Server: Windows 2003 Server (Enterprise or higher)/Windows 2008 Server (Enterprise or higher, 32 or 64 bit), running DHCP Server
Usage
1. Run the appropriate installer depending on your processor architecture, (i.e., on a 32 bit Windows Server OS, run <executable1.xxx> or run <executable2.xxx> on 64 bit Server OS)
2. Edit the file (e.g. MACFilter.txt) according to the file format given in the section “MAC Address List File Format”.
3. You can customize the setup in your environment by changing the following registry keys:
| Key Name | Key Type | Description |
| CalloutErrorLogFile | REG_MULTI_SZ | Specify the file path for logging errors by this callout DLL. If this registry key is not specified, the callout DLL will output errors to %WINDIR%\System32\Log.txt. E.g. C:\DHCP\LOGS\MacFilterLogError.txt |
| CalloutInfoLogFile | REG_MULTI_SZ | Specify the file path for logging information messages by the callout DLL. If this key is not present, no information messages will be logged. E.g. C:\DHCP\LOGS\MacFilterLogInfo.txt |
| CalloutMACAddressListFile | REG_MULTI_SZ | Specify the complete file path, including the name, of the MAC address list file. E.g. C:\DHCP\MacFilterList.txt |
MAC Address List File Format
- The file should contain the action followed by the MAC address list, as shown below:
#MACList.txt
MAC_ACTION = {ALLOW / DENY}
#List of MAC Addresses:
000a0c0d1254 #lab-server1
000d0c4a6723 #lab-server2
…
…
- The file supports comments. Comments start with a ‘#’ sign: any text from ‘#’ to the end of the line is treated as a comment.
- The first line in the file (excluding comments) should specify the action. The action can be either ALLOW or DENY.
- When the action is ALLOW, all requests from MAC addresses present in this list will be served by the DHCP server. All requests originating from MAC addresses not present in this list will be ignored.
- When the action is DENY, all requests from MAC addresses present in the list will be ignored by the DHCP server. All requests from MAC addresses not present in this list will be served by the DHCP server.
- Only one action, ALLOW or DENY, can be specified in the MAC address list file.
- Each MAC address should be specified in the format XXXXXXXXXXXX (where X is a hex digit 0 – F). There should not be any delimiter such as - or : in the MAC address. Each MAC address should be on a separate line.
- If there is any error in the MAC address list file, it will be logged to CalloutErrorLogFile or the default error log file. The expected behavior of the DLL in case of errors is as follows:
  - If the action is not specified correctly, the DHCP server will function as if there is no callout DLL, i.e. none of the requests will be ignored.
  - If one or more MAC addresses are not specified correctly, those MAC address entries will be ignored. An error for each will be logged in the error log file.
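A pre-deployment check for the list file, added here as an example (it is not the callout DLL's own parser or Microsoft's code): it applies the rules listed above and surfaces the two failure modes, an invalid action line that disables filtering entirely and a malformed entry that is silently dropped. The function names, the tolerance for spaces around `=`, and case-insensitive MAC matching are assumptions.

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")                   # 12 hex digits, no '-' or ':'
ACTION_RE = re.compile(r"MAC_ACTION\s*=\s*(ALLOW|DENY)")  # spacing tolerance is an assumption

def parse_mac_list(text):
    """Return (action, macs, errors); action is None if the action line is bad."""
    action, macs, errors, seen_action = None, set(), [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment to end of line
        if not line:
            continue
        if not seen_action:                   # first non-comment line must be the action
            seen_action = True
            m = ACTION_RE.fullmatch(line)
            if m:
                action = m.group(1)
            else:
                errors.append((lineno, "invalid action: filtering disabled"))
        elif MAC_RE.fullmatch(line):
            macs.add(line.lower())            # case-insensitive match is an assumption
        else:
            errors.append((lineno, "invalid MAC entry ignored: " + line))
    if not seen_action:
        errors.append((0, "no action line: filtering disabled"))
    return action, macs, errors

def is_served(action, macs, client_mac):
    """Would a request from client_mac get an answer under this list?"""
    if action is None:                        # behaves as if no callout DLL is loaded
        return True
    listed = client_mac.lower() in macs
    return listed if action == "ALLOW" else not listed

# Constructed sample: the second entry uses delimiters, which the format forbids.
SAMPLE = """#MACList.txt
MAC_ACTION = DENY
000a0c0d1254 #lab-server1
00-0d-0c-4a-67-23 #lab-server2
"""

if __name__ == "__main__":
    action, macs, errors = parse_mac_list(SAMPLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    print("lab-server2 served:", is_served(action, macs, "000d0c4a6723"))
```

In the sample, the delimited entry is dropped, so under DENY the machine it was meant to block is still served; running such a check before restarting the DHCP service catches this without waiting for the error log.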
The installer does the following:
1. Places the MAC Filter callout DLL in your system32 directory.
2. Creates or modifies the following registry keys under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
| Key Name | Key Type | Description |
| CalloutDlls | REG_MULTI_SZ | This key specifies callout dll path for DHCP server e.g. c:\windows\system32\MacFilterCallout.dll |
| CalloutEnabled | DWORD | 1 = DHCP Server loads callout DLLs (value 0 means DHCP Server does not load callout DLLs) |
| CalloutErrorLogFile | REG_MULTI_SZ | Specify the file path for logging errors by this callout DLL. If this registry key is not specified, the callout DLL will output errors to %WINDIR%\System32\Log.txt |
| CalloutInfoLogFile | REG_MULTI_SZ | Specify the file path for logging information messages by callout dll. If this key is not present, no information messages will be logged. |
| CalloutMACAddressListFile | REG_MULTI_SZ | Specify the complete file path including name of MAC address list file. |
By default, the locations of the error log, info log and MAC list are initialized at installation time to the location of the DHCP Server audit log. These values can be changed through regedit.
3. Stop DHCP server (if it is already running)
4. Start DHCP server. When DHCP server is started, event 1033 will be logged if Callout DLL is loaded successfully by DHCP server.
You can download the MacFilterCallout application from MacFilterCallout.zip.
Special thanks to Microsoft Windows DHCP Team Blog for providing this tool












