Lock IT Down: Defending your MAC address

Learn about the internal addresses on your computer that can open you to attack


In my article “Can you protect your MAC address?” I asked TechRepublic members to solve a security problem that has been perplexing me for some time. The problem stems from the ability to set your own MAC address, a legitimate and sometimes necessary functionality. Windows 95, 98, and Me do not allow you to adequately secure the system to prevent malicious or even inadvertent misuse. Check out my article “Beware of your MAC address” to learn more about this problem.

Here are some of the numerous posts and e-mails on the subject. I offered a bounty of 5,000 TechPoints for the best solution and promised to divulge the registry keys used to set your MAC address.

Port level security at the switch
Spiderman, Cedar Hannan, and Troy Etherton were among the many members who suggested implementing port-level security on the switches: only certain predetermined MAC addresses are allowed to use any given port. Most network equipment manufacturers support this feature, and it is relatively easy to implement.

TechRepublic member Spiderman detailed a simplified management technique used to govern port level security in a large diverse network:

“There is a tool I use called VMPS that is in the IOS of every Cisco Switch. VMPS means VLAN Membership Policy Server. This is a text file that lives on my Linux box that one of my Primary VMPS Switches queries at the time I configured on it. Then, all my other switches ask the Primary switch for the same info (a lot faster since they have a gig link to my Primary and the VMPS file lives in RAM). Now, in that file, I can group what switches belong to a group or what MAC addresses belong to a group (i.e., accounting) and say that ports 1-18 are only accessible for accounting.”

For his detailed explanation, Spiderman received 500 TechPoints. Cedar and Troy each received 250 TechPoints.

Monitoring for duplicate MACs
Tgreaser suggested using a public domain utility called arpwatch to monitor the network for duplicate MAC addresses. This terrific little utility lets you send out an e-mail message when something goes awry on your network. Tgreaser also received 500 TechPoints for this suggestion.
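As an added example (my own code, not arpwatch's source and not part of the original article), here is the core of what a duplicate-MAC watcher does, replayed over a constructed ARP observation log: it flags an IP whose MAC changes, a MAC that answers for more than one IP, and, tying in with the locally administered addresses discussed later in the article, a MAC whose locally-administered bit is set. The first two alert names follow arpwatch's own report types; the third is mine, and the one-record-per-line log format is an assumption.

```python
"""Minimal arpwatch-style watcher for MAC address anomalies.

Added example: my own code, not arpwatch's source and not part of the
original article.  The input format (one "timestamp ip mac" record per
line) is an assumption standing in for a sniffer's ARP observations.
"""

# Constructed sample log: 10.0.0.7 changes MAC at t=1060, that new MAC is
# then also seen answering for 10.0.0.9, and it carries the locally
# administered bit that the article's "AABBCCDDEEFF" example would also set.
SAMPLE_LOG = """\
1000 10.0.0.5 00:a0:c9:11:22:33
1001 10.0.0.7 00:50:04:aa:bb:cc
1060 10.0.0.7 aa:bb:cc:dd:ee:ff
1061 10.0.0.9 aa:bb:cc:dd:ee:ff
1062 10.0.0.5 00:a0:c9:11:22:33
"""


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, i.e. the address
    was assigned in software rather than burned in by the manufacturer."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_log(text):
    """Turn the text log into (timestamp, ip, mac) tuples, MAC lower-cased."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, mac = line.split()
        records.append((int(ts), ip, mac.lower()))
    return records


def watch(records):
    """Replay the observations and return (alert_kind, detail) pairs.

    Alert kinds mirroring arpwatch's report types:
      changed ethernet address  - a known IP is now answering from a new MAC
      duplicate mac             - one MAC is answering for more than one IP
    plus one of my own:
      locally administered address - a MAC with the U/L bit set is first seen
    """
    ip_to_mac = {}
    mac_to_ips = {}
    alerts = []
    for ts, ip, mac in records:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("changed ethernet address", f"{ts} {ip} {old} -> {mac}"))
        ip_to_mac[ip] = mac

        known_ips = mac_to_ips.setdefault(mac, set())
        if not known_ips and is_locally_administered(mac):
            alerts.append(("locally administered address", f"{ts} {mac} first seen at {ip}"))
        if known_ips and ip not in known_ips:
            alerts.append(("duplicate mac", f"{ts} {mac} also claims {ip}; already has {sorted(known_ips)}"))
        known_ips.add(ip)
    return alerts


if __name__ == "__main__":
    for kind, detail in watch(parse_log(SAMPLE_LOG)):
        print(f"{kind}: {detail}")
```

Run against the sample, the watcher raises three alerts: the MAC change on 10.0.0.7, the locally administered bit on the new address, and the same address later claiming 10.0.0.9. In practice the alert list is what you would hand to the e-mail step arpwatch provides.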

Douglassn and Tony K. approached the problem from a slightly different perspective. Douglassn suggested associating .vbs and .js files with Notepad, while Tony K. gave this detailed tutorial on locking down both e-mail and browser:

“1. Install the Outlook Attachment security update and block scripts, html files, etc. from being passed to your users. Upgrade OE for those who use it.
2. Change the default action on .reg and .vbs files to open in Notepad, rather than execute or run.
3. Enable the security settings in IE & Netscape to disable running scripts.”

Tony K. received 500 TechPoints for his detailed answer, and Douglassn received 250 TechPoints.

Look to the antivirus providers
John Buck suggested that getting the antivirus camp involved could easily solve this problem. "Using antivirus software to monitor the registry keys that change the address would be a terrific solution, if we could just convince the antivirus vendors to implement it. To that end, I suggest that everyone e-mail their antivirus vendor suggesting the monitoring of hardware vs. software MAC addresses." For his suggestion, John Buck received 500 TechPoints.

Using the .reg file
Jdfcomputers decided to take a more direct approach to the problem. His solution was simply to force the MAC address via a .reg file, which can be executed from a login script or autoexec.bat. This solution addresses the root of the problem, which is the ability to set the MAC address in the first place. For his creative thinking, Jdfcomputers received 2,250 TechPoints!

The registry key revealed
Throughout the original article and follow-up discussions, many members posted what they thought was the registry key used to set the MAC address. The truth of the matter is that all of them were correct, for their particular implementation. But none of them would work across the board. The reason for the confusion is simple. Setting the MAC address on a Windows-based computer is dependent upon the NIC driver being used. So the registry key location varies slightly for each NIC.

Warning: This article involves the procedure to use when editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems requiring the reinstallation of your operating system. TechRepublic does not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.

For most NICs, you need to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<NICDriver<X>>\NetworkAddress

where <NICDriver<X>> is the name of the driver for your NIC plus a number (usually 1). From there you would set the value of NetworkAddress to whatever you want your MAC address to be. My personal favorite is “AABBCCDDEEFF.” Deleting the key or setting the value to an empty string will cause the MAC address to default to the hardware address. At least this was true in every case that I was able to test. But there are so many NICs out there, and each of them has a unique driver.

Some manufacturers use a slightly different approach, as was illustrated by Jdfcomputers when he wrote:

“An LAA is set as a data string in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\000<x>\NetworkAddress

where <x> is the number of the network adapter.”

In most of the drivers that I looked at, this is likely to be a Compaq network adapter. The reason for the difference is more manufacturer than OS. Remember, the location of the key is driver-specific. Compaq simply decided to do things a little differently than most other manufacturers.

Special consideration for Windows 2000
Under Windows 2000, the rules of the game have changed a bit. Microsoft must have thought that Compaq had the right idea (or vice versa) because the location of the registry key under Win2K is:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\{<One Big number>}\<One Little Number>\NetworkAddress

where <One Big number> is what I assume to be some kind of driver ID, and <One Little Number> is the NIC’s sequential number within the system. In my home system, the little number was 000. I assume this is because I only have one NIC in the system. If any of you know the true meaning of these numbers, please post a comment.

Implementing Jdfcomputers’ solution
In order to implement the solution given by Jdfcomputers, I would suggest you first consult the documentation for your NIC or contact the NIC manufacturer to find out how they implement locally administered addresses (LAA). Once you have the registry key, you can create a .reg file using any text editor or by saving the key from regedit. Store the saved file in the root of your local hard disk during system setup and put an entry in the autoexec.bat file to run regedit and pass the name of the .reg file as a parameter.

If a MAC address gets changed without changing this file, then the system will reboot the first time with the new MAC address. The next time the system reboots, the autoexec.bat will have already set the MAC back to its original state. This will ensure that any wayward NICs get reset before they have a chance to wreak havoc on your network.
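As an added example (my own code, not the article's and not Jdfcomputers'), this Python script writes the .reg file that a login script or autoexec.bat would apply at each boot, and parses it back so you can confirm what it will do to NetworkAddress before rolling it out. The key path uses the Services\Class\Net\000<x> form quoted above with <x> = 1 as a placeholder; on a real machine the path must come from the NIC driver's documentation. The "NetworkAddress"=- delete-value syntax and the regedit /s silent switch are standard regedit features that I am assuming here, not details taken from the page.

```python
"""Generate and verify the .reg file that resets or pins a NIC's NetworkAddress.

Added example: my own code, not from the article or from Jdfcomputers.
EXAMPLE_KEY uses the Services\\Class\\Net\\000<x> form quoted in the article
with <x> = 1 as a placeholder; on a real machine the key path comes from the
NIC driver's documentation.  The "=-" delete-value syntax and the "/s" silent
switch are standard regedit features (assumed here, not taken from the page).
"""
import re

REGEDIT4 = "REGEDIT4"                      # header for Windows 9x .reg files
HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")   # "AABBCCDDEEFF" style, no separators
EXAMPLE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\0001"


def build_reg(key_path, pinned_mac=None):
    """Return .reg text for key_path.

    pinned_mac=None deletes NetworkAddress, which the article reports makes
    the driver fall back to the burned-in hardware address.  A 12-hex-digit
    pinned_mac forces the value instead (the Jdfcomputers approach).
    """
    if pinned_mac is None:
        value_line = '"NetworkAddress"=-'          # regedit: remove this value
    else:
        if not HEX12.match(pinned_mac):
            raise ValueError("MAC must be 12 hex digits, no separators, e.g. AABBCCDDEEFF")
        value_line = f'"NetworkAddress"="{pinned_mac.upper()}"'
    # .reg files are CRLF text: header, blank line, [key], then its values.
    return "\r\n".join([REGEDIT4, "", f"[{key_path}]", value_line]) + "\r\n\r\n"


def parse_reg(text):
    """Parse a REGEDIT4 file into {key_path: {value_name: value_or_None}}.

    None marks a value the file deletes.  Only quoted string values are
    handled, which is all NetworkAddress needs.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != REGEDIT4:
        raise ValueError("not a REGEDIT4 file")
    result, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            result[current][name.strip('"')] = None if value == "-" else value.strip('"')
    return result


def network_address_in(text, key_path):
    """What the file does to NetworkAddress under key_path: a MAC string
    (pinned), None (deleted, so the hardware address is used), or "untouched"."""
    values = parse_reg(text).get(key_path, {})
    return values["NetworkAddress"] if "NetworkAddress" in values else "untouched"


def autoexec_line(reg_path):
    """The autoexec.bat entry that applies the file silently at every boot."""
    return f"regedit /s {reg_path}"


if __name__ == "__main__":
    reset = build_reg(EXAMPLE_KEY)          # resets to the hardware address
    print(reset)
    print(autoexec_line(r"C:\MACFIX.REG"))  # placeholder file location
```

Deleting the value rather than pinning one is the safer default for a fleet: the file does not need to be regenerated per machine, and the NIC falls back to its burned-in address as the article describes. Pin a value only where a particular NIC must carry a specific LAA, and keep the .reg file on a path users cannot edit, since whoever can rewrite it controls the address the next reboot applies.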

What do you think of Mike’s argument on the security issues surrounding your computer’s MAC address? What do you think of the solutions offered in this article? Post a comment or e-mail Mike and let your voice be heard!