DHCP filters may reduce the risk of rogue devices

Windows Server 2008's DHCP engine has a filter that can reduce risk of rogue devices. IT pro Rick Vanover discusses this new feature.

One of the least glamorous parts of IT is tracking down a rouge system that received a DHCP address, especially if it is causing an issue on the network. IT pros have become good at looking at a MAC address and determining what type of system it may be. For instance, users may bring a wireless router from home into the office or install a virtual machine without any protections on the network.

Windows Server 2008 R2's DHCP engine introduces a MAC address filter engine. The filter is pretty cool; it allows you to specify wildcard MAC address ranges to allow or deny address assignment on the network.

For example, take the requirement to prohibit Hyper-V, VirtualPC, or VirtualServer virtual machines from receiving IP addresses on your network. Figure A shows how you can do this with the filter. Figure A

Click the image to enlarge.

For the specific case of virtual machines, I created a scorecard of the MAC address types and the associated hypervisors.

Clearly, the DHCP filters are not bulletproof. Most hypervisors and wireless devices let users spoof MAC addresses. But chances are, this will knock out most of the users who could potentially do the least desirable things on your network. In the case of wireless devices, determining the organizationally unique identifiers (OUIs) for Linksys, Netgear, D-Link, and other products may be a good idea if you have a problem with unauthorized devices showing up on your network. A more strict approach is to set a filter only for the devices you expect to use on your network.

I think this is pretty neat for an otherwise boring service. Do you see yourself using this new feature? Let us know in the comments.

Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday.

Automatically sign up today!