MAC Issuing ip addresses

Started by aanhaservices, Mar 31, 2023, 12:07 AM

Previous topic - Next topic

aanhaservicesTopic starter

There is a small server on board with Windows Server that handles the domain, DNS, and DHCP functions.

The domain includes, and therefore is connected to, the server of N-computers running Windows XP/7.

After having another cup of coffee, the company director becomes paranoid again and demands that IP binding by MAC be enabled for already installed computers, and that automatic IP address assignment for unknown individuals be disabled. This is to prevent malicious employees from connecting their laptops to the network and stealing confidential plans of world domination.

Given the company's reliance on small-soft products and the associated software licenses, as well as the inability to implement strict IP-to-MAC security at the router level (due to the high number of computers), the question arises: how can the admin comply with the manager's requirements while keeping costs to a minimum?

P.S. The hardworking admin considered transferring the DNS and DHCP functions to Linux, but is discouraged by the boss's stern gaze (as it would require an additional server) and the saying "if it works, don't touch it."

P.P.S. A slight complication to the task: Is it possible to implement a system for tracking the connection of "unfamiliar" computers to the network?


Any DHCP server can handle the usual MAC-to-IP binding configuration.

The boss is briefed in short about the second and subsequent paragraphs: Security will not be provided on inexpensive unmanaged switches. It requires normal managed switches with ACL support and VLANs that can be configured based on either the MAC address (such as for an old network printer or access control system box on the doors), or by configuring the switch port to the desired VLAN based on workstation password authentication in the network. This means that after entering a valid domain login/password, the switch port will be configured to the appropriate VLAN (e.g., accounting, admins, support, test VLAN), and an IP address from the desired subnet will be assigned.

Logging connections to switch ports will be done on a dedicated log server, which will send notifications such as "port fa0/1/2 on is up." Knowing the location of the switch and the socket connected to that port, security personnel can be dispatched to investigate any suspicious activities in specific areas, such as "office 123, 3rd floor, building 3".


It always brings me amusement when people argue about the differences between Windows and other operating systems like Nicks, especially when it comes to DHCP.

If necessary, one should take the time to read about DHCP and realize that its functionality is essentially the same on both Windows and Nicks, with only implementation variations.

According to Wikipedia, the DHCP protocol offers three methods for IP address distribution:

1. Manual distribution: In this approach, the network administrator assigns specific IP addresses to client computers based on their hardware address (MAC address). The only difference from manually configuring each computer is that the address information is centrally stored on a DHCP server, making it easier to modify if needed.

2. Automatic distribution: With this method, each computer is assigned an available IP address from a designated range defined by the administrator. These addresses are intended for permanent use.

3. Dynamic distribution: Similar to automatic distribution, but the address given to the computer is only leased for a certain period. After the lease expires, the IP address becomes available again, and the client must request a new one, which could potentially be the same address. Additionally, the client has the option to decline the offered address.

Select the appropriate method and learn how it is implemented in your software. However, it's important to note that this alone will not protect against MAC address spoofing; additional security measures are required.

Now, here's an idea: create two address pools. One pool is fully configured according to your preferences and requirements. The second pool is essentially fake, allowing anyone to obtain IP addresses but without any functioning servers or network resources. When a computer receives an address from this fake pool, it will experience difficulties due to the lack of actual services. This can serve as an indication that something is amiss and deter unauthorized access attempts.

Overall, understanding DHCP and its various implementation strategies can help ensure efficient IP address management and enhance network security.


The current protection measures are not foolproof, as even children can manually configure static IP addresses. Simply associating IP addresses with MAC addresses does not significantly enhance security.

A more effective solution would be to implement IEEE 802.1X with Network Access Protection Services on your Windows Server. This combination provides a stronger layer of security and control over network access.

IEEE 802.1X is a standard for network port-based authentication, ensuring that only authorized devices can connect to the network. Combined with Network Access Protection Services, which focus on endpoint security compliance, this solution can effectively prevent unauthorized access and enforce policy-based access control.

By deploying these technologies, you can significantly enhance the security of your network infrastructure and mitigate potential risks associated with unauthorized access or malicious activities.


To comply with the manager's requirements while minimizing costs, the admin can make use of the existing Windows Server infrastructure. Here are a few suggestions:

1. Enable IP binding by MAC address: Within the Windows Server environment, the admin can configure DHCP reservations. This allows specific IP addresses to be assigned to known MAC addresses. By adding reservations for the computers within the network, the admin ensures that only authorized devices can obtain specific IP addresses.

2. Disable automatic IP address assignment for unknown individuals: To prevent unknown individuals from connecting their laptops and obtaining an IP address, the admin can implement MAC address filtering on the DHCP server. This feature allows the admin to create an "allow" list of known MAC addresses and reject requests from unknown MAC addresses.

3. Implement network access control: The admin can enforce network access control by deploying a Network Access Control (NAC) solution. NAC solutions like Cisco ISE or Aruba ClearPass provide advanced authentication and authorization mechanisms to verify the identity and compliance of connected devices before granting network access.

4. Strengthen physical security: If feasible, the admin can improve physical security measures to prevent unauthorized access to the network. This may include securing network closets, implementing badge access systems, or using security cameras to monitor sensitive areas.

Regarding tracking unfamiliar computers, there are a few approaches to consider:

- Network monitoring tools: Deploy network monitoring tools capable of detecting and identifying new devices joining the network. These tools can provide real-time alerts when unfamiliar devices are detected, allowing the admin to investigate and take appropriate action.

- Network Access Control (NAC): As mentioned earlier, a NAC solution can help track unfamiliar computers by enforcing device authentication and profiling. It can automatically identify and report on devices that are not compliant with the organization's policies.

- Employee education: Regularly educate employees about the company's network usage policy and the potential risks associated with unauthorized device connections. Encourage employees to report any unfamiliar devices they come across.

While it may be tempting to consider transferring DNS and DHCP functions to Linux, the admin should carefully evaluate the trade-offs and potential benefits before making such a decision. The boss's concern about stability and the saying "if it works, don't touch it" should be taken into account.

suggestions to consider:

1. Network segmentation: Divide the network into different segments or VLANs based on the trust level and access requirements. This can help isolate sensitive resources and limit the impact of unauthorized access. For example, create separate VLANs for employee devices, guest devices, and critical servers.

2. Regularly review and update access controls: Keep track of authorized devices and periodically review and update access controls. Remove any outdated or unused DHCP reservations and ensure that only necessary devices have access to specific resources.

3. Implement network monitoring and intrusion detection systems: Deploy network monitoring and intrusion detection systems to identify and alert administrators of any suspicious activity, such as unauthorized devices attempting to connect to the network.

4. Network authentication protocols: Consider implementing stronger network authentication protocols such as 802.1X, which provides port-based network access control and can be used to authenticate devices before granting access to the network.

5. Employee awareness training: Educate employees about the importance of network security and the potential risks associated with connecting unauthorized devices. Promote good security practices, such as not sharing network credentials and reporting any suspicious activities.

6. Regularly update software and firmware: Ensure that all network devices, including switches, routers, and servers, are running the latest software and firmware versions, as they often contain security patches that address vulnerabilities.

7. Regularly backup network configurations: Perform regular backups of network configurations to ensure that in case of any issues or security breaches, the network can be restored quickly and efficiently.