Hello folks,
Recently, i have post a script to interroge SCCM and find the MAC address informations. In this post, i show you how activate DHCP Filter “Allow” to protect your DHCP delivery lease to deny access to your network (i know, there is NAP or NAC but, it is a simple way to block the issuance of a DHCP lease).

Prerequirements

First, you need to create a Active Directory user and give to this account rights “DHCP Administrator”.

In SCCM console, add this users to group “Read-only Analyst” .

Activate filter “Allow” on DHCP server

Connect to your DHCP Server and open the management consoleOn the IPV4 tab, open the drop-down menu, and then select the “Filters” option and right-click the “Allow” folder and select “Enable”.

From now, the DHCP server no longer delivers leases.

On the DHCP Server, launch this script for retreive and add the MAC Address informations from SCCM Server to filter list “Allow”.

# Connection information
$SiteName = "FR1"
$ServerSite = "sccm"
# WMI Request
$ImportSCCM = $(Get-WmiObject -Class SMS_R_SYSTEM -Namespace "root\sms\site_$SiteName" -computerName $ServerSite)
# Create collection
$Mycoll = @()
foreach ($obj in $ImportSCCM) {
Write-Host $obj.NetbiosName $obj.MACAddresses $obj.OperatingSystemNameandVersion
$Mydetails = "" | Select-Object PCName, MacAddress, OS
If ($([String]$obj.MACAddresses) -eq "") {
$Mydetails.PCName = $obj.NetbiosName
$Mydetails.MacAddress = "Nul"
$Mydetails.OS = $obj.OperatingSystemNameandVersion
}
Else {
$Mydetails.PCName = $obj.NetbiosName
$Mydetails.MacAddress = [String]$obj.MACAddresses -replace ":","-"
$Mydetails.OS = $obj.OperatingSystemNameandVersion
}
$Mycoll += $Mydetails
}
#Add MacAddress into DHCP Filter
foreach ($objects in $Mycoll) {
Add-DhcpServerv4Filter -List Allow -MacAddress $objects.MacAddress -Description $objects.PCName -Confirm:$false -Force -Verbose
}
# Remove Obsolete entries
Compare-Object $(($Mycoll | Select-Object MacAddress).MacAddress) $(Get-DhcpServerv4Filter -ComputerName $DHCPServer -List Allow | Select-Object MacAddress).MacAddress -IncludeEqual | % {
if ($_.SideIndicator -eq "=>") {
Remove-DhcpServerv4Filter -ComputerName $DHCPServer -MacAddress $_.InputObject -Confirm:$false -Verbose
}
}

When the script is finished, you can see into the management console of DHCP Server, the entries are add into the “Allow” list.

The DHCP server correctly delivers the lease of the device whose MAC Address is allowed.

 

0 23