Is there a simple program that can block MAC addresses?

jim

Is there any Windows software that can block MAC addresses on the incoming
network adapter?
I want to block certain users on a LAN; they keep changing their IP
addresses on their laptops.

I have a spare PC with 3 NICs in.

I don't want DHCP, firewall, or Linux solutions.

I just want a basic Windows program.

Can you help?

Cheers
 
Keith W. McCammon

Blocking the MAC address using a spare PC is only going to stop that MAC
address from accessing the spare PC. You need to use access controls on
your switches to deal with this problem.

If you do want to use the spare PC to block access from a given address to
your LAN, you'll:

1) need to alter the MAC tables to null-route the address, or the like
2) be building a firewall, which you've said that you don't want
 
Marc Reynolds [MSFT]

Nothing based on MAC address, but you could use IPSec based on IP addresses.
What are you trying to prevent them from gaining access to? Shares and data
should be locked down by user and group permissions.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Steven L Umbach

I don't know of a Windows program that can do that. If the users are not
local administrators, then they cannot change their IP addresses. Maybe a
user policy should be put in place about unauthorized computers on the
network if that is what is happening. I know that may not be as easy as it
sounds for you, but if you can build a good enough case and take it to the
higher ups it might help. --- Steve
 
Karl Levinson [x y] mvp

There are a few problems with what you're trying to do.

These users can also change or spoof their MAC addresses, which is a problem
for you. It would be more secure to use "port security" to whitelist which
MAC addresses are approved to communicate on each switch port, or use some
sort of authentication to the switch and/or computer. If you do per-user
authentication to access the network resource in question, it doesn't matter
what MAC address they choose.

Whatever you do involving MAC addresses, I would think it would have to be
done on their local subnet / switch [e.g. each and every subnet they might
plug into]. Once a packet makes the first hop through a router, the source
MAC address is rewritten to be the MAC address of the router. Said another
way, if you were to try to block inbound access to a computer by source MAC
address, it would only work if the other computer was on the same subnet.
The computer's source MAC address is not kept anywhere in the packet once
the packet traverses a router.

If you know the MAC address you want to block, I suppose you could try
running an arp spoofing / man in the middle tool such as shijack on one
computer on the local subnet, which can effectively prevent anything from
reaching that MAC address, or if you prefer, sniff their session, data and
passwords, or take remote control of their connections, even encrypted ones.
You would want to be careful not to cause performance problems for your
switches and network devices... and I would think you would need one such
computer for each of your subnets. Once they change their MAC address, your
denial of service attack stops working.
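
Added example, not part of the original thread or any poster's code: a defender-side audit that parses Windows `arp -a` output taken on a host in the same subnet and correlates entries by MAC, so a laptop that keeps changing its IP address still shows up as one machine. The snapshots, the allowlist and the function names are constructed for illustration; as the post above notes, this only sees hosts on the local subnet, and a changed MAC simply appears as a new, unapproved entry.

```python
import re
from collections import defaultdict

# Constructed sample data: two `arp -a` snapshots taken some time apart on a
# Windows host that sits on the same subnet as the laptops.
SNAPSHOT_1 = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          a4-5e-60-c1-02-9f     dynamic
  192.168.1.40          02-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_2 = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          a4-5e-60-c1-02-9f     dynamic
  192.168.1.40          02-1a-2b-3c-4d-5e     dynamic
"""
APPROVED = {"00-11-22-33-44-55", "a4-5e-60-c1-02-9f"}  # hypothetical allowlist
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I | re.M)

def parse_arp(text):
    """Yield (ip, mac) for unicast entries only."""
    for ip, mac in ROW.findall(text):
        mac = mac.lower()
        if not int(mac[:2], 16) & 0x01:  # I/G bit clear: not broadcast/multicast
            yield ip, mac

def audit(snapshots, approved):
    """Correlate snapshots by MAC so that an IP change does not hide a machine."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse_arp(snap):
            seen[mac].add(ip)
    report = {}
    for mac, ips in seen.items():
        flags = [name for name, hit in (
            ("ip-changed", len(ips) > 1),
            ("not-approved", mac not in approved),
            # U/L bit set: locally administered, a hint (not proof) of a software-set MAC
            ("locally-administered", int(mac[:2], 16) & 0x02),
        ) if hit]
        if flags:
            report[mac] = (sorted(ips), flags)
    return report

if __name__ == "__main__":
    print(audit([SNAPSHOT_1, SNAPSHOT_2], APPROVED))
```

The report is evidence for the switch-level controls or usage policy discussed in the thread; it does not block anything by itself.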
 
