There are many options available to a Windows 10 user when it comes to managing computer networks, both wired and wireless. Some of them are incredibly vital while others offer less utility from a security perspective.
In this article, we will explore why MAC filtering falls into the latter category. This knowledge is important because there is a common perception that MAC filtering is an effective network security measure.
To be brief and to the point, it is not, and quite emphatically so. While the process certainly has some utility and advantages in specific circumstances, as far as negating external threats are concerned, it is a few degrees above completely useless.
Read on to learn all about MAC filtering, how to do it in Windows 10, when to do it and most importantly, when NOT to depend on it.
Intro to MAC addresses and filtering
All computers use a piece of hardware called a network interface controller (also called a network card) to connect to all networks, local and wide. A Media Access Control (MAC) address is a unique identifier assigned to each network card — and by extension, the PC to which it belongs — in a computer network.
If you want to manage access rights to a network, it can be done easily using these MAC addresses. Any PC whose MAC address is on a whitelist is allowed access to the network ports, while those on blacklists are denied access or blocked. This entire process is called MAC filtering.
If your PC has both Ethernet and Wi-Fi capabilities, that means that it has two separate adapters — one wired and the other wireless. If you use virtualization software, there can be even more! Since MAC addresses are tied to network cards and not their PCs, it is quite common to see one PC host multiple MAC addresses.
You can identify a MAC address by its format — a series of 12 hexadecimal digits arranged as “00-00-00-00-00-00-00.”
Finding the MAC addresses on a Windows 10 PC
The quickest way to look at MAC addresses on a Windows PC is by using the command prompt. Initiate an instance by clicking on the Start button and typing “CMD.” Run it and a command prompt window will appear. Type the command “ipconfig/all”and execute it by pressing Enter.
In the list that follows, you can find the MAC address of individual cards by looking at the entry beside “Physical Address.” It will be a 12-digit hexadecimal number. If you want a strict GUI-based method, head to the Settings menu. Go to Network & Internet and click the name of any active connection. At the bottom of “Properties,” you can find the “Physical Address (MAC).”
How MAC filtering is useful
A MAC address is like a government ID or Social Security number given to citizens. It is a permanent address for a device in a network that doesn’t change under normal circumstances, ever. In contrast, IP addresses of network devices are constantly changing unless they are set as “static” by the system administrator.
Thus, a MAC address gives the network admins a reliable address to keep track of known devices within the system. They are an effective form of access control, which is basically like the work of a bouncer in front of a nightclub. If you are on his list, you are in; if not, you stay out!
In personal and home networks, MAC filtering is less useful unless there are multiple networks and many users/devices involved. Or if you are a parent who wants to restrict your kids’ access to the internet during specific hours of the day.
Otherwise, the best use case for MAC filtering is often in an enterprise or institutional setting.
In large, complex networks with multiple gateways and access points, administrators can use MAC filtering to restrict user access to specific networks. It largely serves as an organizational or administrative purpose.
Managing MAC filtering in Windows 10
To enable or disable MAC filtering in Windows 10, you have to access your network router. In most modern instances, it is your home wireless router. All routers have an IP address that you can use to access its controls using your browser.
This IP address is usually available with the documentation of the router. If you don’t have it, you can look it up on the command prompt using just the ipconfigcommand. From the listed networks, find your active connection and make note of its default gateway.
Enter this figure, which is usually something that looks like 22.214.171.124, into your browser address bar and press Enter. When you reach the router page, you have to enter your router admin ID and password.
In the settings, MAC filtering is usually found under Advanced Settings, Security, Access Control or something else similar to these. Its exact location will vary with the router brand. Inside, you have the option to choose your form of filtering, with these two options:
Blacklist: Deny access to specific MAC addresses
Whitelist: Grant access only to specific MAC addresses
Choose the one you prefer and add/remove MAC addresses of devices that exist in your network. Save and exit your router settings to make these changes permanent.
Disadvantages of MAC filtering
The utility of MAC filtering from a security perspective is a controversial topic. While it is widely marketed as a security measure, MAC filtering on its own is incapable of protecting your network against hacks.
Reverting to the “bouncer” analogy used earlier, we can identify the primary weakness of MAC filtering as a security measure. It is only effective if the hacker does not have access to either of the two pieces of information:
The MAC address whitelist of the network
At least one of the MAC addresses of a device connected to the network (in case of a blacklisted MAC filtering system)
If a hacker can gain access to a MAC address that has access to the network, they can masquerade as that device and compromise the network security. And they can easily find the MAC addresses by monitoring the network traffic using toolsets likeKali Linux and Wireshark.
This is useful to a hacker because they can use a technique called “spoofing” to easily change the MAC address of their device. In fact, in Windows 10, anybody can do this by following these steps:
Open Device Manager and expand the Network Adapters category
Select your Ethernet or wireless adapter, right-click and head to Properties
In the Advanced tab, look for Locally Administered Address, found in the Property box.
Select it and remove its associated MAC address in the Value box
Replace it with another 12-digit hexadecimal number of your choice, without hyphens or spaces
The changes will take effect after a system reboot
You can check the changes using ipconfig/allfrom the command prompt
MAC filtering is a useful network administration tool with limited security potential. It can be used as an extra layer of protection above the basic layers like WPA2-AES security protocols. But as a standalone security measure, it is woefully inadequate.
Even ordinary users with admin access to a Windows PC can change its MAC addresses. And hackers can quite easily find the MAC addresses of devices connected to a network using monitoring tools. Combine these two flaws and we can easily see why experts consider MAC filtering as a potential liability in the realm of network security. Besides, it is also very time-consuming to set up if there are many devices/network adapters involved.