| Author | Messages | |
sbradcpa
Posts:317
 | | 05/08/2007 1:27 AM |
| MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
Max Severity: Critical
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| RamonLinan
Posts:0
 | | 05/08/2007 1:34 AM |
| Hi,
The link is not working
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
Max Severity: Critical
| | | |
| sbradcpa
Posts:317
 | | 05/08/2007 1:37 AM |
| Patience, the links are still replicating across the web...
Ramon Linan wrote:
> Hi,
>
> The link is not working
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
> Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
| | | |
| deji
Posts:140
 | | 05/08/2007 1:39 AM |
| Ctrl-F5
Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Tue 5/8/2007 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Hi,
The link is not working
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
Max Severity: Critical
| | | |
| listmail
Posts:454
 | | 05/08/2007 11:15 AM |
| Nice and handy that it just so happened to be all wrapped up and done for
the May patch release so someone didn't have to get a knock on the head
inside of MSFT for two out of band patches in a month...
Also nice to have DCs in a state of having unmanageable services or exposed
to exploits in enterprise environments I think.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface
Could Allow Remote,Code Execution
MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
Max Severity: Critical
| | | |
| sbradcpa
Posts:317
 | | 05/08/2007 11:21 AM |
| Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for
> the May patch release so someone didn't have to get a knock on the head
> inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed
> to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface
> Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
> Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.
..and my blog is at www.sbsdiva.com....
| | | |
| sbradcpa
Posts:317
 | | 05/09/2007 1:01 AM |
| Encase is a forensic software btw.
Does the average firm expose their DNS infrastructure openly to the web
unless they are a University? Leave the mitigation in place if RPC as
an attack surface is a concern. Many a security researcher predicts
that RPC will continue to have issues as it's a technology built when
we trusted our internal networks. (and the security person who
predicted more RPC issues works for Microsoft btw)
When incidents.org indicates that the average firm spends more on
Coffee than they do on security... how much of these issues are self
inflicted?
As a little SBSer that is recommended to do DNS forwarding I also have
to be concerned about the patch status of my ISP's DNS forwarders as
well. BIND is not immune from issues, nor immune from causing them and
making risk to me if not patched and maintained. No software is
without issues or security concerns and our decisions need to be made
accordingly.
Ziots, Edward wrote:
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, its basically the same. I am saying that for troubleshooting its just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when its not always needed.
I know M$ wants you to do AD integrated DNS, since they think its the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, its not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme, if something breaks in replication is it AD or is it DNS, you have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DC's and Infrastructure systems and the better you harden them from the start the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, its probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DC's with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this you wonder why Internet DNS is on BIND, and its not AD integrated or even M$ and its spread throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+,
Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I don’t yet get this logic, please explain it to me like I’m an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than having use AD integrated DNS, and pointing DCs to a subset of anointed “better” DNS servers?
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication, if something is broken in AD replication scheme its going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DC's a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Funny part if you can call it a funny part is that your DC's wouldn't
have been vulnerable if you didn't have AD-Integrated DNS. Which limits
the attack surface quite a bit when you are dealing with say 2-3 DNS
servers instead of multiple DNS servers with DC responsibilities to
boot.
This is why I am never in the favor of putting multiple infrastructure
roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.
..and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
| | | |
| EZiots
Posts:31
 | | 05/09/2007 1:07 AM |
| I agree with you Susan, as you know I don't follow the well beaten path (M$ way) on a lot of issues, just because there are better ways of getting things done.
Danny, I don't see any CON's as long as you can physically secure the systems that hold your DNS (server security and physical site security), along with having multiple secondary systems to do DNS lookups, along with good change management.
From the DR perspective, I will give you just a little true-life example.
Legato Networker backup software uses DNS a lot to work of finding clients, etc etc. I could just imagine if we couldn't export our DNS zones, because they are AD-Integrated, and save them to a USB stick and transfer to another DNS system at our DR site, build a new DNS server, then install Networker, and then inventory tapes, and get ready to start restores starting with DC's and application servers, we would have to have a hosts file a mile long to keep track of all the FQDN's of our systems. But with the primary-secondary DNS servers, the following example is a piece of cake.
I am sure other organizations, and companies have other scenarios, I am not bashing AD-INT DNS, what I am saying is if you can keep your DC's being just DC's and DNS doing DNS, you can keep the roles separate and simplify your life a little as an Admin. But everyone has their own views, and comfort zones, I liked it the way it was done in BIND, and basically don't care to change, if it ain't broke no sense fixing it.
End Thread (Part Deux)
Good discussion though, banter from time to time, with the MVP's is enlightening.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 09, 2007 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
When you are little and your eggs and baskets were set up by Microsoft wizards and "just work" obviously those rules don't apply :-)
In this day and age of DR, XP's can log onto non existent domains with cached credentials, Outlook can run in cached mode, so the clients are more self reliant these days than they used to be as well.
Danny wrote:
Edward, thanks for the explanation and elaboration. I understand
what you mean, specifically from a DR perspective. Do you see any cons to
de-integrating DNS from AD?
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
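Two points in the exchange above can be checked in one pass: which domain controllers actually run the DNS Server service (a DC without it does not expose the DNS RPC interface at all, which is Ziots' attack-surface argument), and whether the zone data can be written out to a file for the DR scenario he describes. The script below is an added example written for this page, not code from the thread, from Microsoft, or from any poster; it assumes Windows PowerShell 5.1 with the ActiveDirectory and DnsServer RSAT modules (Windows Server 2012 or later, which postdates this 2007 thread, where dnscmd /zoneexport did the same job), DNS administrator rights on each server, and that Export-DnsServerZone accepts AD-integrated zones as well as file-backed ones, which it does.

```powershell
# Added example (not from the thread): for every DC, report whether it hosts the
# DNS Server role, enumerate its zones with their AD-integration state, and export
# each zone to a text file so the records survive a loss of AD replication.
# Assumes: Windows PowerShell 5.1, RSAT modules ActiveDirectory and DnsServer,
# and DNS admin rights on the targets. Nothing here changes the zones themselves.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DcDnsInventory {
    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        $host = $dc.HostName
        # Get-Service -ComputerName is Windows PowerShell only (removed in PowerShell 7).
        $svc = Get-Service -Name DNS -ComputerName $host -ErrorAction SilentlyContinue
        if (-not $svc) {
            # No DNS Server service: this DC carries no DNS RPC surface to patch or mitigate.
            [pscustomobject]@{ DC = $host; DnsRole = $false; Zone = $null; Type = $null; DsIntegrated = $null; Exported = $null }
            continue
        }
        # Skip the auto-created localhost/loopback zones; they carry nothing worth exporting.
        $zones = Get-DnsServerZone -ComputerName $host | Where-Object { -not $_.IsAutoCreated }
        foreach ($z in $zones) {
            # Export-DnsServerZone writes FileName under %SystemRoot%\System32\dns on the target
            # and refuses to overwrite, so the date is folded into the name to keep daily copies.
            $file = '{0}.{1:yyyyMMdd}.dns' -f $z.ZoneName, (Get-Date)
            $ok = $false
            try {
                Export-DnsServerZone -ComputerName $host -Name $z.ZoneName -FileName $file -ErrorAction Stop
                $ok = $true
            } catch {
                Write-Warning ('{0}: export of {1} failed: {2}' -f $host, $z.ZoneName, $_.Exception.Message)
            }
            [pscustomobject]@{
                DC = $host; DnsRole = $true; Zone = $z.ZoneName; Type = $z.ZoneType
                DsIntegrated = $z.IsDsIntegrated; Exported = $ok
            }
        }
    }
    return $rows
}

# Usage: one line per DC/zone pair; DCs with DnsRole = False are the ones that were
# never in scope for a DNS service bulletin such as MS07-029.
Get-DcDnsInventory | Sort-Object DC, Zone | Format-Table -AutoSize
```

The exported files are plain zone-file text, so they can be carried to a standalone DNS server at a DR site and loaded there without AD being available; copy them off the source server, since the export lands on the server's own disk.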
| EZiots
Posts:31
 | | 05/09/2007 1:15 AM |
| Sorry meant Core Impact not En-Case. (thanks for the correction :))
What it all comes down to is Risk Mitigation and Management.
I think we all know we can only control what we can control and it would be fruitless to try and control what we can't (ISP's practices, or lack thereof).
Not sure who would let their DNS or any infrastructure wide-open, even some of the .EDU's are tightening up the ship, because they are getting blacklisted or firewalled off, because the attacks are coming from these domains, free networks, lack of standards and controls, makes for a novice hackers paradise.
I agree RPC has been in the past (RPC DCOM and other exploits, which have turned into destructive worms) and will be in the future an avenue of attack. I agree bind isn't perfect, and if not setup and securely configured it can be just as vulnerable as Windows DNS.
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 09, 2007 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Encase is a forensic software btw.
Does the average firm expose their DNS infrastructure openly to the web unless they are a University? Leave the mitigation in place if RPC as an attack surface is a concern. Many a security researcher predicts that RPC will continue to have issues as it's a technology built when we trusted our internal networks. (and the security person who predicted more RPC issues works for Microsoft btw)
When incidents.org indicates that the average firm spends more on Coffee than they do on security... how much of these issues are self inflicted?
As a little SBSer that is recommended to do DNS forwarding I also have to be concerned about the patch status of my ISP's DNS forwarders as well. BIND is not immune from issues, nor immune from causing them and making risk to me if not patched and maintained. No software is without issues or security concerns and our decisions need to be made accordingly.
Ziots, Edward wrote:
v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
} @font-face {
font-family: Cambria Math;
}
@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
P {
FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
SPAN.gmailquote {
mso-style-name: gmail_quote
}
SPAN.EmailStyle19 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
page: Section1
}
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or
Primary, Secondary, its basically the same. I am saying that for
troubleshooting its just easier to have primary/secondary and place your DNS
where you need them, instead of having it tied to a DC, and thus add another
infrastructure role to the domain controllers, when its not always needed.
I know M$ wants you to do AD integrated DNS, since they
think its the best thing since sliced bread, but down in the trenches where
the work gets done and the problems get solved, its not always the best
choice. I personally don't see why you need to have your DNS and AD on the
same replication scheme, if something breaks in replication is it AD or is it
DNS, you have no physical seperation of the two, so you start going in loops.
And given the flaws we keep getting each and every month,
from Microsoft land on this, that and the other service, or offering, the less
you can have on your DC' and Infrastructure systems and the better you hardnen
them from the start the better off you will be. This DNS RPC interface issue
was just an example, and I am sure the security researchers out there are
going to find more, and again makes admin lives harder, but our systems more
secure in the long run.
Also it takes Microsoft how long to create a patch to fix
this, but the exploit code has been out for quite a while, and I am sure some
hacker has coded a working exploit by now, its probably in metasploit, ENCASE
and other Pentest products, so point and click and fire away at the DC's with
DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD
Integrated DNS isnt a viable option, but think of this you wonder why Internet
DNS in on BIND, and its not AD integrated or even M$and its spread
throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be; not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with, say, 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
| deji
Posts:140
 | | 05/09/2007 1:32 AM |
| "M$" is a religious state of mind that makes it very difficult for me to engage the believer in technical discussions.
How hard can it be to export an AD-int zone when you have dnscmd, or the trusty convert/re-convert option? Are you also aware of the replication options available even for AD-intg zones? Specifically, which part of the Legato scenario that you have described is made more complicated by integrating DNS into AD?
Considering the heavy reliance AD has on DNS, your position is hard to reconcile. I have heard various arguments against AD-intg, but the ones you've adduced here are, in my opinion, not very confusing. And, if you are going to be recommending that people don't use AD-intg, you should be better prepared to justify that recommendation.
Since you are pining so much for the advent of ServerCore, will you be disappointed when you discover that DNS is one of the few roles you will be able to install on ServerCore? Will that affect your trust in ServerCore? If not, what will ServerCore offer you in terms of DNS security that the standard LH install won't?
If you are going to mention the RPC issue as one of the reasons you would not integrate DNS into AD, I would like to suggest that you re-read the cause of the RPC issue again.
Sincerely,
Deji
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Ziots, Edward
Sent: Wed 5/9/2007 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I agree with you Susan; as you know I don't follow the well-beaten path (M$ way) on a lot of issues, just because there are better ways of getting things done.
Danny, I don't see any CONs as long as you can physically secure the systems that hold your DNS (server security and physical site security), along with having multiple secondary systems to do DNS lookups, along with good change management.
From the DR perspective, I will give you just a little true-life example.
Legato Networker backup software uses DNS a lot in its work of finding clients, etc. etc. I could just imagine if we couldn't export our DNS zones, because they are AD-Integrated, and save them to a USB stick and transfer to another DNS system at our DR site, build a new DNS server, then install Networker, and then inventory tapes, and get ready to start restores starting with DCs and application servers; we would have to have a hosts file a mile long to keep track of all the FQDNs of our systems. But with the primary-secondary DNS servers, the following example is a piece of cake.
I am sure other organizations and companies have other scenarios. I am not bashing AD-INT DNS; what I am saying is if you can keep your DCs being just DCs and DNS doing DNS, you can keep the roles separate and simplify your life a little as an Admin. But everyone has their own views and comfort zones; I liked it the way it was done in BIND, and basically don't care to change; if it ain't broke, no sense fixing it.
End Thread (Part Deux)
Good discussion though; the banter from time to time with the MVPs is enlightening.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 09, 2007 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
When you are little and your eggs and baskets were set up by Microsoft wizards and "just work" obviously those rules don't apply :-)
In this day and age of DR, XPs can log onto non-existent domains with cached credentials, Outlook can run in cached mode, so the clients are more self-reliant these days than they used to be as well.
Danny wrote:
Edward, thanks for the explanation and elaboration. I understand what you mean, specifically from a DR perspective. Do you see any cons to de-integrating DNS from AD?
On 5/9/07, Ziots, Edward wrote:
| | | |
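As an added example (not code from the thread or from any of its posters), here is one way to script the export deji refers to: dnscmd /ZoneExport on every AD-integrated primary zone, so the files can be loaded on a standard primary at a DR site. The server name, backup path and zone names are assumed placeholders, and the script is assumed to run on the DNS server itself.

```powershell
# Added example: back up every AD-integrated primary zone to standard zone files.
# Server name, backup root and zone names are assumed placeholders; adjust them.
param(
    [string]$DnsServer  = 'dc1.corp.example.com',   # assumed placeholder
    [string]$BackupRoot = 'D:\DnsBackup'             # assumed placeholder
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# dnscmd /ZoneExport always writes under %SystemRoot%\System32\dns on the DNS
# server, so this script is expected to run locally on that server.
$dnsDir = Join-Path $env:SystemRoot 'System32\dns'

# Enumerate primary zones stored in the directory (AD-integrated only).
# A row of /EnumZones output looks like (constructed sample):
#   _msdcs.corp.example.com   Primary   AD-Forest   Secure
$zones = dnscmd $DnsServer /EnumZones /Primary /Ds | ForEach-Object {
    $row = ($_ -replace '\s+', ' ').Trim()
    if ($row -match '^(?<name>\S+) Primary AD-') { $Matches.name }
}

if (-not $zones) {
    Write-Warning "No AD-integrated primary zones found on $DnsServer"
    return
}

$manifest = @()
foreach ($zone in $zones) {
    $file = "$zone.dns"
    # Write the zone's current contents out as a standard zone file.
    dnscmd $DnsServer /ZoneExport $zone $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ZoneExport failed for $zone" }

    Copy-Item -Path (Join-Path $dnsDir $file) -Destination $dest
    # Record a hash so a restore can verify the file was not altered in transit.
    $hash = (Get-FileHash -Path (Join-Path $dest $file) -Algorithm SHA256).Hash
    $manifest += [pscustomobject]@{ Zone = $zone; File = $file; SHA256 = $hash }
}
$manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize

# To rebuild at the DR site as a standard (non AD-integrated) primary, copy the
# exported file into %SystemRoot%\System32\dns on the new server and run:
#   dnscmd <drserver> /ZoneAdd corp.example.com /Primary /file corp.example.com.dns /load
# The "convert/re-convert option" mentioned in the thread is /ZoneResetType:
#   dnscmd <server> /ZoneResetType corp.example.com /Primary /file corp.example.com.dns
```

The exported files are plain text, so a restore can be checked by hand, and the manifest hashes give the DR site a way to confirm each file is the one that was exported.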
| nocmonkey
Posts:0
 | | 05/09/2007 1:37 AM |
| Thanks, it is great to have people like you contribute to the list. Microsoft's best practices are not always the best for our organizations or our customers.
Did y'all read Bruce's blog on security and the increasing complexity of software and IT systems: <http://www.schneier.com/blog/archives/2007/05/do_we_really_ne.html>....
D
On 5/9/07, Ziots, Edward wrote:
Sorry, meant Core Impact not En-Case. (thanks for the correction :))
What it all comes down to is Risk Mitigation and Management.
I think we all know we can only control what we can control, and it would be fruitless to try and control what we can't (ISPs' practices, or lack thereof).
Not sure who would let their DNS or any infrastructure wide open; even some of the .EDUs are tightening up the ship, because they are getting blacklisted or firewalled off, because the attacks are coming from these domains; free networks and lack of standards and controls make for a novice hacker's paradise.
I agree RPC has been in the past (RPC DCOM and other exploits, which have turned into destructive worms) and will be in the future an avenue of attack. I agree BIND isn't perfect, and if not set up and securely configured it can be just as vulnerable as Windows DNS.
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 09, 2007 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Encase is a forensic software btw.
Does the average firm expose their DNS infrastructure openly to the web unless they are a University? Leave the mitigation in place if RPC as an attack surface is a concern. Many a security researcher predicts that RPC will continue to have issues as it's a technology built when we trusted our internal networks. (and the security person who predicted more RPC issues works for Microsoft btw)
When incidents.org indicates that the average firm spends more on Coffee than they do on security... how much of these issues are self-inflicted?
As a little SBSer that is recommended to do DNS forwarding, I also have to be concerned about the patch status of my ISP's DNS forwarders as well. BIND is not immune from issues, nor immune from causing them and making risk to me if not patched and maintained. No software is without issues or security concerns and our decisions need to be made accordingly.
Ziots, Edward wrote:
| | | |
| deji
Posts:140
 | | 05/09/2007 1:38 AM |
| >>>> but the ones you've adduced here are, in my opinion, not very confusing.
errrr.... I meant....
...but the ones you've adduced here are, in my opinion, not very convincing. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Akomolafe, DejiSent: Wed 5/9/2007 10:32 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
"M$" is a religious state of mind that makes it very difficult for me to engage the believer in technical discussions.
How hard can it be to export AD-int zone be when you have dnscmd, or the trusty convert/re-convert option? Are you also aware of the replication options available even for AD-intg zones? Specifically, which part of the Legato scenario that you have described is made more complicated by integrating DNS into AD?
Considering the heavy reliance AD has on DNS, your position is hard to reconcile. I have heard various arguments against AD-intg, but the ones you've adduced here are, in my opinion, not very confusing. And, if you are going to be recommending that people don't use AD-intg, you should be better prepare to justify that recommendation.
Since you are pining so much for the advent of ServerCore, will you be dissapointed when you discoverthat DNS is one of the few roles you will be able to install on ServerCore?Willthat affect your trust in ServerCore? If not, what will ServerCore offer you in terms of DNS security that the standard LH install won't?
If your are going to mention the RPC issue as one of the reasons you would not integrate DNS into AD, I would like to suggest that you re-read the cause of the RPC issue again
Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Ziots, EdwardSent: Wed 5/9/2007 10:07 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I agree with you Susan, as you know I don't follow the well beaten path ( M$ way) on alot of issues, just because there are better ways of getting things done.
Danny, I don't see any CON's as long as you can physically secure the systems that hold your DNS, ( server security and physical site security) along having multiple secondary systems to do DNS lookups, along with good change management.
From the DR prespective, I will give you just a little true-life example.
Legato Networker backup software uses DNS alot to work of finding clients, etc etc, I could just imagine if we couldn't export our DNS zones, because they are AD-Integrated, and save them to a USB stick and transfer to another DNS system at our DR site, build a new DNS server, then install Networker, and then inventory tapes, and get ready to start restores starting with DC's and application servers, we would have to have a hosts file a mile long to keep track of all the FQDN's of our systems. But with the primary-secondary DNS servers, the follow example is a piece of cake.
I am sure other organizations, and companies have other scenario's, I am not bashing AD-INT DNS, what I am say if you can keep your DC's being just DC"s and DNS doing DNS, you can keep the roles seperate and simplfy your life a little as an Admin. But everyone has there own views, and comfort zones, I liked it the way it was done in BIND, and basically don't care to change, if it aint broke no sense fixing it.
End Thread ( Part Duex)
Good discussion though, banter from time to time, with the MVP's are enlightening.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 09, 2007 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
When you are little and your eggs and baskets were set up by Microsoft wizards and "just work" obviously those rules don't apply :-)
In this day and age of DR, XP's can log onto non existent domains with cached credentials, Outlook can run in cached mode, so the clients are more self reliant these days than they used to be as well.
Danny wrote:
Edward, thanks for the explanation and elaboration. I understand what you mean, specifically from a DR perspective. Do you see any cons to de-integrating DNS from AD?
On 5/9/07, Ziots, Edward wrote:
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be; not impossible, and not a regular event in most environments, but still, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable with, but I have been running primary, secondary and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but am I understanding correctly that you both are recommending avoiding AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at http://www.sbsdiva.com/....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
| efleis1
Posts:0
 | | 05/09/2007 3:37 AM |
| The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve this? I know joe cuts bait on dynamic updates.... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?
After we tease apart that one, I'd like to discuss your circular replication argument further.
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or primary/secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month from Microsoft land on this, that and the other service or offering, the less you can have on your DCs and infrastructure systems, and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now; it's probably in metasploit, ENCASE and other pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS and pointing DCs to a subset of anointed "better" DNS servers?
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be; not impossible, and not a regular event in most environments, but still, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable with, but I have been running primary, secondary and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Sorry to jump in here, but am I understanding correctly that you both are recommending avoiding AD-integrated DNS where possible?
On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.
..and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
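Eric's question (how do you get secure dynamic update without AD-integrated zones?) and Edward's point (keep the DNS role off the DCs to shrink their attack surface) both come down to configuration that can be inventoried rather than argued about. The following PowerShell audit is an added example, not something posted in this thread: it uses the DnsServer and ActiveDirectory modules (Get-DnsServerZone, Get-ADDomainController), which shipped with Windows Server 2012 and later, long after this 2007 discussion. It assumes the account running it can query the DNS service on every DC; the list of servers to check and the wording of the findings are the example's own choices.

```powershell
# Added example (not from the thread): audit DNS zones for AD integration and
# dynamic-update posture, and show which DCs also carry the DNS role.
# Requires the DnsServer and ActiveDirectory modules (Windows Server 2012+).
Import-Module DnsServer
Import-Module ActiveDirectory

# Assumption: start from every DC, since that is where AD-integrated DNS lives.
# Add stand-alone primary/secondary servers to this list if roles are separate.
$DnsServers = (Get-ADDomainController -Filter *).HostName

$report = foreach ($srv in $DnsServers) {
    try {
        $zones = Get-DnsServerZone -ComputerName $srv -ErrorAction Stop |
                 Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }
    } catch {
        # No reachable DNS service on this DC: the roles are separated here.
        Write-Verbose "$srv : DNS not queried ($($_.Exception.Message))"
        continue
    }
    foreach ($z in $zones) {
        # 'Secure' dynamic update is only available on AD-integrated zones.
        # A file-backed primary that accepts updates takes them unauthenticated
        # ('NonsecureAndSecure'); a zone with 'None' needs static records.
        $finding = if ($z.ZoneType -eq 'Secondary') {
                       'Secondary: read-only copy, no updates here'
                   } elseif ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
                       'Accepts unauthenticated dynamic updates'
                   } elseif ($z.DynamicUpdate -eq 'None' -and -not $z.IsDsIntegrated) {
                       'Static zone: clients cannot self-register'
                   } else {
                       'OK'
                   }
        [pscustomobject]@{
            Server        = $srv
            Zone          = $z.ZoneName
            ZoneType      = $z.ZoneType
            ADIntegrated  = $z.IsDsIntegrated
            DynamicUpdate = $z.DynamicUpdate
            Finding       = $finding
        }
    }
}

# Zone-by-zone view
$report | Sort-Object Zone, Server | Format-Table -AutoSize

# Role-overlap view: every DC that answered is also a DNS server
$dcsWithDns = $report | Select-Object -ExpandProperty Server -Unique
"DCs also running the DNS service: $($dcsWithDns.Count) of $($DnsServers.Count)"
$dcsWithDns
```

Run it from a management host with the RSAT tools installed. The first table answers Eric's question per zone (which zones actually enforce Secure updates, and which ones only look secured because they are AD-integrated while the update setting is still NonsecureAndSecure); the second list is Edward's argument made concrete, showing how many of the DCs would have been in scope for a DNS-service bug like the one this thread is about.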
| listmail
Posts:454
 | | 05/09/2007 5:03 AM |
| > Probably for the same reason you put your tea and sugar in the same cup, rather than,
> say, pour the sugar into your palm and lick it while sipping your tea?
I don't know what anyone else thinks, but that really is a bad[1] analogy. I mean it has zero/none/null value. Ditto for the comeback on the M$ stuff. Just blow by it, not worth an international incident.
You can do much better Deji.
joe
[1] Insert any number of other words, which is what I would have used first, but I am trying to be nice. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Wednesday, May 09, 2007 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I know you said they were your views, but on a technical board like this, I hope you don't mind me asking for some technical validation of those views.
>>> ...it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Is this because DNS is AD-intg, or is it a product of you breaking "something" in your AD? It would be helpful if you could define "something" and "break" to support your opinion. This way, we'll be able to appreciate the soundness of your recommendation.
>>> be separate and redundant as per good network design
Does integrating DNS into AD preclude you from having redundancy and, therefore, "good network design"? If so, how?
>>> Why would you want to have both your DNS and AD together on the same box
Probably for the same reason you put your tea and sugar in the same cup, rather than, say, pour the sugar into your palm and lick it while sipping your tea?
If "something is broken in AD replication scheme", then internal name resolution will likely not be your priority at this point. If something is broken in AD, and you are using the same DNS server for internal and external name resolution, how does integrating your internal zone into AD "break" your external name resolution?
Sincerely,
Sincerely,
Deji
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Ziots, Edward
Sent: Wed 5/9/2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be; not impossible, and not a regular event in most environments, but still, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable with, but I have been running primary, secondary and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots Network Engineer Lifespan
Organization MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but am I understanding correctly that you both are recommending avoiding AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
| | | |
| listmail
Posts:454
 | | 05/09/2007 5:04 AM |
| There absolutely are metasploit modules (both DEP and non-DEP) for it as well as pure c-code exploits.
I am keeping out of most of this because I have debated the point with some folks (including Eric) I respect on the topic already... Not sure doing it here, at least yet, adds anything. Eric's and my debates tend to be better done offline anyway. :) He hates me, I made him buy a lawn mower so that keeps coming up. If you ever see him in person though, have him tell that story, it is quite entertaining to hear. Hearing it in email just isn't the same as you don't get the inflections and drama.
But yes, it can be said that I am not a huge fan of ADI DNS. It has, in large part, to do with the space I work in, very large enterprises primarily. I am not absolutely against it but it isn't my first choice. For the reasons that Edward states and some I have on my own as well, I agree with him a great deal here. The primary push that people try to give is for secure DDNS; I don't buy into it. Dean and I debated this for a while at DEC, we weren't very successful in coming up with real vectors that gained any real foothold that wasn't accessible in some easier way although there is no end of folks saying that if you let t |
|
|