List Archives
Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Page 2 of 3
listmail

Posts:454

05/09/2007 9:46 AM  

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your
email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, i.e. you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?

After we tease apart that one, I'd like to discuss your circular replication argument further.


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Eric,

Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month from Microsoft land on this, that and the other service or offering, the less you can have on your DCs and infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run.

Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now; it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...

EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't yet get this logic, please explain it to me like I'm an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.

Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).

These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?

On 5/9/07, joe <listmail@joeware.net> wrote:

I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Funny part if you can call it a funny part is that your DC's wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in the favor of putting multiple infrastructure roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month.

IE7 has the printing fixes for IE7 included.

Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.

..and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
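The two configuration points argued over in this post (whether a zone accepts nonsecure dynamic updates, and whether the DNS service is sitting on a domain controller at all) can be audited from one script. This is an added example, not code from the thread; it assumes the DnsServer PowerShell module that ships with Windows Server 2012 and later (so it does not run against the 2003-era servers being discussed), and the `-ComputerName` value is a placeholder.

```powershell
# Audit the dynamic-update posture of every zone on a Windows DNS server and
# warn when that server is also a domain controller.
# Assumption: DnsServer module (RSAT-DNS-Server) is available; remote use needs WinRM.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # placeholder: the DNS server to audit
)

# Skip the auto-created zones (0.in-addr.arpa etc.), which are never meaningful here.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { -not $_.IsAutoCreated }

$findings = foreach ($z in $zones) {
    # "Secure" is only offered for AD-integrated primaries; a standard (file-backed)
    # primary can only be "None" or "NonsecureAndSecure", which is the point Eric
    # and joe argue about above. Secondary/stub zones carry no update setting.
    $assessment = switch ($z.DynamicUpdate) {
        'NonsecureAndSecure' { 'HIGH - any host that can reach port 53 may add or overwrite records' }
        'Secure'             { 'OK - updates must be Kerberos-authenticated (GSS-TSIG)' }
        'None'               { 'OK - static zone, records are maintained by hand' }
        default              { 'n/a - not an updatable zone type' }
    }
    [pscustomobject]@{
        Zone          = $z.ZoneName
        Type          = $z.ZoneType
        ADIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
        Assessment    = $assessment
    }
}

$findings | Sort-Object Assessment | Format-Table -AutoSize

# Edward's point: DNS on a DC means a DNS-service bug (MS07-029) or a delegated DNS
# admin's rights land on the DC itself, since the service runs as LocalSystem there.
# Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName).DomainRole
if ($role -ge 4) {
    Write-Warning "$ComputerName is a domain controller that also hosts DNS: a compromise of the DNS service is a compromise of the DC."
}
```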
sbradcpa

Posts:317

05/09/2007 10:09 AM  
Word that I heard is that there was an initial buzz after the first
incidents.org reports of it but after that it tapered off and the "bad
guys went off to the next big thing".

In all of these security events.. is it a real risk ...or are the fears
of the risk bigger?

joe wrote:





--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.

..and my blog is at www.sbsdiva.com....
listmail

Posts:454

05/09/2007 10:23 AM  
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Funny part if you can call it a funny part is that your DC's wouldn't
have been vulnerable if you didn't have AD-Integrated DNS. Which limits
the attack surface quite a bit when you are dealing with say 2-3 DNS
servers instead of multiple DNS servers with DC responsibilities to boot.
This is why I am never in the favor of putting multiple infrastructure
roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month.

IE7 has the printing fixes for IE7 included.

Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading
http://blogs.technet.com/sbs - the SBS Blog.

..and my blog is at www.sbsdiva.com....

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
listmail

Posts:454

05/09/2007 10:46 AM  
Yeah I think the worm folks realized that the impact, while
high, would be tough to achieve since most client machines won't be running
DNS and those are the ones most likely to hop networks.

If someone had simply combined a couple of things though,
this could have been very nasty for companies. A single Christina Aguilera Photo
in email with embedded code or a zip file promising something good and bam, a
company loses control over every machine that is running MSFT DNS. If the
machine they open the file on is part of the forest, all MSFT DNS servers in the
environment would likely have been compromised before the user's fingers were
fully off the mouse button. It is really easy to look at a forest and find all
MSFT DNS Servers in a single query in very short order. AD is designed to
quickly give out that info.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 09, 2007 10:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Word that I heard is that there was an initial buzz after the first
incidents.org reports of it but after that it tapered off and the "bad guys went
off to the next big thing". In all of these security events.. is it a
real risk ...or are the fears of the risk bigger?

joe wrote:


Oh true, I am not completely on board with the necessity
of secure updates. I hear a lot of noise around it and how someone can own
your forest with it but can't visualize a realistic attack vector in that
realm to gain access that likely wouldn't be easier to manage in some other
way. I'd like to think I am not a complete retard in this but I just don't see
it and I have yet to have found anywhere anyone who could point to even an
accidental attack which we used to see on a regular basis with WINS and
misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.


Certainly I don't expect an open discussion about actual
attack methods here in this forum because if there is something real out
there that just hasn't made it onto the RADAR of anyone who tends to write
exploits against things such that they have done anything around it. Other
attacks on forests etc I have seen code examples for and not just stuff I have
written. And certainly I can't take my lack of understanding of a possible
hole there as it being safe, but I do look at the global knowledge level here
and how serious MSFT may or may not be about secure updates (i.e. only being
offered with one config and it not being the default OS config)
and then make some judgements on relative likelihood of
possible compromise and the numbers just don't come up as giving me much fear
in the realm of insecure updates.

In my experience, the biggest threat to come through DNS
other than the various and numerous issues that have occurred through the
years due to ADI DNS dork ups and bugs has been this recent DNS vuln
which was far more dangerous to environments running ADI DNS than any other
environment. In fact if you ran ADI DNS in an enterprise with distributed DNS
Admin delegation, this issue was a positively serious kick square in the balls
for choosing that model. It wasn't the
idea that you get control of the DNS Service and then start pumping in bad DNS
entries, you had localsystem on the DC and just did whatever the heck you felt
like doing. Why take a nice scenic hack route past old windmill road when the
door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to
your email, but it bounced with a 550 access denied from netherworld.jws.com



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that
also does secure dynamic updates, that’s a great convo I’d love to be part of.
But I want to make sure…do we agree that secure dynamic updates (or no dynamic
updates, ie you manage it yourself) are a min bar requirement? I have not
gotten the sense that you really buy in to this argument yet.





From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows
how to do some form of secure DDNS updates.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update.
Replication is all well and good (maybe it is better than xfer, maybe not, I
really don’t know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates….I’m of the
opinion (based on masses of PSS data over the last 7 years) that most
customers cannot do this. So how do you achieve it? Or do you just accept the
lack of security on this front?

After we tease apart that one, I’d like to discuss your circular replication
argument further.




From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Eric,


Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's
basically the same. I am saying that for troubleshooting it's just easier to
have primary/secondary and place your DNS where you need them, instead of
having it tied to a DC, and thus add another infrastructure role to the domain
controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing
since sliced bread, but down in the trenches where the work gets done and the
problems get solved, it's not always the best choice. I personally don't see
why you need to have your DNS and AD on the same replication scheme, if
something breaks in replication is it AD or is it DNS, you have no physical
separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from Microsoft land on
this, that and the other service, or offering, the less you can have on your
DCs and Infrastructure systems and the better you harden them from the start
the better off you will be. This DNS RPC interface issue was just an example,
and I am sure the security researchers out there are going to find more, and
again makes admin lives harder, but our systems more secure in the long run.

Also it takes Microsoft how long to create a patch to fix this, but the exploit
code has been out for quite a while, and I am sure some hacker has coded a
working exploit by now, it's probably in metasploit, ENCASE and other Pentest
products, so point and click and fire away at the DCs with DNS, if you
haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable
option, but think of this: you wonder why Internet DNS is on BIND, and it's not
AD integrated or even M$ and it's spread throughout the world...


EZ


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505







From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don’t yet get this logic, please explain it to me like I’m an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at
the subset of DNS servers you end up creating. How is this better than using
AD integrated DNS, and pointing DCs to a subset of anointed “better” DNS
servers?





From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

AD and its replication and functions are dependent on DNS being correctly configured.
If you follow the logic of not having all your eggs in one basket, then the
following will make sense.

Why would you want to have both your DNS and AD together on the same box, and
integrated into the AD replication, if something is broken in the AD replication
scheme it's going to affect your DNS as well, which also affects a lot more of
your infrastructure.

Secondly, it makes decommission of the DCs a little more of a task than it needs to be,
not impossible, and not a regular event in most environments, but still again,
infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant
as per good network design (physical site redundancy is what I am
driving at here).

These are just my views, administrators will do what they feel comfortable with but
I have been running primary, secondary DNS, tertiary DNS at a third site for
years and not had many problems with DNS replication, uptime and minimal
troubleshooting, plus I know if my primary site gets hit I have got critical
infrastructure elsewhere that can continue to service the organization in case
of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the
folks that still run BIND for their DNS services would probably see the
reasoning in it.

Z




Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505







From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am understanding that you both are recommending to
avoid AD-integrated DNS where possible?

On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph.
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.

..and my blog is at www.sbsdiva.com....

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
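Eric's "min bar" above (secure dynamic updates, or no dynamic updates at all) and joe's remark that secure update is only offered with the AD-integrated zone config can be turned into an audit. The following PowerShell is an added example, not code from this thread or from Microsoft; it assumes the DnsServer and ActiveDirectory RSAT modules (Windows Server 2012 or later) and an account permitted to read each DC's DNS configuration, and the `-Remediate` switch, the default server list and the zone filtering are choices made here.

```powershell
# Added example: report every primary zone whose dynamic-update setting is
# NonsecureAndSecure, and optionally raise AD-integrated ones to Secure.
# Assumptions (not from the thread): DnsServer + ActiveDirectory modules,
# rights to read DNS config on each DC; defaults to every DC in the domain.
param(
    [string[]]$DnsServers,   # explicit list of DNS servers; default = all DCs
    [switch]$Remediate       # when set, switch offending AD-integrated zones to Secure
)

Import-Module DnsServer
if (-not $DnsServers) {
    Import-Module ActiveDirectory
    # With AD-integrated DNS every DC is normally also a DNS server.
    $DnsServers = (Get-ADDomainController -Filter *).HostName
}

$findings = foreach ($srv in $DnsServers) {
    try {
        $zones = Get-DnsServerZone -ComputerName $srv -ErrorAction Stop
    } catch {
        Write-Warning "${srv}: cannot read zone list ($($_.Exception.Message))"
        continue
    }
    foreach ($z in $zones) {
        # Only primary, non-auto-created zones accept dynamic updates at all;
        # secondaries, stubs and the auto-created zones are irrelevant here.
        if ($z.ZoneType -ne 'Primary' -or $z.IsAutoCreated) { continue }
        [pscustomobject]@{
            Server        = $srv
            Zone          = $z.ZoneName
            DsIntegrated  = $z.IsDsIntegrated
            DynamicUpdate = $z.DynamicUpdate      # None | NonsecureAndSecure | Secure
            # The thread's "min bar": Secure, or no dynamic updates at all.
            MeetsMinBar   = ($z.DynamicUpdate -in 'Secure', 'None')
        }
    }
}

# Failing zones sort first so they are visible at the top of the table.
$findings | Sort-Object MeetsMinBar, Server, Zone | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.MeetsMinBar -and $_.DsIntegrated }) {
        # Secure dynamic update exists only on AD-integrated zones; a file-backed
        # primary has to be converted to DS-integrated (or set to None) first.
        Set-DnsServerPrimaryZone -ComputerName $f.Server -Name $f.Zone -DynamicUpdate Secure
        Write-Host "Set $($f.Zone) on $($f.Server) to Secure dynamic update"
    }
}
```

A file-backed primary zone that still allows non-secure updates is reported but left alone, since the only fix that keeps dynamic registration is converting it to an AD-integrated zone.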
nocmonkey

Posts:0

05/09/2007 10:49 AM  
Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?

On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
EZiots

Posts:31

05/09/2007 11:23 AM  
AD and its replication and functions are dependent on DNS
being correctly configured. If you follow the logic of not having all your eggs
in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on
the same box, and integrated into the AD replication, if something is broken in
the AD replication scheme it's going to affect your DNS as well, which also affects
a lot more of your infrastructure.

Secondly, it makes decommission of the DCs a little more
of a task than it needs to be, not impossible, and not a regular event in most
environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC)
should be separate and redundant as per good network design (physical site
redundancy is what I am driving at here).

These are just my views, administrators will do what they
feel comfortable with but I have been running primary, secondary DNS, tertiary
DNS at a third site for years and not had many problems with DNS replication,
uptime and minimal troubleshooting, plus I know if my primary site gets hit I
have got critical infrastructure elsewhere that can continue to service the
organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I
am sure most of the folks that still run BIND for their DNS services would
probably see the reasoning in it.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am understanding that you both are
recommending to avoid AD-integrated DNS where possible?

On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
efleis1

Posts:0

05/09/2007 11:34 AM  
Bad things can happen if I own your DNS. This DL is not an
appropriate forum for such a discussion. But you should assume that I can do bad
things to your forest if I own your DNS.

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution



Oh true, I am not completely on board with the necessity of secure
updates. I hear a lot of noise around it and how someone can own your forest
with it but can't visualize a realistic attack vector in that realm to gain
access that likely wouldn't be easier to manage in some other way. I'd like to
think I am not a complete retard in this but I just don't see it and I have yet
to have found anywhere anyone who could point to even an accidental attack
which we used to see on a regular basis with WINS and misconfigured SAMBA and I
easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack
methods here in this forum because if there is something real out there
that just hasn't made it onto the RADAR of anyone who tends to write exploits
against things such that they have done anything around it. Other attacks on
forests etc I have seen code examples for and not just stuff I have written.
And certainly I can't take my lack of understanding of a possible hole there as
it being safe, but I do look at the global knowledge level here and how serious
MSFT may or may not be about secure updates (i.e. only being offered with one
config and it not being the default OS config) and then make some
judgements on relative likelihood of possible compromise and the numbers just
don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than
the various and numerous issues that have occurred through the years due
to ADI DNS dork ups and bugs has been this recent DNS vuln which was far
more dangerous to environments running ADI DNS than any other environment. In
fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation,
this issue was a positively serious kick square in the balls for choosing that
model. It wasn't the idea that you get control of the DNS Service and then
start pumping in bad DNS entries, you had localsystem on the DC and just did whatever
the heck you felt like doing. Why take a nice scenic hack route past old
windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email,
but it bounced with a 550 access denied from netherworld.jws.com

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some
other solution that also does secure dynamic updates, that’s a great
convo I’d love to be part of. But I want to make sure…do we agree
that secure dynamic updates (or no dynamic updates, i.e. you manage it yourself)
are a min bar requirement? I have not gotten the sense that you really buy in
to this argument yet.

From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution



I don't cut bait, I just don't agree that MSFT is the only company that
knows how to do some form of secure DDNS updates.



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is
around dynamic update. Replication is all well and good (maybe it is better
than xfer, maybe not, I really don’t know), but the secure dynamic update
part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic
updates….I’m of the opinion (based on masses of PSS data over the
last 7 years) that most customers cannot do this. So how do you achieve it? Or
do you just accept the lack of security on this front?

After we tease apart that one, I’d like to discuss your
circular replication argument further.

From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution



Eric,

Better DNS servers? DNS is DNS, whether AD integrated or Primary,
Secondary, it's basically the same. I am saying that for troubleshooting it's
just easier to have primary/secondary and place your DNS where you need them,
instead of having it tied to a DC, and thus add another infrastructure role to
the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's
the best thing since sliced bread, but down in the trenches where the work gets
done and the problems get solved, it's not always the best choice. I personally
don't see why you need to have your DNS and AD on the same replication scheme,
if something breaks in replication is it AD or is it DNS, you have no physical
separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from
Microsoft land on this, that and the other service, or offering, the less you
can have on your DCs and Infrastructure systems and the better you harden them
from the start the better off you will be. This DNS RPC interface issue was
just an example, and I am sure the security researchers out there are going to
find more, and again makes admin lives harder, but our systems more secure in
the long run.

Also it takes Microsoft how long to create a patch to fix this, but
the exploit code has been out for quite a while, and I am sure some hacker has
coded a working exploit by now, it's probably in metasploit, ENCASE and other
Pentest products, so point and click and fire away at the DCs with DNS, if you
haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS
isn't a viable option, but think of this: you wonder why Internet DNS is on BIND,
and it's not AD integrated or even M$ and it's spread throughout the
world...

EZ



Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505




From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

I don’t yet get this logic, please explain it to me like
I’m an idiot.

The primary/secondary road ends up taking you to a place where
you point DCs at the subset of DNS servers you end up creating. How is this
better than using AD integrated DNS, and pointing DCs to a subset of
anointed “better” DNS servers?

From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution



AD and its replication and functions are dependent on DNS being
correctly configured. If you follow the logic of not having all your eggs in
one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same
box, and integrated into the AD replication? If something is broken in the AD
replication scheme it's going to affect your DNS as well, which also affects
a lot more of your infrastructure.

Secondly, it makes decommissioning of the DCs a little more of a task
than it needs to be, not impossible, and not a regular event in most
environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC)
should be separate and redundant as per good network design (physical site
redundancy is what I am driving at here).

These are just my views, administrators will do what they feel
comfortable with but I have been running primary, secondary DNS and tertiary DNS at
a third site for years and not had many problems with DNS replication, uptime
and minimal troubleshooting, plus I know if my primary site gets hit I've got
critical infrastructure elsewhere that can continue to service the organization
in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure
most of the folks that still run BIND for their DNS services would probably see
the reasoning in it.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505




From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am
understanding that you both are recommending to avoid AD-integrated DNS where
possible?

On 5/9/07, joe <listmail@joeware.net> wrote:

I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't
have been vulnerable if you didn't have AD-Integrated DNS. Which limits
the attack surface quite a bit when you are dealing with say 2-3 DNS
servers instead of multiple DNS servers with DC responsibilities to boot.
This is why I am never in favor of putting multiple infrastructure
roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month.

IE7 has the printing fixes for IE7 included.

Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>

--
If you are a SBSer... you had better be reading
http://blogs.technet.com/sbs - the
SBS Blog.

..and my blog is at www.sbsdiva.com....



--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
nocmonkeyUser is Offline

Posts:0

05/09/2007 11:50 AM  
Edward, thanks for the explanation and elaboration. I understand what you mean, specifically from a DR perspective. Do you see any cons to de-integrating DNS from AD?

On 5/9/07, Ziots, Edward wrote:

listmailUser is Offline

Posts:454

05/09/2007 11:51 AM  

I agree that the DL isn't the appropriate place which is
why I said that specifically. :)

As for the rest... Bad things can happen if I can do
network tracing on your network. You should assume that I can do bad things to
your forest if I can trace your network.

Where do we stand now? No insecure DDNS and no
network. :)

Or... I just don't let you on my network. None of the other
AD "experts" I have spoken with seem so positive about their ability to
compromise my forest just by me not using ADI Secure DDNS.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for
such a discussion. But you should assume that I can do bad things to your forest
if I own your DNS.
