Author: listmail (Posts: 824)
Posted: 05/10/2007 8:58 AM
The point is that there are lots of possible attack vectors, you need to weigh them as accurately as possible and try to assign risk to them and deal with them as such. If we took away every possible security vector, all of our machines would be embedded in 6'x6' solid cubes of titanium. So with the reality of the situation that you are not going to remove every risk, we must define the level of risk and what we consider to be acceptable.

To me, opening the additional surface areas on DCs is far more of a risk factor than insecure update capability. This isn't just DNS on a DC, this is any additional services that don't directly provide auth/authz but provide additional external interfaces or, as I call it, attack surface. It applies to services from MSFT as well as drivers, agents, and services from other vendors. The security model of Windows is such that if you can get something running locally, you have blown by a great deal if not most of the security in place. The fact that most of these services seem to be running in localsystem is just a great big step to help attack and increases risk further.

If you look at the risk level of say this published vulnerability that started this thread, even MSFT considers the risk high enough that they have to publish a bulletin about it; critical if I recall. I think if non-secured DDNS is this insecure, we should see a security bulletin as well and at the very least MSFT would disallow DCs from a client aspect from registering to a non-secured DDNS or better yet, all of their DDNS server options would offer secure updates. I am not saying there is no risk, but I am questioning what the risk really is because the guidance doesn't seem to match the concern and I don't want to believe that MSFT would let us hang our collective asses that much into the breeze.

Looking at this, and again I don't expect you or anyone to say this is the problem step by step, I don't see anything other than DOS that is readily apparent or even apparent after looking at it for a while. There absolutely could be something there but we are talking about a product with a general product support group[1] (i.e. admins) that can't even figure out how a Domain Admin in one domain can compromise other domains in the same forest; anything really subtle or requiring deep kerberos knowledge just isn't coming up on my radar as something that is highly risky until I start seeing at least some level of chatter about it in the places I lurk or seeing some real level of concern out of MSFT. Obviously I could be missing something and there could be a huge big boogie monster hiding behind it that is jumping out in production orgs and has been but if so, I would expect the guidance to be MUCH stronger in regards to DDNS as well as the commitment to providing it outside of ADI DDNS. Also I know a lot of very smart people, I would expect more would be considerably more nervous about it if they saw something I didn't.

And for everyone reading this... For the record, Eric has been very clear that this is a real issue. My point is that a caldera (super volcano) shooting up out of Yellowstone is also a real issue. How will you let that force you to change what you do?

joe

[1] By this I mean general pool of admins and consultants. There are quite a lot of bright folks who figured this out all by themselves but they are dwarfed by the number of people who don't think it can be done and that is with something that the number of people who have done this or seen it done is really pretty high.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Thursday, May 10, 2007 12:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

The point is just that you want to remove these things, not justify that because one exists you can let them all in. And of course, some are easier than others.

~Eric
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

I agree that the DL isn't the appropriate place which is why I said that specifically. :)

As for the rest... Bad things can happen if I can do network tracing on your network. You should assume that I can do bad things to your forest if I can trace your network.

Where do we stand now? No insecure DDNS and no network. :)

Or... I just don't let you on my network. None of the other AD "experts" I have spoken with seem so positive about their ability to compromise my forest just by me not using ADI Secure DDNS.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, i.e. you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?

After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Eric, Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run. Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DC's with DNS, if you haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$ and it's spread throughout the world...

EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

I don't yet get this logic, please explain it to me like I'm an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than having used AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.

Secondly, it makes decommission of the DC's a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (Physical Site redundancy is what I am driving at here).

These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS, tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Funny part, if you can call it a funny part, is that your DC's wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email: eziots@lifespan.org
cell: 401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote
> Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
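The thread keeps circling one concrete, checkable setting: Eric's "min bar" of secure dynamic updates or no dynamic updates at all, and joe's observation that Windows only offers secure updates on AD-integrated zones. The script below is an added example, not code from anyone in this thread or from Microsoft. It audits every primary zone on a Windows DNS server for its dynamic-update mode using the DnsServer PowerShell module (Windows Server 2012 or later, which postdates this 2007 discussion) and, only when asked with -Remediate, tightens the zones that fail. The server name is a placeholder.

```powershell
# Added example, not from the thread: audit the dynamic-update mode of every
# primary zone on a Windows DNS server and optionally tighten it.
# Assumes the DnsServer module (Windows Server 2012+ or RSAT). The server name
# is a placeholder; run without -Remediate first to get a report only.
param(
    [string]$DnsServer = 'dc01.corp.example',   # placeholder, not a real host
    [switch]$Remediate
)

Import-Module DnsServer -ErrorAction Stop

function Get-ZoneFinding {
    param($Zone)
    # DynamicUpdate is one of: None, Secure, NonsecureAndSecure.
    # Secure and None both meet the "min bar" argued for in the thread.
    switch ($Zone.DynamicUpdate) {
        'Secure' { return 'OK: secure updates only' }
        'None'   { return 'OK: no dynamic updates (records managed by hand)' }
        'NonsecureAndSecure' {
            if ($Zone.IsDsIntegrated) {
                return 'FAIL: nonsecure updates allowed on AD-integrated zone; set to Secure'
            }
            # Windows only offers Secure on AD-integrated zones, so a file-backed
            # primary can only be closed to dynamic updates entirely.
            return 'FAIL: file-backed zone accepts nonsecure updates; set to None or make it AD-integrated'
        }
        default  { return "UNKNOWN: $($Zone.DynamicUpdate)" }
    }
}

# Only primary zones accept updates; secondary, stub, forwarder and auto-created
# zones (TrustAnchors, the loopback reverse zones) are out of scope.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$findings = foreach ($z in $zones) {
    [pscustomobject]@{
        Zone          = $z.ZoneName
        AdIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
        Finding       = Get-ZoneFinding -Zone $z
    }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { $_.Finding -like 'FAIL*' }) {
        # Secure requires an AD-integrated zone; anything else can only go to None.
        $target = if ($f.AdIntegrated) { 'Secure' } else { 'None' }
        Write-Host "Setting DynamicUpdate on $($f.Zone) to $target via $DnsServer"
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $f.Zone -DynamicUpdate $target
    }
}
```

Run it read-only first and look at which zones are NonsecureAndSecure: a file-backed primary in that state cannot be moved to Secure, so the remediation sets it to None, which is the "manage it yourself" option Eric offers, and any host that relied on registering its own records there will need a static entry or a move to an AD-integrated zone before that is safe to apply.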
Author: listmail (Posts: 824)
Posted: 05/10/2007 8:58 AM
Yeah I just don't see a lot of Server Core SBS servers in the near future... Well unless you count those Novell boxes...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, May 10, 2007 1:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Well server core isn't SBS friendly period....nor is SBS the poster child of how to set up secure DNS. I was just asking more along the lines if there was a similar listserve to BIND-User for the Windows world.

Akomolafe, Deji wrote:
>>> is there a "DNS" only security listserve like BIND has?)

There is a bunch of DNS-related mailing lists on lists.oarci.net but they are not DNS-on-Windows-centric. And not typically SBS-friendly, if you know what I mean ;)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 5/9/2007 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

http://iase.disa.mil/stigs/checklist/DNS-Checklist-V3R1-1.pdf

Vulnerability Discussion: A vulnerability in the underlying operating system of a DNS server could potentially impact not only the DNS server but the entire network infrastructure to include the Global Information Grid (GIG).
Checks: DNS0170 Review the Operating System against the appropriate OS STIG. For a Windows system this would mean an evaluation with the Gold Disk; for a UNIX/LINUX system this would mean an evaluation using the SRR scripts. STIG compliance means that all findings are either closed, or there is a POA&M to address any outstanding vulnerabilities.
Fixes: DNS0170 The underlying Operating System of the DNS server must be in compliance with the appropriate OS STIG.

Vulnerability Discussion: Whether running the latest version of software or an earlier version, the administrator should be aware of the vulnerabilities, exploits, security fixes, and patches for the version that is in operation in the enterprise.
Check: DNS0190 If the site is using BIND, interview the SA to determine if they have subscribed to ISC's mailing list called "bind-announce" (information on the Internet at http://www.isc.org/sw/bind/bindlists.php) for vulnerabilities and software notifications.
Fix: DNS0190 If BIND is utilized, the SA will subscribe to ISC's mailing list called "bind-announce" (information on the Internet at http://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.
Comments:

.... looks like keeping aware goes a long way to keeping a DNS server safe

(stupid question alert when DNS servers are on server core and what not... is there a "DNS" only security listserve like BIND has?)

Akomolafe, Deji wrote:
And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric FleischmanSent: Wed
5/9/2007 8:34 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Bad
things can happen if I own your DNS. This DL is not an appropriate forum for
such a discussion. But you should assume that I can do bad things to your
forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joeSent: Wednesday, May 09, 2007 6:47
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Oh
true, I am not completely on board with the necessity of secure updates. I
hear a lot of noise around it and how someone can own your forest with it
but can't visualize a realistic attack vector in that realm to gain access
that likely wouldn't be easier to manage in some other way. I'd like to
think I am not a complete retard in this but I just don't see it and I have
yet to have found anywhere anyone who could point to even an accidental
attack which we used to see on a regular basis with WINS and misconfigured
SAMBA and I easily overcame those SAMBA issues when encountered.
Certainly
I don't expect an open discussion about actual attack methodshere in
this forum because if there is something real out there that just hasn't
made it onto the RADAR of anyone who tends to write exploits against things
such that they have done anything around it. Other attacks on forests etc I
have seen code examples for and not just stuff I have written. And certainly
I can't take my lack of understanding of a possible hole there as it being
safe, but I do look at the global knowledge level here and how serious MSFT
may or may not be about secure updates (i..e only being offered with one
config and it not being the default OS config) andthen make some
judgements on relative likelihood of possible compromise and the numbers
just don't come up as giving me much fear in the realm of insecure
updates.
In
my experience, the biggest threat to come through DNS other than the various
and numerousissues that have occurred through the years due
toADI DNS dork ups and bugs has been this recent DNS vuln which was
far more dangerous to environments running ADI DNS than any other
environment. In fact if you ran ADI DNS in an enterprise with distributed
DNS Admin delegation, this issue was a positively serious kick square in the
balls for choosing that model.It wasn't the idea that you get control
of the DNS Service and then start pumping in bad DNS entries, you had
localsystem on the DC and just did whatever the heck you felt like doing.
Why take a nice scenic hack route past old windmill road when the door to
the gold is sitting wide open?
joe
P.S.
And sorry for this... Rocky, tried to respond to your email, but it bounced
with a 550 access denied from netherworld.jws.com
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 6:49
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Totally
agree. If you are comparing AD integrated DNS with some other solution that
also does secure dynamic updates, that’s a great convo I’d love to be part
of. But I want to make sure…do we agree that secure dynamic updates (or no
dynamic updates, ie you manage it yourself) are a min bar requirement? I
have not gotten the sense that you really buy in to this argument
yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joeSent: Wednesday, May 09, 2007 2:05
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
I
don't cut bait, I just don't agree that MSFT is the only company that knows
how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 3:37
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
The
argument for AD integrated DNS, as I understand it, is around dynamic
update. Replication is all well and good (maybe it is better than xfer,
maybe not, I really don’t know), but the secure dynamic update part is the
goodness side of it.
So,
how do you achieve this? I know joe cuts bait on dynamic updates….I’m of the
opinion (based on masses of PSS data over the last 7 years) that most
customers cannot do this. So how do you achieve it? Or do you just accept
the lack of security on this front?
After
we tease apart that one, I’d like to discuss your circular replication
argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Eric,

Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run.

Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...

EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

I don't yet get this logic, please explain it to me like I'm an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.

Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (Physical Site redundancy is what I am driving at here).

These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Sorry to jump in here, but am I understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote:

I can find no fault in that paragraph.

:)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org cell: 401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog ...and my blog is at http://www.sbsdiva.com/....

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
| listmail
Posts:824
 | | 05/10/2007 9:23 AM |
> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch

Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products, I recall patching my old RSTS/E systems but back then a patch was often more of a manual process, you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.

> one less headache to deal with.

I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.

> sorry for most customers that just isn't coming close to reality

I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT customers live in the MSFT reality and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it and actually they call it the Bread and Butter. I mentioned it in one of my other posts, for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS, most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.

That being said, if you have DNS understanding and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI and even MSFT DNS if you were ever even there is a very valid thing to do.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.

I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. On the other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in the M$ DNS service.

This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and, sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.

I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.

Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.

Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Topic shift Deji, try to keep up... :)

Read back through the thread. I would say we should have changed the subject but it never changed to "Why you shouldn't use ADI DNS" in the first place so I find I am not concerned.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack, which we used to see on a regular basis with WINS and misconfigured SAMBA, and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise, and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| habr
Posts:0
 | | 05/10/2007 9:24 AM |
| STIG ID: DNS0415 [Page 47 of
141] of that document Ώ]
Looks like Deji is OK to
me.
RH
Ώ] Where in Blue Blazes
do you find all this stuff Susan ?!
______________________________________________________________
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 10 May, 2007 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

http://iase.disa.mil/stigs/checklist/DNS-Checklist-V3R1-1.pdf

Vulnerability Discussion:
A vulnerability in the underlying operating system of a DNS server could potentially impact not only the DNS server but the entire network infrastructure to include the Global Information Grid (GIG).
Checks: DNS0170
Review the Operating System against the appropriate OS STIG. For a Windows system this would mean an evaluation with the Gold Disk; for a UNIX/LINUX system this would mean an evaluation using the SRR scripts. STIG compliance means that all findings are either closed, or there is a POA&M to address any outstanding vulnerabilities.
Fixes: DNS0170
The underlying Operating System of the DNS server must be in compliance with the appropriate OS STIG.

Vulnerability Discussion:
Whether running the latest version of software or an earlier version, the administrator should be aware of the vulnerabilities, exploits, security fixes, and patches for the version that is in operation in the enterprise.
Check: DNS0190
If the site is using BIND, interview the SA to determine if they have subscribed to ISCs mailing list called bind-announce (information on the Internet at http://www.isc.org/sw/bind/bindlists.php) for vulnerabilities and software notifications.
Fix: DNS0190
If BIND is utilized, the SA will subscribe to ISCs mailing list called bind-announce (information on the Internet at http://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.
Comments:....

looks like keeping aware goes a long way to keeping a DNS server safe (stupid question alert when DNS servers are on server core and what not... is there a "DNS" only security listserve like BIND has?)

Akomolafe, Deji wrote:
And will this be as a
result of integrating DNS into AD? I say no, because I know that you can
still do bad things regardless of the DNS flavor or its complete separation
from AD. This, to me, negates the argument that you should not AD-integrate
DNS because of security "issues".
Sincerely,
_____
(, / |
/)
/) /) /---|
(/_ ______ ___// _ // _ )
/ |_/(__(_) //
(_(_)(/_(_(_/(__(/_(_/
/)
(/ Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, ie you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?

After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Eric,

Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run.

Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...

EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't yet get this logic, please explain it to me like I'm an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.

Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (Physical Site redundancy is what I am driving at here).

These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS, tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

-- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
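The two controls the quoted thread argues about, Eric's "minimum bar" of secure (or no) dynamic updates and Edward's point about the DNS role sitting on a DC, as an added audit script that is not code from the list or from anyone on it; it assumes the DnsServer PowerShell module of Windows Server 2012 and later, which postdates this 2007 thread (dnscmd.exe was the tool of the day).

```powershell
# Added example, not from the thread: audit one Windows DNS server for
# (1) the dynamic-update mode of every writable zone and
# (2) whether the DNS role is co-located with a domain controller.
# Assumes the DnsServer module (Windows Server 2012+); run as a DNS admin.
Import-Module DnsServer

function Get-DnsUpdateFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)

    foreach ($zone in Get-DnsServerZone -ComputerName $ComputerName) {
        # Only primary zones accept updates; secondaries, stubs and
        # conditional forwarders carry no update policy. Skip the
        # auto-created loopback/localhost zones as well.
        if ($zone.ZoneType -ne 'Primary' -or $zone.IsAutoCreated) { continue }

        # DynamicUpdate is None, Secure or NonsecureAndSecure. 'Secure'
        # (Kerberos-authenticated, ACL-checked updates) is only offered for
        # AD-integrated zones, the "only offered with one config" point
        # joe makes in the thread.
        $status = switch ($zone.DynamicUpdate) {
            'Secure'             { 'OK: only authenticated, ACL-checked updates' }
            'None'               { 'OK: no dynamic updates, records managed by hand' }
            'NonsecureAndSecure' { 'FINDING: any host can add or overwrite records' }
            default              { "UNKNOWN: $($zone.DynamicUpdate)" }
        }

        [pscustomobject]@{
            Zone          = $zone.ZoneName
            AdIntegrated  = $zone.IsDsIntegrated
            DynamicUpdate = $zone.DynamicUpdate
            Status        = $status
        }
    }
}

function Test-DnsOnDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

$findings = Get-DnsUpdateFindings
$findings | Sort-Object Status | Format-Table -AutoSize

if (Test-DnsOnDomainController) {
    # The thread's own observation: a DNS service bug here (MS07-029 being
    # the example) executes as LocalSystem on the DC, not in an isolated box.
    Write-Warning 'DNS is running on a domain controller; a DNS service flaw here runs as LocalSystem on the DC.'
}

# Remediation for an AD-integrated zone that still accepts nonsecure updates.
# A standard (file-backed) primary cannot be set to Secure: convert it to
# AD-integrated first, or set it to None and manage records by hand.
#   Set-DnsServerPrimaryZone -Name 'zone.example' -DynamicUpdate Secure
```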
| EZiots
Posts:0
 | | 05/10/2007 9:32 AM |
|
Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address.

I can see that a lot do go with the M$ model, bread and butter of things, but others don't.

DNS Infrastructure has gone from BIND, to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly.

So back to the grind, it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitch fork before I go to AD-INT DNS...

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch

Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products, I recall patching my old RSTS/E systems but back then a patch was often more of a manual process, you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.

> one less headache to deal with.

I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.

> sorry for most customers that just isn't coming close to reality

I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT customers live in the MSFT reality and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it and actually they call it the Bread and Butter. I mentioned it in one of my other posts, for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things I think MSFT does an amazing. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS, most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.

That being said, if you have DNS understanding and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI and even MSFT DNS if you were ever even there is a very valid thing to do.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.

I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. Other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in the M$ DNS service.

This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.

I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.

Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.

Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Topic shift Deji, try to keep up... :)

Read back through the thread. I would say we should have changed the subject but it never changed to "Why you shouldn't use ADI DNS" in the first place so I find I am not concerned.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".

Sincerely,
_____
(, / |
/)
/) /) /---| (/_
______ ___// _ // _ )
/ |_/(__(_) //
(_(_)(/_(_(_/(__(/_(_/
/)
(/ Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, ie you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?

After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Eric,

Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run. Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...

EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.

Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).

These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but am I understanding that you both are recommending to avoid AD-integrated DNS where possible?

On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with, say, 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
| listmail
Posts:824
 | | 05/10/2007 9:51 AM |
I think I have said similar things but I chose a normal fork. :)

My favorite deployments have DNS nowhere near Windows and running with a very dedicated and knowledgeable DNS team.

At some point the message of "AD is really dependent on DNS" became corrupted to be "AD and DNS go together like peas and carrots". It simply isn't true. AD is even more dependent on the network itself than it is on DNS; does that mean AD should be underpinning all of the switches and routers? Gosh I hope not.

Ah, an appliance helps, but hopefully it is still going to be monitored; it is likely just a *nix box without a keyboard port, and last I looked those folks still had patches too. However, being focused on a task, that helps dramatically. Just like reducing the number of services running on DCs does. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address.

I can see that a lot do go with the M$ model, bread and butter of things, but others don't.

DNS infrastructure has gone from BIND, to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly.

So back to the grind, it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS...

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch

Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products; I recall patching my old RSTS/E systems, but back then a patch was often more of a manual process: you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.

> one less headache to deal with.

I would accept a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.

> sorry for most customers that just isn't coming close to reality

I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT's customers live in the MSFT reality, and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it, and actually they call it, the Bread and Butter. I mentioned it in one of my other posts: for the bread and butter, full MSFT ADI DNS is very likely the best answer for them, because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things, I think MSFT does an amazing. Look at Kerberos; they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS: most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.

That being said, if you have DNS understanding, and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI, and even MSFT DNS if you were ever even there, is a very valid thing to do.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.

I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. Other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this, Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in M$ DNS service.

This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and, sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.

I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.

Checking out, I have a DHCP server to convert off Windows today, which means one-less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.

Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org
cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have changed the subject, but it never changed to "Why you shouldn't use ADI DNS" in the first place, so I find I am not concerned.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".
Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it, but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it, and I have yet to have found anywhere anyone who could point to even an accidental attack, which we used to see on a regular basis with WINS and misconfigured SAMBA, and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc. I have seen code examples for, and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise, and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS, other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs, has been this recent DNS vuln, which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries; you had LocalSystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Totally
agree. If you are comparing AD integrated DNS with some other solution that also
does secure dynamic updates, that’s a great convo I’d love to be part of. But I
want to make sure…do we agree that secure dynamic updates (or no dynamic
updates, ie you manage it yourself) are a min bar requirement? I have not gotten
the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.

--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates….I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?

After we tease apart that one, I'd like to discuss your circular replication argument further.
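Two of the points argued in this post can be checked on a real domain rather than debated: which DCs also carry the DNS role (the MS07-029 exposure Ziots and joe describe), and whether any zone falls below Eric's "min bar" of secure dynamic updates or none. The PowerShell below is an added example, not code from the list or from any of its posters; it assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later, or RSAT), and the default server name is a placeholder.

```powershell
<#
  Added example, not code from the list or any of its posters.
  Check 1: DCs that also run the DNS Server service.
  Check 2: primary zones that accept unauthenticated dynamic updates, with an
           optional switch to raise them to "Secure" (AD-integrated) or "None".
  Assumes the DnsServer and ActiveDirectory modules (Windows Server 2012+ or RSAT).
#>
[CmdletBinding()]
param(
    [string]$DnsServer = 'dc01.example.test',  # placeholder, replace with your server
    [switch]$Remediate                         # tighten zones that fall below the bar
)

Import-Module DnsServer -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# --- Check 1: which DCs also expose the DNS Server service (dns.exe / RPC) ---
$dcsWithDns = Get-ADDomainController -Filter * | ForEach-Object {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'" `
        -ComputerName $_.HostName -ErrorAction SilentlyContinue
    if ($svc -and $svc.State -eq 'Running') { $_.HostName }
}
Write-Host "DCs running the DNS role: $($dcsWithDns -join ', ')"

# --- Check 2: dynamic-update policy per primary zone ------------------------
# Only primary zones (file-backed or AD-integrated) accept dynamic updates;
# secondaries, stubs and auto-created zones are skipped.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    # DynamicUpdate is one of: 'None' (static, edited by hand), 'Secure'
    # (Kerberos/GSS-TSIG authenticated; only AD-integrated zones support it) or
    # 'NonsecureAndSecure' (any host on the wire can add or overwrite records).
    $belowBar = $zone.DynamicUpdate -eq 'NonsecureAndSecure'

    # The safe target depends on the zone type: an AD-integrated zone can require
    # authenticated updates; a file-backed primary can only turn updates off.
    $target = if ($zone.IsDsIntegrated) { 'Secure' } else { 'None' }

    if ($belowBar -and $Remediate) {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $zone.ZoneName `
            -DynamicUpdate $target
    }

    [pscustomobject]@{
        Zone          = $zone.ZoneName
        ADIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        BelowBar      = $belowBar
        Recommended   = if ($belowBar) { $target } else { '-' }
    }
}

$report | Sort-Object BelowBar -Descending | Format-Table -AutoSize
```

Run it once without -Remediate to see the report; -Remediate only touches zones flagged BelowBar, and a file-backed zone moved to None must then be maintained by hand.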
| sbradcpa
Posts:496
 | | 05/10/2007 10:00 AM |
| "which means one-less infrastructure system to patch"
And THAT, my PatchManagement friend, is a VERY dangerous attitude to take. That is going to get us right back into a security mess with people seeing Ubuntu and Macs as the security fix they are not. There's a BIND security list for a reason. All systems are built by humans and run by humans and thus are flawed.
Ziots, Edward wrote:
(Golf Clap) Way to go Joe.
Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. On the other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this, Deji, you are still advocating AD-Int DNS, adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in the M$ DNS service.
This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and, sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+,
Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep
up... :)
Read back through the thread. I
would say we should have changed the subject but it never changed to
"Why you shouldn't use ADI DNS" in the first place so I find I am not
concerned.
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe,
Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
And will
this be as a result of integrating DNS into AD? I say no, because I
know that you can still do bad things regardless of the DNS flavor or
its complete separation from AD. This, to me, negates the argument that
you should not AD-integrate DNS because of security "issues".
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were
worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Bad
things can happen if I own your DNS. This DL is not an appropriate
forum for such a discussion. But you should assume that I can do bad
things to your forest if I own your DNS.
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack, which we used to see on a regular basis with WINS and misconfigured SAMBA, and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc. I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S.
And sorry for this... Rocky, tried to respond to your email, but it
bounced with a 550 access denied from netherworld.jws.com
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric
Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure… do we agree that secure dynamic updates (or no dynamic updates, i.e. you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
I
don't cut bait, I just don't agree that MSFT is the only company that
knows how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric
Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
The
argument for AD integrated DNS, as I understand it, is around dynamic
update. Replication is all well and good (maybe it is better than xfer,
maybe not, I really don’t know), but the secure dynamic update part is
the goodness side of it.
So,
how do you achieve this? I know joe cuts bait on dynamic updates….I’m
of the opinion (based on masses of PSS data over the last 7 years) that
most customers cannot do this. So how do you achieve it? Or do you just
accept the lack of security on this front?
After
we tease apart that one, I’d like to discuss your circular replication
argument further.
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots,
Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary/Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month from Microsoft land on this, that and the other service or offering, the less you can have on your DCs and infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, which again makes admin lives harder, but our systems more secure in the long run.
Also, it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now; it's probably in metasploit, ENCASE and other pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric
Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots,
Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in
here, but I am understanding that you both are recommending to avoid
AD-integrated DNS where possible?
On 5/9/07, joe
wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot.
This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
--
If you are a SBSer... you had better be reading
http://blogs.technet.com/sbs - the SBS Blog.
..and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
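The thread keeps circling three things a defender can actually check rather than argue about: which domain controllers host the DNS Server role at all (the "one less role on the DC" point), which zones still accept nonsecure dynamic updates (Eric's minimum-bar argument), and whether the MS07-029 package (KB935966, the number in the bulletin quoted above) is present on the DCs that do run DNS. The script below is an added example written for this page; it is not code from the list or from any participant. It assumes the RSAT ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later) and rights to query each DC remotely; the function name Get-DcDnsExposure is my own.

```powershell
# Added example, not code from the thread or its participants.
# Assumes the ActiveDirectory and DnsServer RSAT modules and remote query
# rights on every DC (both assumptions).
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DcDnsExposure {
    [CmdletBinding()]
    param(
        # Hotfix to look for; KB935966 is the MS07-029 package named in the bulletin.
        [string]$HotfixId = 'KB935966'
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcName = $dc.HostName
        $zones = $null
        try {
            # Get-DnsServerZone talks to the DNS Server service over RPC/WMI; if the
            # DC does not run the role (or blocks the call) this fails, which is the
            # "DNS is not on the DC" case the thread argues for.
            $zones = Get-DnsServerZone -ComputerName $dcName -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                DomainController = $dcName
                DnsRole          = 'absent or unreachable'
                Zone             = $null
                AdIntegrated     = $null
                DynamicUpdate    = $null
                HotfixPresent    = $null
                Finding          = 'DC does not expose the DNS Server RPC interface'
            }
            continue
        }

        # Patch state for the bulletin's KB on a DC that does run DNS.
        $fix = Get-HotFix -Id $HotfixId -ComputerName $dcName -ErrorAction SilentlyContinue
        $patched = [bool]$fix

        # Only real primary zones matter; auto-created reverse zones and secondaries
        # do not take dynamic updates from clients.
        $primaries = $zones | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
        foreach ($z in $primaries) {
            $finding = switch ($z.DynamicUpdate) {
                'NonsecureAndSecure' { 'accepts unauthenticated dynamic updates' }
                'Secure'             { 'secure dynamic update only' }
                'None'               { 'dynamic update disabled (records managed by hand)' }
                default              { "unrecognised setting: $($z.DynamicUpdate)" }
            }
            [pscustomobject]@{
                DomainController = $dcName
                DnsRole          = 'present'
                Zone             = $z.ZoneName
                AdIntegrated     = $z.IsDsIntegrated   # Secure-only update needs this
                DynamicUpdate    = $z.DynamicUpdate
                HotfixPresent    = $patched
                Finding          = $finding
            }
        }
    }
}

# Usage: show every DC without the DNS role (informational), every zone that is
# neither secure-only nor static, and every DNS-hosting DC missing the hotfix.
Get-DcDnsExposure |
    Where-Object {
        $_.DnsRole -ne 'present' -or
        $_.DynamicUpdate -eq 'NonsecureAndSecure' -or
        $_.HotfixPresent -eq $false
    } |
    Format-Table -AutoSize
```

The HotfixPresent column is only meaningful on the Windows versions the bulletin actually lists; on anything newer the fix is part of the base OS and the KB never appears as an installed hotfix, so treat a `False` there on a modern DC as "not applicable" rather than "unpatched". The role and dynamic-update columns apply to any version, and `AdIntegrated` is worth reading alongside `DynamicUpdate`: the `Secure` setting is only offered on AD-integrated zones, which is the coupling joe and Eric are disagreeing about.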
| EZiots
Posts:0
 | | 05/10/2007 10:15 AM |
| I know Susan, I know...
Just been an extremely hellish week here, and the Microsoft Advisories that I will be working on testing and deploying are about the last thing I wanted to see. Don't worry, the patches will be deployed and securing will be ongoing until the end of Windows or my retirement, either or :) I agree, Macs and Ubuntu and other Slackware isn't the solution; I agree if it's code it's got flaws, and those flaws will be fixed...
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, May 10, 2007 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
"which means one less infrastructure system to patch"
And THAT, my PatchManagement friend, is a VERY dangerous attitude to take. That is going to get us right back into a security mess with people seeing Ubuntu and Macs as the security fix they are not. There's a BIND security list for a reason. All systems are built by humans and run by humans and thus are flawed.
Ziots, Edward wrote:
v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
} @font-face {
font-family: Cambria Math;
}
@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
P {
FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
P.MsoListParagraph {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.5in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 34
}
LI.MsoListParagraph {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.5in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 34
}
DIV.MsoListParagraph {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.5in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 34
}
SPAN.gmailquote {
mso-style-name: gmail_quote
}
SPAN.EmailStyle20 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle21 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle22 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle23 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
page: Section1
}
(Golf Clap) Way to go Joe. Deji, I replied to you
offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int
DNS is the best thing since slice bread, and its got new features. Other side,
we hear of what is happening in the trenches, how the RPC's problem with DNS
from last month was definitely a literal kick in the balls to those that
enabled AD-Int DNS.There was a nice elaborate and realistic discussion
of how to exploit the DNS problem with traditional attack methods, to trully
obtain evil results. And in the face of all this Deji, you still advocating
AD-Int DNS, and adding an addtional role to the DC's and with that adding
addtional risk, and possible unknown, undiscovered vulnerabilities in M$ DNS
service.
This is why I don't drink the M$ kool-aid or subscribe to
the rhetoric from Microsoft, because they are viewing solution and ideas
through there own idealistic eutopia and sorry for most customers that just
isn't coming close to reality. You have to know your own risks, and the best
way to mitigate them, the vendor can't do everything for you, nor should you
let them. Nor does everything the vendor say is correct, or even valid for
your organization, bussiness, or what-not.
I think we all have trully beat perverbal dead horse into
the ground, and we probably just need a topic change before it starts to
get a little out of control.
Checking out, I have a DHCP server to convert off Windows
today, which means one-less infrastructure system to patch, one less headache
to deal with. Probably soon DNS will be converted, I guess 2 out of 3 aint
bad.
Cheers,
EZ
Edward E. Ziots Network Engineer Lifespan
Organization MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joeSent: Thursday, May 10, 2007 8:23
AMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Topic shift Deji, try to keep up...
:)
Read back through the thread. I would say we should have
changed the subject but it never changed to "Why you shouldn't use ADI DNS" in
the first place so I find I am not concerned.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, DejiSent: Thursday, May 10, 2007
1:07 AMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
And will this be as a
result of integrating DNS into AD? I say no, because I know that you can still
do bad things regardless of the DNS flavor or its complete separation from AD.
This, to me, negates the argument that you should not AD-integrate DNS because
of security "issues".
Sincerely,
_____
(, / |
/)
/) /) /---|
(/_ ______ ___// _ // _ )
/ |_/(__(_) //
(_(_)(/_(_(_/(__(/_(_/
/)
(/ Microsoft MVP - Directory
Serviceswww.akomolafe.com- we know
IT-5.75, -3.23Do
you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
From: Eric FleischmanSent: Wed
5/9/2007 8:34 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Bad
things can happen if I own your DNS. This DL is not an appropriate forum for
such a discussion. But you should assume that I can do bad things to your
forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joeSent: Wednesday, May 09, 2007 6:47
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Oh
true, I am not completely on board with the necessity of secure updates. I
hear a lot of noise around it and how someone can own your forest with it but
can't visualize a realistic attack vector in that realm to gain access that
likely wouldn't be easier to manage in some other way. I'd like to think I am
not a complete retard in this but I just don't see it and I have yet to have
found anywhere anyone who could point to even an accidental attack which we
used to see on a regular basis with WINS and misconfigured SAMBA and I easily
overcame those SAMBA issues when encountered.
Certainly
I don't expect an open discussion about actual attack methodshere in
this forum because if there is something real out there that just hasn't made
it onto the RADAR of anyone who tends to write exploits against things such
that they have done anything around it. Other attacks on forests etc I have
seen code examples for and not just stuff I have written. And certainly I
can't take my lack of understanding of a possible hole there as it being safe,
but I do look at the global knowledge level here and how serious MSFT may or
may not be about secure updates (i..e only being offered with one config and
it not being the default OS config) andthen make some judgements on
relative likelihood of possible compromise and the numbers just don't come up
as giving me much fear in the realm of insecure updates.
In my
experience, the biggest threat to come through DNS other than the various and
numerousissues that have occurred through the years due toADI DNS
dork ups and bugs has been this recent DNS vuln which was far more dangerous
to environments running ADI DNS than any other environment. In fact if you ran
ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was
a positively serious kick square in the balls for choosing that model.It
wasn't the idea that you get control of the DNS Service and then start pumping
in bad DNS entries, you had localsystem on the DC and just did whatever the
heck you felt like doing. Why take a nice scenic hack route past old windmill
road when the door to the gold is sitting wide open?
joe
P.S.
And sorry for this... Rocky, tried to respond to your email, but it bounced
with a 550 access denied from netherworld.jws.com
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007
6:49 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Totally
agree. If you are comparing AD integrated DNS with some other solution that
also does secure dynamic updates, that’s a great convo I’d love to be part of.
But I want to make sure…do we agree that secure dynamic updates (or no dynamic
updates, ie you manage it yourself) are a min bar requirement? I have not
gotten the sense that you really buy in to this argument
yet.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joeSent: Wednesday, May 09, 2007 2:05
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
I
don't cut bait, I just don't agree that MSFT is the only company that knows
how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007
3:37 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
The
argument for AD integrated DNS, as I understand it, is around dynamic update.
Replication is all well and good (maybe it is better than xfer, maybe not, I
really don’t know), but the secure dynamic update part is the goodness side of
it.
So,
how do you achieve this? I know joe cuts bait on dynamic updates….I’m of the
opinion (based on masses of PSS data over the last 7 years) that most
customers cannot do this. So how do you achieve it? Or do you just accept the
lack of security on this front?
After
we tease apart that one, I’d like to discuss your circular replication
argument further.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 9:44
AMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Eric,
Better
DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, its
basically the same. I am saying that for troubleshooting its just easier to
have primary/secondary and place your DNS where you need them, instead of
having it tied to a DC, and thus add another infrastructure role to the domain
controllers, when its not always needed.
I know
M$ wants you to do AD integrated DNS, since they think its the best thing
since sliced bread, but down in the trenches where the work gets done and the
problems get solved, its not always the best choice. I personally don't see
why you need to have your DNS and AD on the same replication scheme, if
something breaks in replication is it AD or is it DNS, you have no physical
seperation of the two, so you start going in loops.
And
given the flaws we keep getting each and every month, from Microsoft land on
this, that and the other service, or offering, the less you can have on your
DC' and Infrastructure systems and the better you hardnen them from the start
the better off you will be. This DNS RPC interface issue was just an example,
and I am sure the security researchers out there are going to find more, and
again makes admin lives harder, but our systems more secure in the long run.
Also
it takes Microsoft how long to create a patch to fix this, but the exploit
code has been out for quite a while, and I am sure some hacker has coded a
working exploit by now, its probably in metasploit, ENCASE and other Pentest
products, so point and click and fire away at the DC's with DNS, if you
haven't protected yourself.
Just
my take on the situation, not saying that AD Integrated DNS isnt a viable
option, but think of this you wonder why Internet DNS in on BIND, and its not
AD integrated or even M$and its spread throughout the world...
EZ
Edward E.
Ziots Network
Engineer Lifespan
Organization MCSE,MCSA,MCP+I,M.E,CCA,Network+,
Security + email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007
12:26 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
I don’t yet get this logic, please explain it to me like I’m an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed “better” DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be; not impossible, and not a regular event in most environments, but still, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with, say, 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com.... | | | |
| efleis1
Posts:0
 | | 05/10/2007 10:17 AM |
| My comments were not at all specific to AD integrated DNS. They
were specific to dynamic update, whether or not you use it, and asking about
views on secure dynamic update. You can of course run your forest as you see
fit…it is not my place to put forth decrees. I’m telling you that secure dynamic
update, or no dynamic update, is the way I would go. How you choose to deploy
& operate your forest is up to you.
~Eric
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 5:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. On the other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in the M$ DNS service.
This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have changed
the subject but it never changed to "Why you shouldn't use ADI DNS"
in the first place so I find I am not concerned.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
And will this be as a result of integrating DNS into AD? I say no,
because I know that you can still do bad things regardless of the DNS flavor or
its complete separation from AD. This, to me, negates the argument that you
should not AD-integrate DNS because of security "issues".
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com- we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Bad things can happen if I own your DNS. This DL is not an
appropriate forum for such a discussion. But you should assume that I can do
bad things to your forest if I own your DNS.
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure
updates. I hear a lot of noise around it and how someone can own your forest
with it but can't visualize a realistic attack vector in that realm to gain
access that likely wouldn't be easier to manage in some other way. I'd like to
think I am not a complete retard in this but I just don't see it and I have yet
to have found anywhere anyone who could point to even an accidental attack
which we used to see on a regular basis with WINS and misconfigured SAMBA and I
easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the radar of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc. I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise, and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln, which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS service and then start pumping in bad DNS entries, you had LocalSystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for this... Rocky, tried to respond to your email,
but it bounced with a 550 access denied from netherworld.jws.com
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Totally agree. If you are comparing AD integrated DNS with some
other solution that also does secure dynamic updates, that’s a great convo I’d
love to be part of. But I want to make sure…do we agree that secure dynamic
updates (or no dynamic updates, ie you manage it yourself) are a min bar
requirement? I have not gotten the sense that you really buy in to this
argument yet.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
I don't cut bait, I just don't agree that MSFT is the only company
that knows how to do some form of secure DDNS updates.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
The argument for AD integrated DNS, as I understand it, is
around dynamic update. Replication is all well and good (maybe it is better
than xfer, maybe not, I really don’t know), but the secure dynamic update part
is the goodness side of it.
So, how do you achieve this? I know joe cuts bait on dynamic
updates….I’m of the opinion (based on masses of PSS data over the last 7 years)
that most customers cannot do this. So how do you achieve it? Or do you just
accept the lack of security on this front?
After we tease apart that one, I’d like to discuss your circular
replication argument further.
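Two things the thread keeps circling are checkable rather than arguable: Eric's minimum bar that every zone either takes secure dynamic updates or none at all, and Edward's and joe's point that a DC carrying the DNS role was exposed to MS07-029 through the DNS management RPC interface. The script below is an added example, not code from any participant or from Microsoft. It assumes Windows PowerShell 5.1 on a domain-joined admin host with the RSAT ActiveDirectory and DnsServer modules, WinRM access to the DCs, and rights to read the DNS server configuration. The function name and output columns are mine. The registry check is for the workaround Microsoft published with the bulletin (RpcProtocol = 4 under the DNS service's Parameters key, which restricts DNS management RPC to local calls); it reports whether that workaround is set, not whether the patch itself is installed.

```powershell
# Added example, not from the thread: audit domain controllers for the points argued above.
# Assumes Windows PowerShell 5.1, RSAT ActiveDirectory + DnsServer modules, WinRM to each DC.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DcDnsExposure {
    param(
        # DCs to inspect; default is every DC in the current domain.
        [string[]] $ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $ComputerName) {
        # Facts that have to be read on the DC itself: the DNS Server service,
        # the resolver list the DC uses, and the MS07-029 registry workaround.
        $local = Invoke-Command -ComputerName $dc -ScriptBlock {
            $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
            $rpc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name RpcProtocol -ErrorAction SilentlyContinue
            [pscustomobject]@{
                HasDnsService = [bool]$svc
                ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
                # RpcProtocol = 4 limits DNS management RPC to local procedure calls (the bulletin's
                # workaround). Absent or any other value means remote RPC management is reachable.
                RpcProtocol   = if ($rpc) { $rpc.RpcProtocol } else { $null }
                # Which resolvers this DC points at: itself, a few 'anointed' DCs, or non-DC DNS servers.
                ClientDns     = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                                 Where-Object { $_.ServerAddresses } |
                                 Select-Object -ExpandProperty ServerAddresses) -join ', '
            }
        }

        # Zones that accept unsigned dynamic updates. 'Secure' (AD-integrated secure update)
        # or 'None' meets the minimum bar; 'NonsecureAndSecure' fails it.
        $insecureZones = @()
        if ($local.HasDnsService) {
            $insecureZones = Get-DnsServerZone -ComputerName $dc |
                Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                               $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
                ForEach-Object { if ($_.IsDsIntegrated) { "$($_.ZoneName) (ADI)" } else { "$($_.ZoneName) (file)" } }
        }

        [pscustomobject]@{
            DomainController      = $dc
            DnsServerService      = $local.ServiceStatus
            RpcRemoteMgmtDisabled = ($local.RpcProtocol -eq 4)
            InsecureUpdateZones   = ($insecureZones -join ', ')
            ClientDnsServers      = $local.ClientDns
        }
    }
}

Get-DcDnsExposure | Format-Table -AutoSize
```

Read the output the way the thread frames it: a DC whose DnsServerService column says "not installed" was never in scope for this bulletin; one that runs DNS with RpcRemoteMgmtDisabled false and unpatched is the case joe describes, LocalSystem on a DC; any name in InsecureUpdateZones is a zone anyone on the network can write to, regardless of whether it is AD-integrated or file-backed. Setting RpcProtocol to 4 is also what makes the DNS MMC and dnscmd stop working from other hosts, which is the "unmanageable services" trade-off joe mentions.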
| sbradcpa
Posts:496
 | | 05/10/2007 10:19 AM |
| Blackhat.com
Past presentation: Embedded OSes and their security risks.
Presentation on how appliances are a wonderful entry place for owning a network as they get overlooked in the patch and maintenance (among other things).
Watch it.
joe wrote:
I think I have said similar things but I chose a normal fork. :)
My favorite deployments have DNS nowhere near Windows and running with a very dedicated and knowledgeable DNS team.
At some point the message of "AD is really dependent on DNS" became corrupted to be "AD and DNS go together like peas and carrots". It simply isn't true. AD is even more dependent on the network itself than it is on DNS; does that mean AD should be underpinning all of the switches and routers? Gosh I hope not.
Ah, an appliance helps, but hopefully is still going to be monitored; it is likely just a *nix box without a keyboard port and last I looked those folks still had patches too. However being focused on a task, that helps dramatically. Just like reducing the number of services running on DCs does. :)
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots,
Edward
Sent: Thursday, May 10, 2007 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address.
I can see that a lot do go with the M$ model, bread and butter of things, but others don't.
DNS infrastructure has gone from BIND, to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly.
So back to the grind, it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS...
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+,
Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch
Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products, I recall patching my old RSTS/E systems but back then a patch was often more of a manual process, you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.
> one less headache to deal with.
I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.
> sorry for most customers that just isn't coming close to reality
I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT's customers live in the MSFT reality, and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it, and actually they call it, the Bread and Butter. I mentioned it in one of my other posts: for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things, I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS; most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.
That being said, if you have DNS understanding and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI, and even from MSFT DNS if you were ever even there, is a very valid thing to do.
joe
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe,
Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
And will
this be as a result of integrating DNS into AD? I say no, because I
know that you can still do bad things regardless of the DNS flavor or
its complete separation from AD. This, to me, negates the argument that
you should not AD-integrate DNS because of security "issues".
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com- we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were
worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Bad
things can happen if I own your DNS. This DL is not an appropriate
forum for such a discussion. But you should assume that I can do bad
things to your forest if I own your DNS.
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure
updates. I hear a lot of noise around it and how someone can own your
forest with it but can't visualize a realistic attack vector in that
realm to gain access that likely wouldn't be easier to manage in some
other way. I'd like to think I am not a complete retard in this but I
just don't see it and I have yet to find anyone anywhere who
could point to even an accidental attack, which we used to see on a
regular basis with WINS and misconfigured SAMBA, and I easily overcame
those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in
this forum because if there is something real out there that just
hasn't made it onto the RADAR of anyone who tends to write exploits
against things such that they have done anything around it. Other
attacks on forests etc. I have seen code examples for, and not just stuff
I have written. And certainly I can't take my lack of understanding of
a possible hole there as it being safe, but I do look at the global
knowledge level here and how serious MSFT may or may not be about
secure updates (i.e. only being offered with one config and it not
being the default OS config) and then make some judgements on relative
likelihood of possible compromise, and the numbers just don't come up as
giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS, other than the
various and numerous issues that have occurred through the years due
to ADI DNS dork-ups and bugs, has been this recent DNS vuln which was
far more dangerous to environments running ADI DNS than any other
environment. In fact if you ran ADI DNS in an enterprise with
distributed DNS Admin delegation, this issue was a positively serious
kick square in the balls for choosing that model. It wasn't the idea
that you get control of the DNS Service and then start pumping in bad
DNS entries; you had LocalSystem on the DC and just did whatever the
heck you felt like doing. Why take a nice scenic hack route past old
windmill road when the door to the gold is sitting wide open?
joe
P.S.
And sorry for this... Rocky, tried to respond to your email, but it
bounced with a 550 access denied from netherworld.jws.com
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric
Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Totally
agree. If you are comparing AD integrated DNS with some other solution
that also does secure dynamic updates, that’s a great convo I’d love to
be part of. But I want to make sure... do we agree that secure dynamic
updates (or no dynamic updates, i.e. you manage it yourself) are a min
bar requirement? I have not gotten the sense that you really buy in to
this argument yet.
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
I
don't cut bait, I just don't agree that MSFT is the only company that
knows how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric
Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
The
argument for AD integrated DNS, as I understand it, is around dynamic
update. Replication is all well and good (maybe it is better than xfer,
maybe not, I really don’t know), but the secure dynamic update part is
the goodness side of it.
So,
how do you achieve this? I know joe cuts bait on dynamic updates….I’m
of the opinion (based on masses of PSS data over the last 7 years) that
most customers cannot do this. So how do you achieve it? Or do you just
accept the lack of security on this front?
After
we tease apart that one, I’d like to discuss your circular replication
argument further.
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots,
Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary/Secondary,
it's basically the same. I am saying that for troubleshooting it's just
easier to have primary/secondary and place your DNS where you need
them, instead of having it tied to a DC, and thus add another
infrastructure role to the domain controllers, when it's not always
needed.
I know M$ wants you to do AD integrated DNS, since they think it's the
best thing since sliced bread, but down in the trenches where the work
gets done and the problems get solved, it's not always the best choice.
I personally don't see why you need to have your DNS and AD on the same
replication scheme; if something breaks in replication, is it AD or is
it DNS? You have no physical separation of the two, so you start going
in loops.
And given the flaws we keep getting each and every month from Microsoft
land on this, that and the other service or offering, the less you can
have on your DCs and infrastructure systems and the better you harden
them from the start, the better off you will be. This DNS RPC interface
issue was just an example, and I am sure the security researchers out
there are going to find more, which again makes admin lives harder, but
our systems more secure in the long run.
Also, it takes Microsoft how long to create a patch to fix this, but the
exploit code has been out for quite a while, and I am sure some hacker
has coded a working exploit by now; it's probably in Metasploit, EnCase
and other pentest products, so point and click and fire away at the
DCs with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a
viable option, but think of this: you wonder why Internet DNS is on
BIND, and it's not AD integrated or even M$, and it's spread throughout
the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+,
Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric
Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
I
don’t yet get this logic, please explain it to me like I’m an idiot.
The primary/secondary road ends up taking you to a place where you point
DCs at the subset of DNS servers you end up creating. How is this
better than using AD integrated DNS, and pointing DCs to a subset
of anointed “better” DNS servers?
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots,
Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly
configured. If you follow the logic of not having all your eggs in one
basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box,
and integrated into the AD replication? If something is broken in the AD
replication scheme it's going to affect your DNS as well, which also
affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task
than it needs to be, not impossible, and not a regular event in most
environments, but still, again, infrastructure roles (DHCP, WINS, DNS, DC)
should be separate and redundant as per good network design (physical site
redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable
with, but I have been running primary, secondary DNS, and tertiary DNS at a
third site for years and not had many problems with DNS replication,
uptime and minimal troubleshooting, plus I know if my primary site gets
hit I've got critical infrastructure elsewhere that can continue to
service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most
of the folks that still run BIND for their DNS services would probably
see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+,
Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in
here, but I am understanding that you both are recommending to avoid
AD-integrated DNS where possible?
On 5/9/07, joe
wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't
have been vulnerable if you didn't have AD-Integrated DNS. Which limits
the attack surface quite a bit when you are dealing with say 2-3 DNS
servers instead of multiple DNS servers with DC responsibilities to
boot.
This is why I am never in favor of putting multiple infrastructure
roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
--
If you are a SBSer... you had better be reading
http://blogs.technet.com/sbs - the SBS Blog.
..and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
| | | |
| efleis1
Posts:0
 | | 05/10/2007 12:29 PM |
| The point is just that you want to remove these things, not
justify that because one exists you can let them all in. And of course, some
are easier than others.
~Eric
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joe
Sent: Wednesday, May 09, 2007 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
I agree that the DL isn't the appropriate place which is why I said
that specifically. :)
As for the rest... Bad things can happen if I can do network
tracing on your network. You should assume that I can do bad things to your
forest if I can trace your network.
Where do we stand now? No insecure DDNS and no network. :)
Or... I just don't let you on my network. None of the other AD
"experts" I have spoken with seem so positive about their ability to
compromise my forest just by me not using ADI Secure DDNS.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Bad things can happen if I own your DNS. This DL is not an
appropriate forum for such a discussion. But you should assume that I can do
bad things to your forest if I own your DNS.
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
| amulnick
Posts:163
 | | 05/11/2007 9:50 AM |
| That's the one I was looking for in this conversation. :)
DNS - is it a core part of AD or not? You'll have to answer that question prior to getting to the idea that it should be secure updates or not. Before you get too far down that road, please show me a company that has been in business longer than 10 years, has more than 5K machines and has them all using secure DNS. More likely they have dumbed down the zone to allow for "legacy" systems. Until that gets addressed, the secure DNS idea is a dead end. Once you get past all of that, the only two merits left are management and reliability.

In reverse order: reliability comes from the code being solid and the replication being strong. We get that in ADI DNS, but we can get that elsewhere at no additional cost. Truth be told, we really get our best results when the l-admins know what they're doing. I run across very few that understand DNS well enough to operate it, let alone design the name resolution systems. Size seems to invert that result in that the larger shops have less of a handle on name resolution. Could be the years of abuse that they have had to endure. Could be the drinking and medications. At any rate, layer 8 is another discussion I'm sure. But the idea that your DNS is solid comes from your design foundation.

Management: Hmm... management of ADI DNS is not very good for large environments. Let's be honest, it could be a lot better but I think that Microsoft never intended to have the best DNS on the market. It's free for crying out loud (well, included anyway). It could be better and everyone knows it. dnscmd? Um. Right. Auditing? Well, yes some things can be done, but it can be very difficult to manage in a large multi-writeable distributed environment especially for somebody used to a different topology. In the end, I think it just comes down to Microsoft making a DNS server implementation that's "good enough" and nothing more. Will it work for you? I've seen some large companies make it work. But they did so by making it more BIND-like in its use.

Go figure. I have to say that it works fine. Or you could use another implementation at your discretion and shouldn't think much of it. I don't buy into the idea that it is more surface area for attack and therefore should be run on another platform or separate from my AD. I buy into the idea that without DNS I have no AD. It is therefore part of the service called Active Directory and should run on the same server if I choose. Without guilt. Al
P.S. I do get the idea that it can lead to a compromise of the AD because it offers another avenue. But be honest, if that's your level of sophistication and you're on my network, I've got way bigger problems and you have much lower hanging fruit if I can't get that right.
On 5/10/07, joe wrote: I think I have said similar things but I chose a normal fork. :)
My favorite deployments have DNS nowhere near Windows and running with a very dedicated and knowledgeable DNS team.
At some point the message of "AD is really dependent on DNS" became corrupted to be "AD and DNS go together like peas and carrots". It simply isn't true. AD is even more dependent on the network itself than it needs DNS; does that mean AD should be underpinning all of the switches and routers? Gosh I hope not. Ah, an appliance helps, but hopefully is still going to be monitored; it is likely just a *nix box without a keyboard port and last I looked those folks still had patches too. However being focused in a task, that helps dramatically. Just like reducing the number of services running on DCs does. :)
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address. I can see that a lot do go with the M$ model, bread and butter of things, but others don't.
DNS infrastructure has gone from BIND, to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly. So back to the grind, it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS... Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I,M.E ,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

> Checking out, I have a DHCP server to convert off Windows today, which means one-less infrastructure system to patch

Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products; I recall patching my old RSTS/E systems, but back then a patch was often more of a manual process, you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.

> one less headache to deal with.

I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.

> sorry for most customers that just isn't coming close to reality

I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT customers live in the MSFT reality and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it, and actually they call it, the Bread and Butter. I mentioned it in one of my other posts, for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS; most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now. That being said, if you have DNS understanding and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI, and even MSFT DNS if you were ever even there, is a very valid thing to do.
joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. On the other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this, Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in the M$ DNS service. This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not. I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control. Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad. Cheers, EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I,M.E ,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have changed the subject but it never changed to "Why you shouldn't use ADI DNS" in the first place so I find I am not concerned.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".
Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it, and I have yet to have found anywhere anyone who could point to even an accidental attack, which we used to see on a regular basis with WINS and misconfigured SAMBA, and I easily overcame those SAMBA issues when encountered. Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise, and the numbers just don't come up as giving me much fear in the realm of insecure updates. In my experience, the biggest threat to come through DNS, other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs, has been this recent DNS vuln, which was far more dangerous to environments running ADI DNS than any other environment.
In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries; you had LocalSystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open? joe
P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, i.e. you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve this? I know joe cuts bait on dynamic updates….I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front? After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Eric,
Better DNS servers? DNS is DNS, whether AD integrated or primary/secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed. I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops. And given the flaws we keep getting each and every month from Microsoft land on this, that and the other service or offering, the less you can have on your DCs and infrastructure systems, and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run. Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now; it's probably in Metasploit, ENCASE and other pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself. Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world... EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't yet get this logic, please explain it to me like I'm an idiot. The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS and pointing DCs to a subset of anointed "better" DNS servers?

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense. Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure. Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here). These are just my views; administrators will do what they feel comfortable with, but I have been running primary, secondary and tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues. I think in the age of DR this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it. Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?

On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer | | | |
| amulnick
Posts:163
 | | 05/11/2007 9:54 AM |
| Eric, I would appreciate some links to some of the risks of not using secure dynamic updates in an environment and how that should be expected to be handled. I've often heard the same, but the risk escapes me over that of regular dns. Secure would hopefully just prevent somebody from hijacking my dns record and using their own to redirect clients to something else. Ok. Classic attack vector is now closed down by having the records be secure update only. Anything else?
Feel free to drop the links off-line. I don't care if it's the exploits but I am interested in the risks you see. On 5/10/07, Eric Fleischman wrote:
My comments were not at all specific to AD integrated DNS. They were specific to dynamic update, whether or not you use it, and asking about views on secure dynamic update. You can of course run your forest as you see fit…it is not my place to put forth decrees. I'm telling you that secure dynamic update, or no dynamic update, is the way I would go. How you choose to deploy & operate your forest is up to you. ~Eric
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 12:26 PMTo: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution I don't yet get this logic, please explain it to me like I'm an idiot. The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than having use AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 8:23 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense. Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication, if something is broken in AD replication scheme its going to affect your DNS as well, which also affects alot more of your infrastructure. Secondly, it makes decommission of the DC's a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles ( DHCP, WINS, DNS, DC) should be seperate and redundant as per good network design ( PhysicalSite redundancy is what I am driving at here) These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues. I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for there DNS services would probably see the reasoning in it. Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of DannySent: Wednesday, May 09, 2007 10:50 AMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote: I can find no fault in that paragraph. :)--O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm-----Original Message-----From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 8:57 AM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code ExecutionFunny part if you can call it a funny part is that your DC's wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limitsthe attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilites to boot. This is whay I am never in the favor of putting multiple infrastructureroles on any one system, especially a DC.ZEdward E. Ziots Network EngineerLifespan OrganizationMCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +email:eziots@lifespan.org cell:401-639-3505-----Original Message-----From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, May 08, 2007 11:21 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code ExecutionExchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included.Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....joe wrote:> Nice and handy that it just so happened to be all wrapped up and done > for the May patch release so someone didn't have to get a knock on the> head inside of MSFT for two out of band patches in a month... 
>> Also nice to have DCs in a state of having unmanageable services or > exposed to exploits in enterprise environments I think.>> --> O'Reilly Active Directory Third Edition - > http://www.joeware.net/win/ad3e.htm>>> -----Original Message-----> From: ActiveDir-owner@mail.activedir.org> [mailto: mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan> Bradley, CPA aka Ebitz - SBS Rocks [MVP]> Sent: Tuesday, May 08, 2007 1:28 PM> To: mailto:ActiveDir@mail.activedir.org> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC> Interface Could Allow Remote,Code Execution>> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow > Remote Code Execution (935966) > http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx > Max Severity: Critical>> List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx> List archive: http://www.activedir.org/ma/default.aspx>> List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx> List archive: http://www.activedir.org/ma/default.aspx>>--If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ma/default.aspxList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ma/default.aspx -- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer | | | |
| sbradcpa
Posts:496
 | | 05/11/2007 10:08 AM |
| DNS Threats & DNS Weaknesses (DNSSEC - DNS Security Extensions):
http://www.dnssec.net/dns-threats.php
http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm
Step 3 - Restrict dynamic updates to only authorized sources and be choosy about it.
Dynamic updates are both useful and dangerous. Useful because you can
keep your zone up-to-date, but risky since an authorized user can
completely change your zone to anything they want, including erasing
it completely. If your needs dictate the use of dynamic updates, then
be sure to restrict its use as tightly as possible. This means use
individual IP addresses in the access control list. However, you now
have another reason to be sure that your border router or
firewall/proxy has strong anti-IP-address-spoofing rules in place. (See
BSP xx-xxx-xxxx Blocking Spoofed Source IP Address with Ingress
Filtering. This BSP is based on IETF RFC
2267, Network Ingress Filtering… Get your router/firewall
administrators to take a look at it.)
http://csrc.nist.gov/fasp/FASPDocs/network-security/rfc2267.txt
http://www.ietf.org/rfc/rfc3007.txt
Any zone permitting dynamic updates is inherently less secure than a
static secure zone maintained off line as recommended in RFC 2065. If
nothing else, secure dynamic update requires on line change to and
re-signing of the zone SOA resource record (RR) to increase the SOA
serial number. This means that compromise of the primary server host
could lead to arbitrary serial number changes. Isolation of dynamic RRs
to separate zones from those holding most static RRs can limit the
damage that could occur from breach of a dynamic zone's security.
http://www.ietf.org/rfc/rfc2137.txt
Obviously not the great ~ but I googled in the meantime...
Al Mulnick wrote:
Eric, I would appreciate some links to some of the risks of not
using secure dynamic updates in an environment and how that should be
expected to be handled. I've often heard the same, but the risk escapes
me over that of regular dns. Secure would hopefully just prevent
somebody from hijacking my dns record and using their own to redirect
clients to something else. Ok. Classic attack vector is now closed down
by having the records be secure update only.
Anything else?
Feel free to drop the links off-line. I don't care if it's the
exploits but I am interested in the risks you see.
On 5/10/07, Eric Fleischman wrote:
My comments were not at all specific to AD integrated DNS. They were
specific to dynamic update, whether or not you use it, and asking about
views on secure dynamic update. You can of course run your forest as
you see fit…it is not my place to put forth decrees. I'm telling you
that secure dynamic update, or no dynamic update, is the way I would
go. How you choose to deploy & operate your forest is up to you.
~Eric
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent:
Thursday, May 10, 2007 5:33 AM
To: ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. Other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DC's and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in M$ DNS service.
This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and sorry for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them, the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beat the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,
M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji,
try to keep up... :)
Read back through
the thread. I would say we should have changed the subject but it never
changed to "Why you shouldn't use ADI DNS" in the first place so I find
I am not concerned.
--
O'Reilly Active
Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
And will this be as
a result of integrating DNS into AD? I say no, because I know that you
can still do bad things regardless of the DNS flavor or its complete
separation from AD. This, to me, negates the argument that you should
not AD-integrate DNS because of security "issues".
Sincerely,
Microsoft MVP -
Directory Services
www.akomolafe.com - we
know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To:
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Bad
things can happen if I own your DNS. This DL is not an appropriate
forum for such a discussion. But you should assume that I can do bad
things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment.
In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for
this... Rocky, tried to respond to your email, but it bounced with a
550 access denied from
netherworld.jws.com
--
O'Reilly Active
Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure…do we agree that secure dynamic updates (or no dynamic updates, ie you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
I don't cut bait, I
just don't agree that MSFT is the only company that knows how to do
some form of secure DDNS updates.
--
O'Reilly Active
Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve this? I know joe cuts bait on dynamic updates….I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?
After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent:
Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme, if something breaks in replication is it AD or is it DNS, you have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DC's with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$ and it's spread throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,
M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent:
Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication, if something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DC's a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (Physical Site redundancy is what I am driving at here).
These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,
M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows
DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but I am
understanding that you both are recommending to avoid AD-integrated DNS
where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Funny part if you can call it a funny part is that your DC's wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot.
This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included.
Don't forget the Word and Office patches for the workstations.... and
WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
--
If you are a SBSer... you had better be reading
http://blogs.technet.com/sbs
- the SBS Blog.
..and my blog is at www.sbsdiva.com....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
| | | |
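The NIST step quoted in the post above (restrict dynamic updates to authorized sources, and remember that a source-IP ACL is only as strong as the anti-spoofing filtering in front of it) and RFC 3007's key-authenticated update map directly onto a configuration audit. The script below is an added example, not code from this thread or from any of its participants. It classifies each zone's dynamic-update policy from a constructed BIND-style named.conf fragment (update-policy or allow-update with TSIG keys counts as secure, an address ACL as weak, any as open) and from the Windows DNS AllowUpdate setting (0 = none, 1 = nonsecure and secure, 2 = secure only, the values dnscmd /Config <zone> /AllowUpdate takes; secure-only is offered only for AD-integrated zones, which is the "one config" joe refers to). An open zone is exactly the case joe describes in his next post, where any host can overwrite or delete records. The zone names, key name, secret and file names in the sample are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Windows DNS server: dnscmd <server> /Config <zone> /AllowUpdate {0|1|2}
# 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only
# (secure-only is available only for AD-integrated zones).
WINDOWS_ALLOW_UPDATE = {
    0: ("none", "ok", "dynamic update disabled; zone is maintained by hand"),
    1: ("open", "high", "nonsecure and secure: any host that can reach the server "
                        "can add, overwrite or delete records"),
    2: ("key", "ok", "secure only: updates must be authenticated (GSS-TSIG)"),
}

SEVERITY_RANK = {"ok": 0, "warn": 1, "high": 2}


@dataclass
class Finding:
    zone: str
    policy: str    # none | key | ip-acl | open
    severity: str  # ok | warn | high
    detail: str


def split_zones(conf: str) -> Iterator[Tuple[str, str]]:
    """Yield (zone name, stanza body) for each zone "..." { ... }; block.

    Braces are matched by depth so nested allow-update { ... }; blocks
    do not end the zone stanza early."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth > 0:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def classify_bind_zone(body: str) -> Tuple[str, str, str]:
    """Return (policy, severity, detail) for one BIND zone stanza body."""
    if re.search(r'update-policy\s*\{', body):
        # update-policy grants are tied to a TSIG/SIG(0) identity (RFC 3007 style).
        return "key", "ok", "update-policy: updates authenticated per key"
    m = re.search(r'allow-update\s*\{([^}]*)\}', body)
    if not m:
        return "none", "ok", "no allow-update: static zone"
    entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
    if not entries or entries == ["none"]:
        return "none", "ok", "allow-update { none; }: static zone"
    if "any" in entries:
        return "open", "high", "allow-update { any; }: any host can rewrite or delete records"
    if all(e.startswith("key ") for e in entries):
        return "key", "ok", "allow-update restricted to TSIG key(s)"
    # Address or prefix ACL: legitimate, but spoofable without ingress filtering (RFC 2267).
    return "ip-acl", "warn", ("allow-update by source IP (%s): only as strong as the "
                              "anti-spoofing rules at the border" % ", ".join(entries))


def audit_bind(conf: str) -> List[Finding]:
    return [Finding(name, *classify_bind_zone(body)) for name, body in split_zones(conf)]


def audit_windows(zones: dict) -> List[Finding]:
    """zones maps zone name -> AllowUpdate value (0, 1 or 2) as read from the server."""
    return [Finding(name, *WINDOWS_ALLOW_UPDATE[val]) for name, val in zones.items()]


def worst_severity(findings: List[Finding]) -> str:
    """Overall verdict for a set of findings, useful as a CI/compliance gate."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="ok")


# Constructed named.conf fragment for the example (not a real configuration).
SAMPLE_NAMED_CONF = """
key "ddns-key" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };
zone "corp.example" IN {
    type master;
    file "corp.example.zone";
    update-policy { grant ddns-key zonesub ANY; };
};
zone "lab.example" {
    type master;
    file "lab.example.zone";
    allow-update { 192.0.2.10; 192.0.2.11; };
};
zone "legacy.example" {
    type master;
    file "legacy.example.zone";
    allow-update { any; };
};
zone "static.example" {
    type master;
    file "static.example.zone";
};
"""

# Constructed Windows zone settings (zone name -> AllowUpdate value).
SAMPLE_WINDOWS_ZONES = {"corp.example": 2, "legacy.example": 1, "static.example": 0}

if __name__ == "__main__":
    for f in audit_bind(SAMPLE_NAMED_CONF) + audit_windows(SAMPLE_WINDOWS_ZONES):
        print(f"{f.severity:4}  {f.zone:16}  {f.policy:7}  {f.detail}")
```

Run against a real named.conf, the parser is deliberately shallow (it does not follow include or resolve named acl lists), so a named ACL shows up as ip-acl and should be checked by hand; the point of the classification is that only the key policies give the server a way to tell a legitimate updater from any host that can spoof a source address.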
| listmail
Posts:824
 | | 05/11/2007 11:00 AM |
| Two main things I've been able to work out (don't worry not
giving away the keys to the kingdom here).
1. DOS via creating garbage records or zilching out records
(what happens if every record in the zone is deleted?). This IMO is the most likely
attack.
2. Similar to the issue with WINS being unauthenticated,
enabler for man in the middle. This would only be the first step obviously.
Lots of other knowledge and capability required.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Friday, May 11, 2007 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Eric, I would appreciate some links to some of the risks of not using
secure dynamic updates in an environment and how that should be expected to be
handled. I've often heard the same, but the risk escapes me over that of regular
dns. Secure would hopefully just prevent somebody from hijacking my dns
record and using their own to redirect clients to something else. Ok. Classic
attack vector is now closed down by having the records be secure update only. Anything else?
Feel free to drop the links off-line. I don't care if it's the
exploits but I am interested in the risks you see.
On 5/10/07, Eric Fleischman wrote:
My comments were not at all
specific to AD integrated DNS. They were specific to dynamic update, whether
or not you use it, and asking about views on secure dynamic update. You can of
course run your forest as you see fit…it is not my place to put forth decrees.
I'm telling you that secure dynamic update, or no dynamic update, is the way I
would go. How you choose to deploy & operate your forest is up to you.
~Eric
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 5:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
(Golf Clap) Way to go Joe.
Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. On the other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in the M$ DNS service.
This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and, sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Topic shift Deji, try to keep
up... :)
Read back through the thread. I
would say we should have changed the subject but it never changed to "Why you
shouldn't use ADI DNS" in the first place so I find I am not concerned.
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
And will this be as a result of
integrating DNS into AD? I say no, because I know that you can still do bad
things regardless of the DNS flavor or its complete separation from AD. This,
to me, negates the argument that you should not AD-integrate DNS because of
security "issues".
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Bad things can happen if I
own your DNS. This DL is not an appropriate forum for such a discussion. But
you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc. I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for this...
Rocky, tried to respond to your email, but it bounced with a 550 access denied
from netherworld.jws.com
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Totally agree. If you are
comparing AD integrated DNS with some other solution that also does secure
dynamic updates, that's a great convo I'd love to be part of. But I want to
make sure…do we agree that secure dynamic updates (or no dynamic updates, ie
you manage it yourself) are a min bar requirement? I have not gotten the sense
that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
I don't cut bait, I just don't
agree that MSFT is the only company that knows how to do some form of secure
DDNS updates.
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
The argument for AD
integrated DNS, as I understand it, is around dynamic update. Replication is
all well and good (maybe it is better than xfer, maybe not, I really don't
know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve this?
I know joe cuts bait on dynamic updates…I'm of the opinion (based on masses
of PSS data over the last 7 years) that most customers cannot do this. So how
do you achieve it? Or do you just accept the lack of security on this front?
After we tease apart that
one, I'd like to discuss your circular replication argument
further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...
EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (Physical Site redundancy is what I am driving at here).
These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS, tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Sorry to jump in here, but I am understanding
that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Exchange one is the one I'm eyeing up this month.
IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
-- CPDE - Certified Petroleum Distribution
Engineer CCBC - Certified Canadian Beer Consumer | | | |
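The mitigation the posts above keep circling (secure dynamic updates or none; only DCs write, and only the AD service records; static A records for everything else) in concrete form, as an added BIND named.conf illustration rather than anything a poster supplied: the permissive zone setting joe's two risks depend on (garbage or wiped records, unauthenticated writes enabling a man in the middle), beside the source-address restriction he asks for and a key-based policy. Zone name, addresses and key name are constructed placeholders; the key-based variant assumes the DC-originated updates are signed with the shared TSIG key shown (as nsupdate -k would do), whereas a Windows DC's own registration uses GSS-TSIG, whose BIND setup (tkey-gssapi-keytab and Kerberos identities in the policy) is not shown here.

```conf
// Added illustration, not from the thread. Zone name, addresses and key
// name are constructed placeholders. The three zone stanzas are
// alternatives for the same zone; a real named.conf carries only one.

// --- Variant A: the unauthenticated-update situation the thread warns about.
// Any host that can reach the server may add, change or delete any record:
// garbage records, a wiped zone, or a name repointed at another host.
zone "corp.example.test" {
    type master;
    file "corp.example.test.zone";
    allow-update { any; };
};

// --- Variant B: the "which IP addresses can write to DDNS" control asked
// for above. Only the listed DC addresses may send updates. This narrows who
// can write, but a source-address check alone is weak: the update request's
// source address is not authenticated, so treat it as a floor, not a fix.
acl "dc-addresses" { 10.10.0.10; 10.10.0.11; };   // constructed DC addresses

zone "corp.example.test" {
    type master;
    file "corp.example.test.zone";
    allow-update { dc-addresses; };
};

// --- Variant C: "secure dynamic updates, or none" in practice.
// Workstation and server A records (including the DCs' own host records)
// are static, maintained by the DNS team in the zone file, so no client can
// write them dynamically at all. Only updates signed with the shared TSIG
// key may touch the AD service records, and only the record types AD
// registers in each branch; everything else in the zone is read-only.
key "dc-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE+WITH+TSIG+KEYGEN+OUTPUT=";   // placeholder: use tsig-keygen output
};

zone "corp.example.test" {
    type master;
    file "corp.example.test.zone";
    update-policy {
        grant dc-update-key subdomain _msdcs.corp.example.test. SRV CNAME A;
        grant dc-update-key subdomain _sites.corp.example.test. SRV;
        grant dc-update-key subdomain _tcp.corp.example.test.   SRV;
        grant dc-update-key subdomain _udp.corp.example.test.   SRV;
        grant dc-update-key name      corp.example.test.        A;   // domain-root A (LdapIpAddress)
    };
};
```

With variant C in place, an unsigned update, or a signed one aimed at a workstation's A record, is refused with REFUSED and logged, which is also the audit trail Al says is hard to get from ADI DNS.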
| listmail
Posts:824
 | | 05/12/2007 12:18 PM |
| > DNS - is it a core part of AD or not?
Easy.
Absolutely not. DNS is a dependency of AD, it isn't a core part of AD. It is an application that can use AD, it isn't a core part of AD. LDAP is a core part of AD. GPOs are more of a core part of AD than DNS is and GPOs absolutely aren't a core part of AD. You cannot have GPOs without AD (at least right now...), DNS... well shoot, that works even on non-MSFT platforms.
> Before you get too far down that road, please show me a
> company that has been in business longer than 10 years,
> has more than 5K machines and has them all using secure dns.
In the truly big companies, they often don't allow any dynamic updates EXCEPT for DCs. In fact, a common mechanism is to use static A records and only dynamic updates for SRV and other AD functional records.
> management of ADI DNS is not very good for large environments
Amen.
> I think it just comes down to Microsoft making a dns server
> implementation that's "good enough" and nothing more.
It's for Susan's customers, it's for the bread and butter folks, it's for the folks who hear the words Name Resolution and dive for cover. The funny thing, to me, is that all the people that complained about WINS are just SOL with DNS if there are issues... Luckily, it doesn't encounter quite as many issues as some people have had with WINS. Me, I didn't have issues with WINS except for SAMBA machines registering as DCs and I always knew that within 2 minutes of it occurring and it was fixed within 5 minutes on almost every occasion. Would be nice if they just added the simple ability to specify which IP addresses can write to DDNS like some other implementations. That one simple thing could alleviate a great deal of the whole issue around secure DDNS and having to use ADI DNS to use it.
> I've got way bigger problems and you have much lower hanging fruit if I can't get that right.
Actually, that is pretty much the opinion Dean and I came to after quite a bit of discussion. But we were drinking so you can't listen to us...
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Friday, May 11, 2007 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
That's the one I was looking for in this conversation. :)
DNS - is it a core part of AD or not? You'll have to answer that question prior to getting to the idea that it should be secure updates or not.
Before you get too far down that road, please show me a company that has been in business longer than 10 years, has more than 5K machines and has them all using secure dns. More likely they have dumbed down the zone to allow for "legacy" systems. Until that gets addressed, the secure dns idea is a dead end. Once you get past all of that, the only two merits left are management and reliability.
In reverse order: reliability comes from the code being solid and the replication being strong. We get that in ADI dns, but we can get that elsewhere at no additional cost. Truth be told, we really get our best results when the l-admins know what they're doing. I run across very few that understand DNS well enough to operate it, let alone design the name resolution systems. Size seems to invert that result in that the larger shops have less of a handle on name resolution. Could be the years of abuse that they have had to endure. Could be the drinking and medications. At any rate, layer 8 is another discussion I'm sure. But the idea that your dns is solid comes from your design foundation.
Management: Hmm... management of ADI DNS is not very good for large environments. Let's be honest, it could be a lot better but I think that Microsoft never intended to have the best DNS on the market. It's free for crying out loud (well, included anyway). It could be better and everyone knows it. dnscmd? Um. Right. Auditing? Well, yes some things can be done, but it can be very difficult to manage in a large multi-writeable distributed environment, especially for somebody used to a different topology. In the end, I think it just comes down to Microsoft making a dns server implementation that's "good enough" and nothing more.
Will it work for you? I've seen some large companies make it work. But they did so by making it more BIND-like in its use. Go figure.
I have to say that it works fine. Or you could use another implementation at your discretion and shouldn't think much of it. I don't buy into the idea that it is more surface area for attack and therefore should be run on another platform or separate from my AD. I buy into the idea that without dns I have no AD. It is therefore part of the service called active directory and should run on the same server if I choose. Without guilt.
Al
P.S. I do get the idea that it can lead to a compromise of the AD because it offers another avenue. But be honest, if that's your level of sophistication and you're on my network, I've got way bigger problems and you have much lower hanging fruit if I can't get that right.
On 5/10/07, joe wrote:
wrote:
I think I have said similar things but I chose a normal fork. :)
My favorite deployments have DNS nowhere near Windows and running with a very dedicated and knowledgeable DNS team.
At some point the message of "AD is really dependent on DNS" became corrupted to be "AD and DNS go together like peas and carrots". It simply isn't true. AD is even more dependent on the network itself than it is on DNS; does that mean AD should be underpinning all of the switches and routers? Gosh I hope not.
Ah, an appliance helps, but hopefully it is still going to be monitored; it is likely just a *nix box without a keyboard port and last I looked those folks still had patches too. However, being focused on a task, that helps dramatically. Just like reducing the number of services running on DCs does. :)
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't have 550+ more servers to address.
I can see that a lot do go with the M$ model, bread and butter of things, but others don't.
DNS infrastructure has gone from BIND, to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly.
So back to the grind, it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS...
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch
Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products; I recall patching my old RSTS/E systems, but back then a patch was often more of a manual process, you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.
> one less headache to deal with.
I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.
> sorry for most customers that just isn't coming close to reality
I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT customers live in the MSFT reality and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it and actually they call it the Bread and Butter. I mentioned it in one of my other posts, for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS; most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.
That being said, if you have DNS understanding and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI and even MSFT DNS, if you were ever even there, is a very valid thing to do.
joe
joe
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots,
EdwardSent: Thursday, May 10, 2007 8:33 AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
(Golf
Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read
and understood my comments.
I keep
reading this discussion and all I hear is AD-Int DNS is the best thing since
slice bread, and its got new features. Other side, we hear of what is
happening in the trenches, how the RPC's problem with DNS from last month was
definitely a literal kick in the balls to those that enabled AD-Int
DNS.There was a nice elaborate and realistic discussion of how to
exploit the DNS problem with traditional attack methods, to trully obtain evil
results. And in the face of all this Deji, you still advocating AD-Int DNS,
and adding an addtional role to the DC's and with that adding addtional risk,
and possible unknown, undiscovered vulnerabilities in M$ DNS service.
This is
why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft,
because they are viewing solution and ideas through there own idealistic
eutopia and sorry for most customers that just isn't coming close to reality.
You have to know your own risks, and the best way to mitigate them, the vendor
can't do everything for you, nor should you let them. Nor does everything the
vendor say is correct, or even valid for your organization, bussiness, or
what-not.
I think we
all have trully beat perverbal dead horse into the ground, and we probably
just need a topic change before it starts to get a little out of
control.
Checking
out, I have a DHCP server to convert off Windows today, which means one-less
infrastructure system to patch, one less headache to deal with. Probably soon
DNS will be converted, I guess 2 out of 3 aint bad.
Cheers,
EZ
Edward E. Ziots Network Engineer Lifespan
Organization MCSE,MCSA,MCP+I,M.E
,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of
joeSent: Thursday, May 10, 2007 8:23 AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Topic
shift Deji, try to keep up... :)
Read back
through the thread. I would say we should have changed the subject but it
never changed to "Why you shouldn't use ADI DNS" in the first place so I find
I am not concerned.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe,
DejiSent: Thursday, May 10, 2007 1:07 AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
And will this be as a
result of integrating DNS into AD? I say no, because I know that you can still
do bad things regardless of the DNS flavor or its complete separation from AD.
This, to me, negates the argument that you should not AD-integrate DNS because
of security "issues".
Sincerely,
_____
(, / |
/)
/) /) /---|
(/_ ______ ___// _ // _ )
/ |_/(__(_) //
(_(_)(/_(_(_/(__(/_(_/
/)
(/ Microsoft MVP - Directory
Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you
were worried about Yesterday? -anon
From: Eric FleischmanSent: Wed
5/9/2007 8:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Bad things can happen if I
own your DNS. This DL is not an appropriate forum for such a discussion. But
you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
joeSent: Wednesday, May 09, 2007 6:47 PM To: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Oh true, I am not completely on
board with the necessity of secure updates. I hear a lot of noise around it
and how someone can own your forest with it but can't visualize a realistic
attack vector in that realm to gain access that likely wouldn't be easier to
manage in some other way. I'd like to think I am not a complete retard in this
but I just don't see it and I have yet to have found anywhere anyone who could
point to even an accidental attack which we used to see on a regular basis
with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues
when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS, other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs, has been this recent DNS vuln, which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries; you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for this...
Rocky, tried to respond to your email, but it bounced with a 550 access denied
from netherworld.jws.com
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Totally agree. If you are
comparing AD integrated DNS with some other solution that also does secure
dynamic updates, that's a great convo I'd love to be part of. But I want to
make sure…do we agree that secure dynamic updates (or no dynamic updates, ie
you manage it yourself) are a min bar requirement? I have not gotten the sense
that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
I don't cut bait, I just don't
agree that MSFT is the only company that knows how to do some form of secure
DDNS updates.
--
O'Reilly Active Directory Third
Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
The argument for AD
integrated DNS, as I understand it, is around dynamic update. Replication is
all well and good (maybe it is better than xfer, maybe not, I really don't
know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve this?
I know joe cuts bait on dynamic updates….I'm of the opinion (based on masses
of PSS data over the last 7 years) that most customers cannot do this. So how
do you achieve it? Or do you just accept the lack of security on this front?
After we tease apart that
one, I'd like to discuss your circular replication argument
further.
From: ActiveDir-owner@mail.activedir.org On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month from Microsoft land on this, that and the other service or offering, the less you can have on your DCs and infrastructure systems, and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run.
Also, it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now; it's probably in metasploit, ENCASE and other pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...
EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
I don't yet get this logic,
please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Sorry to jump in here, but I am understanding
that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
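Two of the points argued in the thread above, Eric Fleischman's question whether secure dynamic update (or no dynamic update at all) is a minimum bar, and Edward Ziots' point that a DC without the DNS Server service was not exposed to the MS07-029 RPC interface bug, are things you can inventory rather than argue about. The following PowerShell script is an added example, not code from the thread, from any of its posters or from Microsoft. It needs the DnsServer and ActiveDirectory RSAT modules (Windows Server 2012 R2 or later, so not the 2007-era tooling the posters used, whose equivalent is dnscmd /enumzones and dnscmd <dc> /zoneinfo <zone>), lists every primary zone on every domain controller with its dynamic update mode, and flags DCs that carry the DNS role. The $DcFilter parameter, the Get-ZoneFinding helper and the output layout are assumptions made for illustration. The RpcProtocol registry value is the one the MS07-029 workaround used to restrict DNS management to local procedure calls; it is named here from memory of that bulletin, so verify the value name and meaning against the bulletin before acting on that column.

```powershell
# Added example, not code from the thread. Audits (1) which primary zones
# accept unsecured dynamic updates and (2) which domain controllers also run
# the DNS Server service (and with it the DNS RPC management interface that
# MS07-029 hit). Requires the DnsServer and ActiveDirectory RSAT modules and
# an account that can read DNS server configuration on every DC.

[CmdletBinding()]
param(
    # Assumption for illustration: audit every DC the caller can enumerate.
    [string]$DcFilter = '*'
)

Import-Module DnsServer -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ZoneFinding {
    param($Zone)
    # Windows DNS offers 'Secure' only for AD-integrated zones; a file-backed
    # primary can only be 'None' or 'NonsecureAndSecure'.
    switch ($Zone.DynamicUpdate) {
        'Secure' { return 'OK: secure dynamic update only' }
        'None'   { return 'OK: no dynamic update (records managed by hand)' }
        'NonsecureAndSecure' {
            if ($Zone.IsDsIntegrated) {
                return 'FINDING: AD-integrated zone still accepts unsecured updates'
            }
            return 'FINDING: file-backed zone accepts unsecured updates (Secure needs AD integration)'
        }
        default { return "Unknown DynamicUpdate value '$($Zone.DynamicUpdate)'" }
    }
}

$rows = foreach ($dc in (Get-ADDomainController -Filter $DcFilter)) {
    $server = $dc.HostName

    # Presence of the DNS Server service is what puts the DNS RPC interface
    # on this DC at all.
    $dnsSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'" `
                -ComputerName $server -ErrorAction SilentlyContinue
    if (-not $dnsSvc) {
        [pscustomobject]@{ Server = $server; Zone = '-'; ADIntegrated = $null
                           DynamicUpdate = '-'; Finding = 'DC without DNS role' }
        continue
    }

    # RpcProtocol = 4 limits DNS management to local procedure calls; this was
    # the MS07-029 workaround. Assumption: value name as given in that
    # bulletin; confirm it there before relying on this column.
    $rpc = Invoke-Command -ComputerName $server -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
            -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol
    }
    $rpcNote = if ($rpc -eq 4) { 'remote RPC management disabled' } else { 'remote RPC management enabled' }
    [pscustomobject]@{ Server = $server; Zone = '(service)'; ADIntegrated = $null
                       DynamicUpdate = '-'; Finding = "DNS role present ($($dnsSvc.State)); $rpcNote" }

    # One row per primary zone hosted on this DC, skipping the auto-created
    # zones (localhost, 0.in-addr.arpa and friends).
    Get-DnsServerZone -ComputerName $server -ErrorAction SilentlyContinue |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Server        = $server
                Zone          = $_.ZoneName
                ADIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                Finding       = Get-ZoneFinding -Zone $_
            }
        }
}

$rows | Sort-Object Server, Zone | Format-Table -AutoSize
$findings = @($rows | Where-Object { $_.Finding -like 'FINDING:*' })
Write-Host ("{0} zone(s) accept unsecured dynamic updates." -f $findings.Count)
exit ([int]($findings.Count -gt 0))
```

The exit code makes the script usable as a scheduled check: it returns 1 whenever any primary zone is still in NonsecureAndSecure mode, which is the "dumbed down for legacy systems" state the thread describes. The per-DC service row tells you which DCs would have been in scope for the MS07-029 RPC bug, independent of whether their zones are AD-integrated.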
davewade
Posts: 119
05/14/2007 6:18 AM
Al,
Perhaps one point to note is that I would guess that many folks rolled out this DNS when AD was new and BIND's auto dynamic update capability was untested. At the time AD DNS was the safe solid choice. We have now moved on so perhaps it's time to re-evaluate, but in 2000 I think AD DNS was the right choice.
Dave.
From: ActiveDir-owner@mail.activedir.org On Behalf Of Al Mulnick
Sent: 12 May 2007 02:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
That's the one I was looking for in this conversation. :)
DNS - is it a core part of AD or not? You'll have to answer that question prior to getting to the idea that it should be secure updates or not. Before you get too far down that road, please show me a company that has been in business longer than 10 years, has more than 5K machines and has them all using secure DNS. More likely they have dumbed down the zone to allow for "legacy" systems. Until that gets addressed, the secure DNS idea is a dead end.
Once you get past all of that, the only two merits left are management and reliability.
In reverse order: reliability comes from the code being solid and the replication being strong. We get that in ADI DNS, but we can get that elsewhere at no additional cost. Truth be told, we really get our best results when the l-admins know what they're doing. I run across very few that understand DNS well enough to operate it, let alone design the name resolution systems. Size seems to invert that result in that the larger shops have less of a handle on name resolution. Could be the years of abuse that they have had to endure. Could be the drinking and medications. At any rate, layer 8 is another discussion I'm sure. But the idea that your DNS is solid comes from your design foundation.
Management: Hmm... management of ADI DNS is not very good for large environments. Let's be honest, it could be a lot better, but I think that Microsoft never intended to have the best DNS on the market. It's free for crying out loud (well, included anyway). It could be better and everyone knows it. dnscmd? Um. Right. Auditing? Well, yes, some things can be done, but it can be very difficult to manage in a large multi-writeable distributed environment, especially for somebody used to a different topology. In the end, I think it just comes down to Microsoft making a DNS server implementation that's "good enough" and nothing more.
Will it work for you? I've seen some large companies make it work. But they did so by making it more BIND-like in its use. Go figure.
I have to say that it works fine. Or you could use another implementation at your discretion and shouldn't think much of it. I don't buy into the idea that it is more surface area for attack and therefore should be run on another platform or separate from my AD. I buy into the idea that without DNS I have no AD. It is therefore part of the service called Active Directory and should run on the same server if I choose. Without guilt.
Al
P.S. I do get the idea that it can lead to a compromise of the AD because it offers another avenue. But be honest, if that's your level of sophistication and you're on my network, I've got way bigger problems and you have much lower hanging fruit if I can't get that right.
On 5/10/07, joe
wrote:
I think I have said similar things but I chose a normal fork. :)
My favorite deployments have DNS nowhere near Windows and running with a very dedicated and knowledgeable DNS team.
At some point the message of "AD is really dependent on DNS" became corrupted to be "AD and DNS go together like peas and carrots". It simply isn't true. AD is even more dependent on the network itself than it needs DNS; does that mean AD should be underpinning all of the switches and routers? Gosh I hope not.
Ah, an appliance helps, but hopefully is still going to be monitored; it is likely just a *nix box without a keyboard port and last I looked those folks still had patches too. However being focused on a task, that helps dramatically. Just like reducing the number of services running on DCs does. :)
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address.
I can see that a lot do go with the M$ model, bread and butter of things, but others don't.
DNS infrastructure has gone from BIND to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly.
So back to the grind; it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS...
Z
Edward E. Ziots Network Engineer Lifespan
Organization MCSE,MCSA,MCP+I,M.E ,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
> Checking out, I have a DHCP server to convert off Windows today, which means one-less infrastructure system to patch

Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products; I recall patching my old RSTS/E systems, but back then a patch was often more of a manual process: you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.

> one less headache to deal with.

I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.

> sorry for most customers that just isn't coming close to reality

I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT customers live in the MSFT reality, and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it, and actually they call it, the Bread and Butter. I mentioned it in one of my other posts: for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things, I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS; most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.
That being said, if you have DNS understanding, and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI, and even from MSFT DNS if you were ever even there, is a very valid thing to do.
joe
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. Other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs, and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in M$ DNS service.
This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and sorry, for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted; I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots Network Engineer Lifespan
Organization MCSE,MCSA,MCP+I,M.E ,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have changed the subject but it never changed to "Why you shouldn't use ADI DNS" in the first place so I find I am not concerned.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
And will this be as a
result of integrating DNS into AD? I say no, because I know that you can
still do bad things regardless of the DNS flavor or its complete separation
from AD. This, to me, negates the argument that you should not AD-integrate
DNS because of security "issues".
Sincerely,
_____
(, / |
/)
/) /) /---| (/_ ______ ___// _ // _ )
/ |_/(__(_) //
(_(_)(/_(_(_/(__(/_(_/
/)
(/ Microsoft MVP - Directory
Serviceswww.akomolafe.com- we know
IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: Eric FleischmanSent: Wed
5/9/2007 8:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Bad things can happen if I
own your DNS. This DL is not an appropriate forum for such a discussion. But
you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joeSent: Wednesday, May 09, 2007 6:47 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Oh true, I am not completely
on board with the necessity of secure updates. I hear a lot of noise around
it and how someone can own your forest with it but can't visualize a
realistic attack vector in that realm to gain access that likely wouldn't be
easier to manage in some other way. I'd like to think I am not a complete
retard in this but I just don't see it and I have yet to have found anywhere
anyone who could point to even an accidental attack which we used to see on
a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an
open discussion about actual attack methodshere in this forum because
if there is something real out there that just hasn't made it onto the RADAR
of anyone who tends to write exploits against things such that they have
done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take
my lack of understanding of a possible hole there as it being safe, but I do
look at the global knowledge level here and how serious MSFT may or may not
be about secure updates (i..e only being offered with one config and it not
being the default OS config) andthen make some judgements on relative
likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest
threat to come through DNS other than the various and numerousissues
that have occurred through the years due toADI DNS dork ups and bugs
has been this recent DNS vuln which was far more dangerous to environments
running ADI DNS than any other environment. In fact if you ran ADI DNS in an
enterprise with distributed DNS Admin delegation, this issue was a
positively serious kick square in the balls for choosing that model.It
wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route
past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for this...
Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com
--
O'Reilly Active Directory
Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 6:49
PMTo: ActiveDir@mail.activedir.org Subject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Totally agree. If you are
comparing AD integrated DNS with some other solution that also does secure
dynamic updates, that's a great convo I'd love to be part of. But I want to
make sure…do we agree that secure dynamic updates (or no dynamic updates, ie
you manage it yourself) are a min bar requirement? I have not gotten the
sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joeSent: Wednesday, May 09, 2007 2:05 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
I don't cut bait, I just don't
agree that MSFT is the only company that knows how to do some form of secure
DDNS updates.
--
O'Reilly Active Directory
Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 3:37
PMTo: ActiveDir@mail.activedir.org Subject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is
all well and good (maybe it is better than xfer, maybe not, I really don't
know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve
this? I know joe cuts bait on dynamic updates….I'm of the opinion (based on
masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security
on this front?
After we tease apart that
one, I'd like to discuss your circular replication argument
further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 9:44
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
Eric,
Better DNS servers? DNS is
DNS, whether AD integrated or Primary, Secondary, its basically the same. I
am saying that for troubleshooting its just easier to have primary/secondary
and place your DNS where you need them, instead of having it tied to a DC,
and thus add another infrastructure role to the domain controllers, when its
not always needed.
I know M$ wants you to do AD
integrated DNS, since they think its the best thing since sliced bread, but
down in the trenches where the work gets done and the problems get solved,
its not always the best choice. I personally don't see why you need to have
your DNS and AD on the same replication scheme, if something breaks in replication is it AD or is it DNS, you have no physical seperation of the
two, so you start going in loops.
And given the flaws we keep
getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DC' and
Infrastructure systems and the better you hardnen them from the start the
better off you will be. This DNS RPC interface issue was just an example,
and I am sure the security researchers out there are going to find more, and
again makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how
long to create a patch to fix this, but the exploit code has been out for
quite a while, and I am sure some hacker has coded a working exploit by now,
its probably in metasploit, ENCASE and other Pentest products, so point and
click and fire away at the DC's with DNS, if you haven't protected yourself.
Just my take on the situation,
not saying that AD Integrated DNS isnt a viable option, but think of this
you wonder why Internet DNS in on BIND, and its not AD integrated or even
M$and its spread throughout the world...
EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 12:26
PMTo: ActiveDir@mail.activedir.org Subject: RE:
[ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
I don't yet get this logic,
please explain it to me like I'm an idiot.
The primary/secondary road
ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than having use AD
integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 8:23
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommissioning of the DCs a little more of a task than it needs to be; not impossible, and not a regular event in most environments, but still, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views; administrators will do what they feel comfortable with, but I have been running primary and secondary DNS, with tertiary DNS at a third site, for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots, Network Engineer, Lifespan Organization, MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but am I understanding that you both are recommending avoiding AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with, say, 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots, Network Engineer, Lifespan Organization, MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: eziots@lifespan.org cell: 401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
-- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer | | | |
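As an added, defender-side example that is not from the thread: a PowerShell inventory of which DCs also carry the DNS server role (the exposure Ed describes above, since a DC was only reachable through MS07-029 if it ran the DNS server) together with each zone's dynamic update mode. It assumes the ActiveDirectory and DnsServer modules, which postdate this 2007 thread; dnscmd would have been the era's way to read the same settings.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory and
# DnsServer PowerShell modules (Windows Server 2012+ / RSAT); run it from an
# account that can read every DC's DNS configuration.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DcDnsExposure {
    # One row per (DC, zone); a DC without a reachable DNS server gets a single row.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        try {
            # Throws when the DNS Server role is absent or its RPC endpoint is
            # unreachable, i.e. the "fewer roles on the DC" state argued for above.
            $zones = Get-DnsServerZone -ComputerName $name -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                DC = $name; Zone = '-'; Type = '-'; DsIntegrated = '-'
                DynamicUpdate = '-'; Finding = 'no DNS server role reachable on this DC'
            }
            continue
        }
        # Auto-created zones (localhost, 0.in-addr.arpa, ...) carry nothing worth reviewing.
        foreach ($z in ($zones | Where-Object { -not $_.IsAutoCreated })) {
            if ($z.ZoneType -ne 'Primary') {
                $finding = 'not writable here (secondary/stub/forwarder)'
            } elseif ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
                # The zone "dumbed down for legacy systems": any client can rewrite
                # records. AD-integrated zones can be switched to Secure instead;
                # file-backed primaries have no secure option at all.
                $finding = 'WEAK: accepts unauthenticated dynamic updates'
            } elseif ($z.DynamicUpdate -eq 'None') {
                $finding = 'static zone, records managed by hand'
            } else {
                # 'Secure' is only offered for AD-integrated zones.
                $finding = 'ok: secure dynamic update only'
            }
            [pscustomobject]@{
                DC = $name; Zone = $z.ZoneName; Type = $z.ZoneType
                DsIntegrated = $z.IsDsIntegrated; DynamicUpdate = $z.DynamicUpdate
                Finding = $finding
            }
        }
    }
}

# Every DC that carries the DNS role is a DC whose DNS patch state matters too.
Get-DcDnsExposure | Sort-Object DC, Zone | Format-Table -AutoSize
```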
| amulnick
Posts:163
 | | 05/14/2007 12:04 PM |
| I can think of several shops I've been in where it is not possible to use secure dynamic updates. Here are my thoughts:
AD DNS may still be a valid approach. If you're a Microsoft-only shop, then why wouldn't you use it? Integrated? Sure. That way you get the better replication (xfer has been problematic in environments where integrated has worked quite well) and better, shinier authentication for a host to update its own record. That might prove useful to you in preventing people from taking over your forest as ~ alluded to (OT: kind of like the artist formerly known as Prince, right? We know who I'm talking about anyway.) But what if you introduce one *nix machine? Whoops. It doesn't understand how to update its record securely. Well, it might, but it has no way to do that because, oh yeah, it has no account with which to do this. If you were to configure accounts for each one and run the DNS updates under that account, then you'd still have a problem where that shared account/password is going to get out and about, or you'll outstrip the complexity factor vs. doing the records manually. Either way, you'll thereby dilute your security stance. But I digress. One host is manageable via manual methods. Very few are able to manually manage 300+ *nix hosts well. Nor should they. That's why dynamic updates were invented, if I recall correctly. So now you have to look for a solution of tradeoffs. Do I sub the AD domain and make a separate domain for *nix so I can have easier authenticated dynamic DNS records? Do I just host it all on a *nix host and be done with it? Both? Do I dumb down one system and keep my administrivia low? What are the tradeoffs for security? Does that impact my reliability and is it worth it? Those questions have been around since the beginning because dynamic update was a selling point for Microsoft DNS. Microsoft DNS is pretty good. Some would say good enough. And it does work well for the domain controllers at the very least.
But BIND can do the same thing for you. It is DNS after all, and although the requirements call for dynamic DNS, it's not really needed if you really must do it differently. (Note: supported could be a different conversation.) BIND is pretty good. Some might say it's good enough (seem familiar?). To be honest, I've never found a time when I had to go exclusively with either. Security of updates aside, I've yet to see an environment outside of the lab where that's practical. Now or in 2000. In the end, the security of secure updates is a consideration and nothing more, because if it doesn't work in my environment I have already created a DoS and really didn't need somebody else to come along and do it for me.
Al
On 5/14/07, Dave Wade wrote:
Al,
Perhaps one point to note is that I would guess that many folks rolled out this DNS when AD was new and BIND's auto dynamic update capability was untested. At the time AD DNS was the safe, solid choice. We have now moved on, so perhaps it's time to re-evaluate, but in 2000 I think AD DNS was the right choice.
Dave.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: 12 May 2007 02:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
That's the one I was looking for in this conversation. :)
DNS - is it a core part of AD or not? You'll have to answer that question prior to getting to the idea that it should be secure updates or not. Before you get too far down that road, please show me a company that has been in business longer than 10 years, has more than 5K machines and has them all using secure DNS. More likely they have dumbed down the zone to allow for "legacy" systems. Until that gets addressed, the secure DNS idea is a dead end.
Once you get past all of that, the only two merits left are management and reliability.
In reverse order: reliability comes from the code being solid and the replication being strong. We get that in ADI DNS, but we can get that elsewhere at no additional cost. Truth be told, we really get our best results when the l-admins know what they're doing. I run across very few that understand DNS well enough to operate it, let alone design the name resolution systems. Size seems to invert that result in that the larger shops have less of a handle on name resolution. Could be the years of abuse that they have had to endure. Could be the drinking and medications. At any rate, layer 8 is another discussion I'm sure. But the idea that your DNS is solid comes from your design foundation.
Management: Hmm... management of ADI DNS is not very good for large environments. Let's be honest, it could be a lot better, but I think that Microsoft never intended to have the best DNS on the market. It's free for crying out loud (well, included anyway). It could be better and everyone knows it. dnscmd? Um. Right. Auditing? Well, yes, some things can be done, but it can be very difficult to manage in a large multi-writeable distributed environment, especially for somebody used to a different topology. In the end, I think it just comes down to Microsoft making a DNS server implementation that's "good enough" and nothing more.
Will it work for you? I've seen some large companies make it work. But they did so by making it more BIND-like in its use.
Go figure. I have to say that it works fine. Or you could use another implementation at your discretion and shouldn't think much of it. I don't buy into the idea that it is more surface area for attack and therefore should be run on another platform or separate from my AD. I buy into the idea that without DNS I have no AD. It is therefore part of the service called Active Directory and should run on the same server if I choose. Without guilt.
Al
P.S. I do get the idea that it can lead to a compromise of the AD because it offers another avenue. But be honest, if that's your level of sophistication and you're on my network, I've got way bigger problems and you have much lower hanging fruit if I can't get that right.
On 5/10/07, joe wrote:
I think I have said similar things but I chose a normal fork. :)
My favorite deployments have DNS nowhere near Windows and running with a very dedicated and knowledgeable DNS team.
At some point the message of "AD is really dependent on DNS" became corrupted to "AD and DNS go together like peas and carrots". It simply isn't true. AD is even more dependent on the network itself than it is on DNS; does that mean AD should be underpinning all of the switches and routers? Gosh I hope not.
Ah, an appliance helps, but hopefully is still going to be monitored; it is likely just a *nix box without a keyboard port, and last I looked those folks still had patches too. However, being focused on a task helps dramatically. Just like reducing the number of services running on DCs does. :)
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Well the new DHCP is an appliance, so yep, I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address.
I can see that a lot do go with the M$ model, bread and butter of things, but others don't.
DNS infrastructure has gone from BIND to M$ (2k and 2k3), just never to the AD-INT model; much prefer to put DNS on other dedicated systems and troubleshoot accordingly.
So back to the grind; it's been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS...
Z
Edward E. Ziots, Network Engineer, Lifespan Organization, MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+ email: eziots@lifespan.org cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch
Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products; I recall patching my old RSTS/E systems, but back then a patch was often more of a manual process: you pulled out a raw file editor and changed actual bytes in the file, or you ran a special tool to import a blob.
> one less headache to deal with.
I would accept "a different type of headache". Again, this isn't about MSFT versus the world. Or vice versa.
> sorry for most customers that just isn't coming close to reality
I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT's customers live in the MSFT reality, and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it, and actually they call it, the Bread and Butter. I mentioned it in one of my other posts: for the bread and butter, full MSFT ADI DNS is very likely the best answer for them, because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things, I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work, and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS: most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.
That being said, if you have DNS understanding, and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI, and even from MSFT DNS if you were ever even there, is a very valid thing to do.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. On the other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this, Deji, you are still advocating AD-Int DNS, adding an additional role to the DCs and with that adding additional risk and possible unknown, undiscovered vulnerabilities in the M$ DNS service.
This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia, and sorry, for most customers that just isn't coming close to reality. You have to know your own risks and the best way to mitigate them; the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted; I guess 2 out of 3 ain't bad.
Cheers, EZ
Edward E. Ziots, Network Engineer, Lifespan Organization, MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+ email: eziots@lifespan.org cell: 401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have changed the subject but it never changed to "Why you shouldn't use ADI DNS" in the first place so I find I am not concerned.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".
Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it, but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it, and I have yet to have found anywhere anyone who could point to even an accidental attack, which we used to see on a regular basis with WINS and misconfigured SAMBA, and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum, because if there is something real out there, it just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc. I have seen code examples for, and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise, and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS, other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs, has been this recent DNS vuln, which was far more dangerous to environments running ADI DNS than any other environment. In fact, if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries; you had LocalSystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, i.e. you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it. So, how do you achieve this? I know joe cuts bait on dynamic updates.... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?
After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS; whether AD integrated or primary/secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC and thus adding another infrastructure role to the domain controllers when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DC' and Infrastructure systems and the better you hardnen them from the start the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, its probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DC's with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isnt a viable option, but think of this you wonder why Internet DNS in on BIND, and its not AD integrated or even M$and its spread throughout the world...
EZ
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 12:26 PMTo: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution I don't yet get this logic, please explain it to me like I'm an idiot. The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than having use AD integrated DNS, and pointing DCs to a subset of anointed "better" DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 8:23 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication, if something is broken in AD replication scheme its going to affect your DNS as well, which also affects alot more of your infrastructure.
Secondly, it makes decommission of the DC's a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles ( DHCP, WINS, DNS, DC) should be seperate and redundant as per good network design ( PhysicalSite redundancy is what I am driving at here)
These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for there DNS services would probably see the reasoning in it.
Z
Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security + email:eziots@lifespan.org cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of DannySent: Wednesday, May 09, 2007 10:50 AMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote: I can find no fault in that paragraph. :)--O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm-----Original Message-----From: ActiveDir-owner@mail.activedir.org [mailto: ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, EdwardSent: Wednesday, May 09, 2007 8:57 AM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code ExecutionFunny part if you can call it a funny part is that your DC's wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limitsthe attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilites to boot. This is whay I am never in the favor of putting multiple infrastructureroles on any one system, especially a DC.ZEdward E. Ziots Network EngineerLifespan OrganizationMCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +email:eziots@lifespan.org cell:401-639-3505-----Original Message-----From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, May 08, 2007 11:21 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code ExecutionExchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included.Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....joe wrote:> Nice and handy that it just so happened to be all wrapped up and done > for the May patch release so someone didn't have to get a knock on the> head inside of MSFT for two out of band patches in a month... 
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer