Author: listmail (Posts: 454)
Posted: 05/10/2007 8:58 AM
The point is that there are lots of possible attack vectors, you need to weigh them as accurately as possible and try to assign risk to them and deal with them as such. If we took away every possible security vector, all of our machines would be embedded in 6'x6' solid cubes of titanium. So with the reality of the situation that you are not going to remove every risk, we must define the level of risk and what we consider to be acceptable.

To me, opening the additional surface areas on DCs is far more of a risk factor than insecure update capability. This isn't just DNS on a DC, this is any additional services that don't directly provide auth/authz but provide additional external interfaces or, as I call it, attack surface. It applies to services from MSFT as well as drivers, agents, and services from other vendors. The security model of Windows is such that if you can get something running locally, you have blown by a great deal if not most of the security in place. The fact that most of these services seem to be running in localsystem is just a great big step to help attack and increases risk further.

If you look at the risk level of, say, this published vulnerability that started this thread, even MSFT considers the risk high enough that they have to publish a bulletin about it; critical if I recall. I think if non-secured DDNS is this insecure, we should see a security bulletin as well and at the very least MSFT would disallow DCs from a client aspect from registering to a non-secured DDNS or, better yet, all of their DDNS server options would offer secure updates. I am not saying there is no risk, but I am questioning what the risk really is because the guidance doesn't seem to match the concern and I don't want to believe that MSFT would let us hang our collective asses that much into the breeze.

Looking at this, and again I don't expect you or anyone to say this is the problem step by step, I don't see anything other than DOS that is readily apparent or even apparent after looking at it for a while. There absolutely could be something there but we are talking about a product with a general product support group [1] (i.e. admins) that can't even figure out how a Domain Admin in one domain can compromise other domains in the same forest; anything really subtle or requiring deep kerberos knowledge just isn't coming up on my radar as something that is highly risky until I start seeing at least some level of chatter about it in the places I lurk or seeing some real level of concern out of MSFT. Obviously I could be missing something and there could be a huge big boogie monster hiding behind it that is jumping out in production orgs and has been, but if so, I would expect the guidance to be MUCH stronger in regards to DDNS as well as the commitment to providing it outside of ADI DDNS. Also I know a lot of very smart people, I would expect more would be considerably more nervous about it if they saw something I didn't.

And for everyone reading this... For the record, Eric has been very clear that this is a real issue. My point is that a caldera (super volcano) shooting up out of Yellowstone is also a real issue. How will you let that force you to change what you do?

joe

[1] By this I mean general pool of admins and consultants. There are quite a lot of bright folks who figured this out all by themselves but they are dwarfed by the number of people who don't think it can be done and that is with something that the number of people who have done this or seen it done is really pretty high.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Thursday, May 10, 2007 12:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The point is just that you want to remove these things, not justify that because one exists you can let them all in. And of course, some are easier than others.
~Eric
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I agree that the DL isn't the appropriate place which is why I said that specifically. :)

As for the rest... Bad things can happen if I can do network tracing on your network. You should assume that I can do bad things to your forest if I can trace your network.

Where do we stand now? No insecure DDNS and no network. :)

Or... I just don't let you on my network. None of the other AD "experts" I have spoken with seem so positive about their ability to compromise my forest just by me not using ADI Secure DDNS.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack which we used to see on a regular basis with WINS and misconfigured SAMBA and I easily overcame those SAMBA issues when encountered.

Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.

In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?

joe

P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that’s a great convo I’d love to be part of. But I want to make sure…do we agree that secure dynamic updates (or no dynamic updates, ie you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don't cut bait, I just don't agree that MSFT is the only company that knows how to do some form of secure DDNS updates.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don’t know), but the secure dynamic update part is the goodness side of it.

So, how do you achieve this? I know joe cuts bait on dynamic updates….I’m of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?

After we tease apart that one, I’d like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Eric,

Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.

I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.

And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run. Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.

Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$ and it's spread throughout the world...

EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

I don’t yet get this logic, please explain it to me like I’m an idiot.

The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed “better” DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.

Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.

Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (Physical Site redundancy is what I am driving at here).

These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS, tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.

I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?

On 5/9/07, joe <listmail@joeware.net> wrote:
I can find no fault in that paragraph. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
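Eric's minimum bar in the quoted exchange (secure dynamic updates, or none at all) is a per-zone setting that a defender can audit rather than argue about. The block below is an added example, not code from this thread or from any of its authors; it assumes the DnsServer PowerShell module (Windows Server 2012 and later, so it postdates the 2007 discussion) and uses dc01.corp.example as a placeholder server name.

```powershell
# Added example, not from the thread. Requires the DnsServer module
# (Windows Server 2012+ or RSAT). Audits the primary zones on one DNS
# server and reports every zone whose DynamicUpdate setting is
# "NonsecureAndSecure", i.e. any host that can reach the server can add
# or overwrite records without authenticating. Secure updates are only
# offered on AD-integrated zones, which is the trade-off joe and Eric
# argue about above; file-backed zones can only be set to None.

function Get-InsecureDynamicUpdateZone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DNS server to audit; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME,

        # When set, switch AD-integrated zones to Secure-only updates.
        # Non-integrated zones cannot do Secure updates, so they are
        # only reported, never changed.
        [switch]$Remediate
    )

    # Skip secondary/stub/forwarder zones (no updates land there) and
    # the auto-created localhost/loopback zones.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        if ($zone.DynamicUpdate -ne 'NonsecureAndSecure') { continue }

        if ($zone.IsDsIntegrated) {
            $advice = 'Set DynamicUpdate to Secure'
        } else {
            $advice = 'Set DynamicUpdate to None and manage records yourself, ' +
                      'or move the zone to AD-integrated storage'
        }

        $finding = [pscustomobject]@{
            Server         = $ComputerName
            Zone           = $zone.ZoneName
            DsIntegrated   = $zone.IsDsIntegrated
            DynamicUpdate  = $zone.DynamicUpdate
            Recommendation = $advice
        }

        # Optional fix, gated by -WhatIf/-Confirm through ShouldProcess.
        if ($Remediate -and $zone.IsDsIntegrated -and
            $PSCmdlet.ShouldProcess("$($zone.ZoneName) on $ComputerName",
                                    'Set DynamicUpdate=Secure')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName `
                -Name $zone.ZoneName -DynamicUpdate Secure
            $finding.DynamicUpdate = 'Secure (changed)'
        }

        $finding
    }
}

# Report only (placeholder server name):
Get-InsecureDynamicUpdateZone -ComputerName dc01.corp.example | Format-Table -AutoSize

# Dry run of the fix, then the real change:
# Get-InsecureDynamicUpdateZone -ComputerName dc01.corp.example -Remediate -WhatIf
# Get-InsecureDynamicUpdateZone -ComputerName dc01.corp.example -Remediate
```

Run it against every DNS server rather than one, since each server's zones (and, for file-backed zones, their update setting) can differ.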
Author: listmail (Posts: 454)
Posted: 05/10/2007 8:58 AM
Yeah I just don't see a lot of Server Core SBS servers in the near future... Well unless you count those Novell boxes...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, May 10, 2007 1:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Well server core isn't SBS friendly period....nor is SBS the poster child of how to set up secure DNS. I was just asking more along the lines if there was a similar listserve to BIND-User for the Windows world.

Akomolafe, Deji wrote:
>>> is there a "DNS" only security listserve like BIND has?)

There is a bunch of DNS-related mailing lists on lists.oarci.net but they are not DNS-on-Windows-centric. And not typically SBS-friendly, if you know what I mean ;)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 5/9/2007 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

http://iase.disa.mil/stigs/checklist/DNS-Checklist-V3R1-1.pdf

Vulnerability Discussion: A vulnerability in the underlying operating system of a DNS server could potentially impact not only the DNS server but the entire network infrastructure to include the Global Information Grid (GIG).

Checks: DNS0170 Review the Operating System against the appropriate OS STIG. For a Windows system this would mean an evaluation with the Gold Disk; for a UNIX/LINUX system this would mean an evaluation using the SRR scripts. STIG compliance means that all findings are either closed, or there is a POA&M to address any outstanding vulnerabilities.

Fixes: DNS0170 The underlying Operating System of the DNS server must be in compliance with the appropriate OS STIG.

Vulnerability Discussion: Whether running the latest version of software or an earlier version, the administrator should be aware of the vulnerabilities, exploits, security fixes, and patches for the version that is in operation in the enterprise.

Check: DNS0190 If the site is using BIND, interview the SA to determine if they have subscribed to ISC’s mailing list called “bind-announce” (information on the Internet at http://www.isc.org/sw/bind/bindlists.php) for vulnerabilities and software notifications.

Fix: DNS0190 If BIND is utilized, the SA will subscribe to ISC’s mailing list called “bind-announce” (information on the Internet at http://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.

Comments: .... looks like keeping aware goes a long way to keeping a DNS server safe

(stupid question alert when DNS servers are on server core and what not... is there a "DNS" only security listserve like BIND has?)

Akomolafe, Deji wrote:
And will this be as a
result of integrating DNS into AD? I say no, because I know that you can
still do bad things regardless of the DNS flavor or its complete separation
from AD. This, to me, negates the argument that you should not AD-integrate
DNS because of security "issues".
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric FleischmanSent: Wed
5/9/2007 8:34 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Bad
things can happen if I own your DNS. This DL is not an appropriate forum for
such a discussion. But you should assume that I can do bad things to your
forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joeSent: Wednesday, May 09, 2007 6:47
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Oh
true, I am not completely on board with the necessity of secure updates. I
hear a lot of noise around it and how someone can own your forest with it
but can't visualize a realistic attack vector in that realm to gain access
that likely wouldn't be easier to manage in some other way. I'd like to
think I am not a complete retard in this but I just don't see it and I have
yet to have found anywhere anyone who could point to even an accidental
attack which we used to see on a regular basis with WINS and misconfigured
SAMBA and I easily overcame those SAMBA issues when encountered.
Certainly
I don't expect an open discussion about actual attack methodshere in
this forum because if there is something real out there that just hasn't
made it onto the RADAR of anyone who tends to write exploits against things
such that they have done anything around it. Other attacks on forests etc I
have seen code examples for and not just stuff I have written. And certainly
I can't take my lack of understanding of a possible hole there as it being
safe, but I do look at the global knowledge level here and how serious MSFT
may or may not be about secure updates (i..e only being offered with one
config and it not being the default OS config) andthen make some
judgements on relative likelihood of possible compromise and the numbers
just don't come up as giving me much fear in the realm of insecure
updates.
In
my experience, the biggest threat to come through DNS other than the various
and numerousissues that have occurred through the years due
toADI DNS dork ups and bugs has been this recent DNS vuln which was
far more dangerous to environments running ADI DNS than any other
environment. In fact if you ran ADI DNS in an enterprise with distributed
DNS Admin delegation, this issue was a positively serious kick square in the
balls for choosing that model.It wasn't the idea that you get control
of the DNS Service and then start pumping in bad DNS entries, you had
localsystem on the DC and just did whatever the heck you felt like doing.
Why take a nice scenic hack route past old windmill road when the door to
the gold is sitting wide open?
joe
P.S.
And sorry for this... Rocky, tried to respond to your email, but it bounced
with a 550 access denied from netherworld.jws.com
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 6:49
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Totally
agree. If you are comparing AD integrated DNS with some other solution that
also does secure dynamic updates, that’s a great convo I’d love to be part
of. But I want to make sure…do we agree that secure dynamic updates (or no
dynamic updates, ie you manage it yourself) are a min bar requirement? I
have not gotten the sense that you really buy in to this argument
yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of joeSent: Wednesday, May 09, 2007 2:05
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
I
don't cut bait, I just don't agree that MSFT is the only company that knows
how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Eric FleischmanSent: Wednesday, May 09, 2007 3:37
PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
The
argument for AD integrated DNS, as I understand it, is around dynamic
update. Replication is all well and good (maybe it is better than xfer,
maybe not, I really don’t know), but the secure dynamic update part is the
goodness side of it.
So,
how do you achieve this? I know joe cuts bait on dynamic updates….I’m of the
opinion (based on masses of PSS data over the last 7 years) that most
customers cannot do this. So how do you achieve it? Or do you just accept
the lack of security on this front?
After
we tease apart that one, I’d like to discuss your circular replication
argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, it's basically the same. I am saying that for troubleshooting it's just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when it's not always needed.
I know M$ wants you to do AD integrated DNS, since they think it's the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, it's not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme; if something breaks in replication, is it AD or is it DNS? You have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DCs and Infrastructure systems and the better you harden them from the start, the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again it makes admin lives harder, but our systems more secure in the long run.
Also, it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, it's probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DCs with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and it's not AD integrated or even M$, and it's spread throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
I don’t yet get this logic, please explain it to me like I’m an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed “better” DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication? If something is broken in the AD replication scheme it's going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DCs a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles (DHCP, WINS, DNS, DC) should be separate and redundant as per good network design (physical site redundancy is what I am driving at here).
These are just my views, administrators will do what they feel comfortable with, but I have been running primary, secondary DNS and tertiary DNS at a third site for years and not had many problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I've got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject:
Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could
Allow Remote,Code Execution
Sorry to jump in here, but I am understanding that you both are recommending to avoid AD-integrated DNS where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Funny part, if you can call it a funny part, is that your DCs wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....
joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done for the May patch release so someone didn't have to get a knock on the head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at http://www.sbsdiva.com/....
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
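The exchange above turns on two checkable questions: whether every zone meets Eric's "secure dynamic updates or no dynamic updates" bar, and whether a DC is carrying the DNS role with the MS07-029 fix (KB935966, the bulletin number quoted in the thread) outstanding. The following PowerShell audit is an added example, not code from the thread, from Microsoft or from any list member. It assumes Windows Server 2012 or later (the DnsServer module and PowerShell 3 or newer); the function names are this example's own. The `RpcProtocol = 4` check reflects the workaround Microsoft published with the bulletin (restricting DNS management RPC to local LPC), which the thread itself does not quote; confirm it against the bulletin before relying on it. On servers newer than the 2007-era ones discussed, the KB935966 check simply reports the update as absent, so read that part as the pattern for checking whichever DNS update is current.

```powershell
# Added example: not code from the thread, from Microsoft or from any list member.
# Audits the local Windows DNS server for the points argued above.
# Assumes Windows Server 2012 or later (DnsServer module, PowerShell 3+).
# Function names are this example's own. Run from an elevated prompt.

function Get-DnsZoneUpdateRisk {
    # Reports every primary zone against the "secure dynamic updates or no
    # dynamic updates" bar from the thread. DynamicUpdate is one of
    # None, NonsecureAndSecure or Secure; Secure is only offered on
    # AD-integrated zones, which is exactly the trade-off the thread argues over.
    [CmdletBinding()]
    param([switch]$Remediate)   # switch NonsecureAndSecure ADI zones to Secure

    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $meetsBar = $_.DynamicUpdate -in @('Secure', 'None')
            if (-not $meetsBar -and $Remediate -and $_.IsDsIntegrated) {
                # Secure is rejected on file-backed zones; for those the only
                # setting that meets the bar is None (you manage records yourself).
                Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure
                $meetsBar = $true
            }
            [pscustomobject]@{
                Zone          = $_.ZoneName
                ADIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                MeetsMinBar   = $meetsBar
            }
        }
}

function Test-DnsRoleExposure {
    # Edward's attack-surface point: is the DNS service running on a DC, and is
    # either the MS07-029 update (KB935966) or the bulletin's published
    # workaround (RpcProtocol = 4, DNS management RPC over local LPC only) in place?
    [CmdletBinding()]
    param()

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc       = $domainRole -in @(4, 5)
    $dnsSvc     = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $dnsRunning = ($null -ne $dnsSvc) -and ($dnsSvc.Status -eq 'Running')
    $patched    = $null -ne (Get-HotFix -Id KB935966 -ErrorAction SilentlyContinue)
    $rpcProto   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                                    -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDc
        DnsServiceRunning  = $dnsRunning
        KB935966Installed  = $patched
        RpcProtocol        = $rpcProto
        # Exposed: DNS RPC reachable on a DC with neither the fix nor the workaround.
        ExposedDcDns       = $isDc -and $dnsRunning -and (-not $patched) -and ($rpcProto -ne 4)
    }
}

# Usage: run both audits and show the results.
Test-DnsRoleExposure | Format-List
Get-DnsZoneUpdateRisk | Format-Table -AutoSize
```

`Get-DnsZoneUpdateRisk -Remediate` only touches AD-integrated zones, because `Secure` is not a valid setting for file-backed primaries; a file-backed zone with `NonsecureAndSecure` has to be moved to `None` (static records) or to an AD-integrated zone, which is the decision the thread is about.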
| listmail
Posts:454
 | | 05/10/2007 9:23 AM |
> Checking out, I have a DHCP server to convert off Windows today,
> which means one-less infrastructure system to patch
Gosh I hope not, unless you mean it becomes someone else's responsibility to patch it. Patches obviously aren't new to Microsoft products, I recall patching my old RSTS/E systems but back then a patch was often more of a manual process, you pulled out a raw file editor and changed actual bytes in the file or you ran a special tool to import a blob.
> one less headache to deal with.
I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.
> sorry for most customers that just isn't coming close to reality
I am afraid I can't sit with this one very well either. I would say that in fact most of MSFT's customers live in the MSFT reality and when you are talking about most of the MSFT customers, you are talking about most of the world. We call it and actually they call it the Bread and Butter. I mentioned it in one of my other posts, for the bread and butter, full MSFT ADI DNS is very likely the best answer for them because the level of understanding isn't such that they could or even should spend the time building an alternate DNS model. In terms of covering up details so folks without deep core understanding can run things I think MSFT does an amazing job. Look at Kerberos, they made it a real going concern. Prior to that you either needed to be dedicated to figuring out how to make it work or you needed to be at an EDU and had all sorts of time to burn trying to make it work and none of them solved the issues with multi-realm or auto-ticket renewal or anything like that, meaning it really wasn't a feasible technology for the masses. Kerberos on *nix is not only difficult, it can be downright painful. The same can be said of DNS, most MSFT customers should not be mucking with it because most MSFT customers don't have the background or understanding in it to muck with it. These are the same customers who would almost certainly be working just fine on WINS right now.
That being said, if you have DNS understanding and especially if you are large and have a robust DNS infrastructure that existed well before MSFT started playing there, looking at moving from ADI and even MSFT DNS if you were ever even there is a very valid thing to do.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and it's got new features. Other side, we hear of what is happening in the trenches, how the RPC problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you are still advocating AD-Int DNS, and adding an additional role to the DCs and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in M$ DNS service. This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solutions and ideas through their own idealistic utopia and sorry for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them, the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beaten the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have changed the subject but it never changed to "Why you shouldn't use ADI DNS" in the first place so I find I am not concerned.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Oh true, I am not completely on board with the necessity of secure updates. I hear a lot of noise around it and how someone can own your forest with it but can't visualize a realistic attack vector in that realm to gain access that likely wouldn't be easier to manage in some other way. I'd like to think I am not a complete retard in this but I just don't see it and I have yet to have found anywhere anyone who could point to even an accidental attack, which we used to see on a regular basis with WINS and misconfigured SAMBA, and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S. And sorry for this... Rocky, tried to respond to your email, but it bounced with a 550 access denied from netherworld.jws.com
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| habr
Posts:25
 | | 05/10/2007 9:24 AM |
| STIG ID: DNS0415 [Page 47 of 141] of that document [1]
Looks like Deji is OK to me.
RH
[1] Where in Blue Blazes do you find all this stuff Susan ?!
______________________________________________________________
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 10 May, 2007 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
http://iase.disa.mil/stigs/checklist/DNS-Checklist-V3R1-1.pdf
Vulnerability Discussion: A vulnerability in the underlying operating system of a DNS server could potentially impact not only the DNS server but the entire network infrastructure to include the Global Information Grid (GIG).
Checks: DNS0170 Review the Operating System against the appropriate OS STIG. For a Windows system this would mean an evaluation with the Gold Disk; for a UNIX/LINUX system this would mean an evaluation using the SRR scripts. STIG compliance means that all findings are either closed, or there is a POA&M to address any outstanding vulnerabilities.
Fixes: DNS0170 The underlying Operating System of the DNS server must be in compliance with the appropriate OS STIG.
Vulnerability Discussion: Whether running the latest version of software or an earlier version, the administrator should be aware of the vulnerabilities, exploits, security fixes, and patches for the version that is in operation in the enterprise.
Check: DNS0190 If the site is using BIND, interview the SA to determine if they have subscribed to ISC's mailing list called bind-announce (information on the Internet at http://www.isc.org/sw/bind/bindlists.php) for vulnerabilities and software notifications.
Fix: DNS0190 If BIND is utilized, the SA will subscribe to ISC's mailing list called bind-announce (information on the Internet at http://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.
Comments: ....
looks like keeping aware goes a long way to keeping a DNS server safe (stupid question alert when DNS servers are on server core and what not... is there a "DNS" only security listserve like BIND has?)
Akomolafe, Deji wrote:
And will this be as a
result of integrating DNS into AD? I say no, because I know that you can
still do bad things regardless of the DNS flavor or its complete separation
from AD. This, to me, negates the argument that you should not AD-integrate
DNS because of security "issues".
Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric Fleischman
Sent: Wed 5/9/2007 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Bad things can happen if I own your DNS. This DL is not an appropriate forum for such a discussion. But you should assume that I can do bad things to your forest if I own your DNS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Oh
true, I am not completely on board with the necessity of secure updates. I
hear a lot of noise around it and how someone can own your forest with it
but can't visualize a realistic attack vector in that realm to gain access
that likely wouldn't be easier to manage in some other way. I'd like to
think I am not a complete retard in this but I just don't see it and I have
yet to have found anywhere anyone who could point to even an accidental
attack which we used to see on a regular basis with WINS and misconfigured
SAMBA and I easily overcame those SAMBA issues when encountered.
Certainly I don't expect an open discussion about actual attack methods here in this forum because if there is something real out there that just hasn't made it onto the RADAR of anyone who tends to write exploits against things such that they have done anything around it. Other attacks on forests etc I have seen code examples for and not just stuff I have written. And certainly I can't take my lack of understanding of a possible hole there as it being safe, but I do look at the global knowledge level here and how serious MSFT may or may not be about secure updates (i.e. only being offered with one config and it not being the default OS config) and then make some judgements on relative likelihood of possible compromise and the numbers just don't come up as giving me much fear in the realm of insecure updates.
In my experience, the biggest threat to come through DNS other than the various and numerous issues that have occurred through the years due to ADI DNS dork ups and bugs has been this recent DNS vuln which was far more dangerous to environments running ADI DNS than any other environment. In fact if you ran ADI DNS in an enterprise with distributed DNS Admin delegation, this issue was a positively serious kick square in the balls for choosing that model. It wasn't the idea that you get control of the DNS Service and then start pumping in bad DNS entries, you had localsystem on the DC and just did whatever the heck you felt like doing. Why take a nice scenic hack route past old windmill road when the door to the gold is sitting wide open?
joe
P.S.
And sorry for this... Rocky, tried to respond to your email, but it bounced
with a 550 access denied from netherworld.jws.com
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Totally agree. If you are comparing AD integrated DNS with some other solution that also does secure dynamic updates, that's a great convo I'd love to be part of. But I want to make sure... do we agree that secure dynamic updates (or no dynamic updates, ie you manage it yourself) are a min bar requirement? I have not gotten the sense that you really buy in to this argument yet.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, May 09, 2007 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I
don't cut bait, I just don't agree that MSFT is the only company that knows
how to do some form of secure DDNS updates.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
The argument for AD integrated DNS, as I understand it, is around dynamic update. Replication is all well and good (maybe it is better than xfer, maybe not, I really don't know), but the secure dynamic update part is the goodness side of it.
So, how do you achieve this? I know joe cuts bait on dynamic updates... I'm of the opinion (based on masses of PSS data over the last 7 years) that most customers cannot do this. So how do you achieve it? Or do you just accept the lack of security on this front?
After we tease apart that one, I'd like to discuss your circular replication argument further.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Eric,
Better DNS servers? DNS is DNS, whether AD integrated or Primary, Secondary, its basically the same. I am saying that for troubleshooting its just easier to have primary/secondary and place your DNS where you need them, instead of having it tied to a DC, and thus add another infrastructure role to the domain controllers, when its not always needed.
I know M$ wants you to do AD integrated DNS, since they think its the best thing since sliced bread, but down in the trenches where the work gets done and the problems get solved, its not always the best choice. I personally don't see why you need to have your DNS and AD on the same replication scheme, if something breaks in replication is it AD or is it DNS, you have no physical separation of the two, so you start going in loops.
And given the flaws we keep getting each and every month, from Microsoft land on this, that and the other service, or offering, the less you can have on your DC' and Infrastructure systems and the better you harden them from the start the better off you will be. This DNS RPC interface issue was just an example, and I am sure the security researchers out there are going to find more, and again makes admin lives harder, but our systems more secure in the long run.
Also it takes Microsoft how long to create a patch to fix this, but the exploit code has been out for quite a while, and I am sure some hacker has coded a working exploit by now, its probably in metasploit, ENCASE and other Pentest products, so point and click and fire away at the DC's with DNS, if you haven't protected yourself.
Just my take on the situation, not saying that AD Integrated DNS isn't a viable option, but think of this: you wonder why Internet DNS is on BIND, and its not AD integrated or even M$, and its spread throughout the world...
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Wednesday, May 09, 2007 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
I don't yet get this logic, please explain it to me like I'm an idiot.
The primary/secondary road ends up taking you to a place where you point DCs at the subset of DNS servers you end up creating. How is this better than using AD integrated DNS, and pointing DCs to a subset of anointed better DNS servers?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
AD and its replication and functions are dependent on DNS being correctly configured. If you follow the logic of not having all your eggs in one basket, then the following will make sense.
Why would you want to have both your DNS and AD together on the same box, and integrated into the AD replication, if something is broken in AD replication scheme its going to affect your DNS as well, which also affects a lot more of your infrastructure.
Secondly, it makes decommission of the DC's a little more of a task than it needs to be, not impossible, and not a regular event in most environments, but still again, infrastructure roles ( DHCP, WINS, DNS, DC) should be separate and redundant as per good network design ( Physical Site redundancy is what I am driving at here)
These are just my views, administrators will do what they feel comfortable with but I have been running primary, secondary DNS tertiary DNS at a third site for years and not had much problems with DNS replication, uptime and minimal troubleshooting, plus I know if my primary site gets hit I got critical infrastructure elsewhere that can continue to service the organization in case of issues.
I think in the age of DR, this isn't a bad way to go, and I am sure most of the folks that still run BIND for their DNS services would probably see the reasoning in it.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Danny
Sent: Wednesday, May 09, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Sorry to jump in here, but I
am understanding that you both are recommending to avoid AD-integrated DNS
where possible?
On 5/9/07, joe wrote:
I can find no fault in that paragraph. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Wednesday, May 09, 2007 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Funny part if you can call it a funny part is that your DC's wouldn't have been vulnerable if you didn't have AD-Integrated DNS. Which limits the attack surface quite a bit when you are dealing with say 2-3 DNS servers instead of multiple DNS servers with DC responsibilities to boot. This is why I am never in the favor of putting multiple infrastructure roles on any one system, especially a DC.
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 08, 2007 11:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

Exchange one is the one I'm eyeing up this month. IE7 has the printing fixes for IE7 included. Don't forget the Word and Office patches for the workstations.... and WSUS 3.0 is out ...and....

joe wrote:
> Nice and handy that it just so happened to be all wrapped up and done
> for the May patch release so someone didn't have to get a knock on the
> head inside of MSFT for two out of band patches in a month...
>
> Also nice to have DCs in a state of having unmanageable services or
> exposed to exploits in enterprise environments I think.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, May 08, 2007 1:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC
> Interface Could Allow Remote,Code Execution
>
> MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow
> Remote Code Execution (935966)
> http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
> Max Severity: Critical
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx

--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
--
CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
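The disagreement quoted in the thread above (Eric Fleischman treating secure dynamic update as a minimum bar, Ed Ziots preferring file-backed primary/secondary zones off the DCs) comes down to a per-zone setting on Windows DNS. The following is an added example, not code from the thread or from any of its participants: a PowerShell audit that lists each primary zone's dynamic update mode and flags zones that accept unauthenticated updates. It assumes the DnsServer module's Get-DnsServerZone cmdlet (Windows Server 2012 and later, so newer than the servers discussed here); the zone objects in the block are constructed so the function runs offline.

```powershell
# Added example (not from the thread): audit Windows DNS primary zones for
# their dynamic-update setting. Assumes the DnsServer module's
# Get-DnsServerZone output shape (ZoneName, ZoneType, IsDsIntegrated,
# DynamicUpdate) on Windows Server 2012 or later.

function Get-ZoneUpdateFinding {
    param([Parameter(Mandatory)][object[]]$Zones)

    foreach ($z in $Zones) {
        # Secondary, stub and forwarder zones never accept dynamic updates
        # directly; only primary zones need to be assessed.
        if ($z.ZoneType -ne 'Primary') { continue }

        $finding = switch ($z.DynamicUpdate) {
            'Secure'             { 'OK: secure updates only (only available on AD-integrated zones)' }
            'None'               { 'OK: dynamic update disabled, records managed by hand' }
            'NonsecureAndSecure' { 'FINDING: any host on the network can add or overwrite records' }
            default              { "UNKNOWN: DynamicUpdate='$($z.DynamicUpdate)'" }
        }

        [pscustomobject]@{
            Zone          = $z.ZoneName
            DsIntegrated  = [bool]$z.IsDsIntegrated
            DynamicUpdate = $z.DynamicUpdate
            Result        = $finding
        }
    }
}

# Constructed sample data standing in for real cmdlet output, so the audit
# runs offline. On a live server replace it with:
#   $zones = Get-DnsServerZone -ComputerName dc01
$sampleZones = @(
    [pscustomobject]@{ ZoneName = 'corp.example';    ZoneType = 'Primary';   IsDsIntegrated = $true;  DynamicUpdate = 'Secure' }
    [pscustomobject]@{ ZoneName = 'lab.example';     ZoneType = 'Primary';   IsDsIntegrated = $false; DynamicUpdate = 'NonsecureAndSecure' }
    [pscustomobject]@{ ZoneName = 'static.example';  ZoneType = 'Primary';   IsDsIntegrated = $false; DynamicUpdate = 'None' }
    [pscustomobject]@{ ZoneName = 'partner.example'; ZoneType = 'Secondary'; IsDsIntegrated = $false; DynamicUpdate = 'None' }
)

Get-ZoneUpdateFinding -Zones $sampleZones | Format-Table -AutoSize
```

On Windows DNS the Secure setting is only offered for AD-integrated zones; a file-backed primary zone can be set to None or NonsecureAndSecure only. That is the trade-off the thread is arguing about: keeping DNS off the domain controllers means either turning dynamic update off and maintaining records by hand, or accepting unauthenticated updates, and the audit above makes the second case visible as a finding.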
| EZiots
Posts:31
 | | 05/10/2007 9:32 AM |
|
Well the new DHCP is an appliance, so yep I don't have to evaluate patches for the Win2k3 Windows box anymore, which means a little less pain, not like I don't got 550+ more servers to address.
I can see that a lot do go with the M$ model, Bread and butter of things, but others don't.
DNS Infrastructure, has gone from BIND, to M$ ( 2k and 2k3) just never to the AD-INT model, much prefer to put DNS on other dedicated systems and troubleshoot accordingly.
So back to the grind, its been a fun discussion if nothing else, but you have to rip my eyes out with a pitchfork before I go to AD-INT DNS...
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
> Checking out, I have a DHCP server to convert off Windows
today,
> which means one-less infrastructure system to patch
Gosh I
hope not, unless you mean it becomes someone else's responsibility to patch it.
Patches obviously aren't new to Microsoft products, I recall patching my old
RSTS/E systems but back then a patch was often more of a manual process, you
pulled out a raw file editor and changed actual bytes in the file or you ran a
special tool to import a blob.
> one less headache to deal with.
I would accept, a different type of headache. Again, this isn't about MSFT versus the world. Or vice versa.
> sorry for most customers that just isn't coming close to reality
I am
afraid I can't sit with this one very well either. I would say that in fact most
of MSFT customers live in the MSFT reality and when you are talking about most
of the MSFT customers, you are talking about most of the world. We call it and
actually they call it the Bread and Butter. I mentioned it in one of my other
posts, for the bread and butter, full MSFT ADI DNS is very likely the best
answer for them because the level of understanding isn't such that they could or
even should spend the time building an alternate DNS model. In terms of covering
up details so folks without deep core understanding can run things I think MSFT
does an amazing. Look at Kerberos, they made it a real going concern. Prior to
that you either needed to be dedicated to figuring out how to make it work or
you needed to be at an EDU and had all sorts of time to burn trying to make it
work and none of them solved the issues with multi-realm or auto-ticket renewal
or anything like that meaning it really wasn't a feasible technology for the
masses. Kerberos on *nix is not only difficult, it can be downright painful. The
same can be said of DNS, most MSFT customers should not be mucking with it
because most MSFT customers don't have the background or understanding in it to
muck with it. These are the same customers who would almost certainly be working
just fine on WINS right now.
That
being said, if you have DNS understanding and especially if you are large and
have a robust DNS infrastructure that existed well before MSFT started playing
there, looking at moving from ADI and even MSFT DNS if you were ever even there
is a very valid thing to do.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, May 10, 2007 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
(Golf Clap) Way to go Joe. Deji, I replied to you
offline, I am sure you read and understood my comments.
I keep reading this discussion and all I hear is AD-Int DNS is the best thing since sliced bread, and its got new features. Other side, we hear of what is happening in the trenches, how the RPC's problem with DNS from last month was definitely a literal kick in the balls to those that enabled AD-Int DNS. There was a nice elaborate and realistic discussion of how to exploit the DNS problem with traditional attack methods, to truly obtain evil results. And in the face of all this Deji, you still advocating AD-Int DNS, and adding an additional role to the DC's and with that adding additional risk, and possible unknown, undiscovered vulnerabilities in M$ DNS service. This is why I don't drink the M$ kool-aid or subscribe to the rhetoric from Microsoft, because they are viewing solution and ideas through their own idealistic utopia and sorry for most customers that just isn't coming close to reality. You have to know your own risks, and the best way to mitigate them, the vendor can't do everything for you, nor should you let them. Nor is everything the vendor says correct, or even valid for your organization, business, or what-not.
I think we all have truly beat the proverbial dead horse into the ground, and we probably just need a topic change before it starts to get a little out of control.
Checking out, I have a DHCP server to convert off Windows today, which means one-less infrastructure system to patch, one less headache to deal with. Probably soon DNS will be converted, I guess 2 out of 3 ain't bad.
Cheers,
EZ
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, May 10, 2007 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution
Topic shift Deji, try to keep up... :)
Read back through the thread. I would say we should have
changed the subject but it never changed to "Why you shouldn't use ADI DNS" in
the first place so I find I am not concerned. --
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Thursday, May 10, 2007 1:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote,Code Execution

And will this be as a result of integrating DNS into AD? I say no, because I know that you can still do bad things regardless of the DNS flavor or its complete separation from AD. This, to me, negates the argument that you should not AD-integrate DNS because of security "issues".
Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
| | | |