Re: DHCP security breach

all authenticated users can create RRs in DNS zones.

so if you configure your DHCP with a SIMPLE user account (not special) only
that account will be able to update the RRs (and all other security
principals in the ACL, which are admins and the DCs)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<boomboom999@xxxxxxxxx> wrote in message
news:1150350124.426194.91760@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Roger,

I agree with you that theoretically I can preserve integrity of
important DNS records by preventing DHCP from rewriting them. But in
practice, what can I do?

Microsoft recommends to run DHCP under a low privilege account.
I am wondering why Microsoft omits in their docs any recommendations on
ACL that this account must have on DNS zones.

Suppose, I have one zone with 4000 workstations and 300 servers. The
DHCP server acts under a specific AD account. I do not want to tweak
ACLs on every single record in my DNS zone.

What permissions should I give to the DHCP account on my DNS zone?

May be something like this?

Domain Computers = Create child objects
CREATOR/OWNER = Full Control



.

Relevant Pages

  • Re: DNS Server Refuses Updates from DHCP
    ... DHCP scope properties for the DHCP server to authenticate with the ... Is the only requirement for the domain account that runs DHCP that it ... enter a dedicated user account credentials. ...
    (microsoft.public.windows.server.dns)
  • Re: Windows DNS Server and non-microsoft clients
    ... properties, select the Advanced tab, click the Credentials button, ... enter the credentials for a dedicated user account that should ... is optional and is a security risk if you give the account to many ... I have found that if DHCP registers for even the Domain members that are ...
    (microsoft.public.windows.server.dns)
  • Re: DNS Server Refuses Updates from DHCP
    ... By default the memebers of the Authenticated users have the Permissions to create all child objects under Dns Zone, and this is one of other groups with less permissions defined by default in the Zone properties. ... I guess that if you don't want to take MS advise you can create another AD account and give that account permissions to create all child objects under the zone properties and that should be enough. ... Would there be any way to run the DHCP service ...
    (microsoft.public.windows.server.dns)
  • Re: DHCP and private IPs
    ... It is some W2k3 server thingy, which doesn't get automatically the admin ... account for authorizing DHCP. ...
    (microsoft.public.windows.server.sbs)
  • Re: DHCP user gets Account Disabled error frequently
    ... account but later mention disjion/rejoin the pc to the domain which is the ... DHCP in of itself would have nothing to do with either. ... Dave Patrick ....Please no email replies - reply in newsgroup. ... this location that we have this problem and only with this one laptop. ...
    (microsoft.public.win2000.general)