The security risk I’m going to talk about today is quite common in Microsoft system implementations, especially when the systems are managed by an inexperienced network administrator.
If you are familiar with the Microsoft DNS architecture, you know that it allows dynamic updates of host (A) and pointer (PTR) resource records in its DNS zones. These updates can be made either directly by the clients or by a DHCP server on their behalf when it assigns an IP address to the client.
When the DHCP server updates resource records on behalf of clients, the DHCP server becomes the owner of those records, and only that DHCP server can update them again. This creates two problems:
- If the DHCP server fails for any reason, the next DHCP server cannot update the previously created resource records in DNS the way the old server did.
- If we upgrade legacy clients whose records were updated by the DHCP server to a version of Windows that can perform dynamic updates itself, they still will not be able to update their records, because those records are owned by the DHCP server.
The usual solution is to add the DHCP server to the security group called DnsUpdateProxy. Once you do so, the resource records it registers will not have any owner. Leaving it this way is a big security risk, because any attacker with even remote access to the DNS server can query that server and take ownership of the records.
The worst part of this condition is that even the A or PTR record of the DHCP server itself is at risk. Suppose an attacker takes ownership of the A record of your DHCP server in DNS: he can then easily change the IP address to point at a fake DHCP server, redirect the clients to it, and put the whole network at stake.
The solution to this configuration problem is to create a dedicated user account and configure the DHCP server to use it, so that the DHCP server uses this account to claim ownership of the A and PTR records of the resources inside the network. To configure the dedicated account, right-click the server in the DHCP console, select Properties, go to the Advanced tab, click the Credentials button, and enter the credentials of the dedicated user account.
All the DHCP servers must use these same credentials; then, if the current DHCP server fails, you only need to enter the same credentials on the new DHCP server.
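The same checks and the same fix can be scripted. The PowerShell below is an added example, not code from the original post: it reports which DHCP servers sit in DnsUpdateProxy, shows which credentials each one uses for dynamic DNS updates, sets the dedicated account on all of them, and then lists existing records in the zone that are still owned by DnsUpdateProxy or writable by any authenticated user. The server names DHCP01 and DHCP02, the domain corp.example, the zone corp.example, the account CORP\svc-dhcp-dns and the DomainDnsZones storage of the zone are all assumptions for the example.

```powershell
# Added example (not from the post). Assumed names: DHCP servers DHCP01/DHCP02,
# AD domain corp.example, zone corp.example, dedicated account CORP\svc-dhcp-dns.
#Requires -Modules DhcpServer, ActiveDirectory

$DhcpServers = @('DHCP01', 'DHCP02')
$Zone        = 'corp.example'
$DnsAccount  = 'CORP\svc-dhcp-dns'

# 1. Which DHCP servers are members of DnsUpdateProxy? Records they register
#    end up with no owner, which is the condition described above.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($srv in $DhcpServers) {
    if ("$srv`$" -in $proxyMembers) {
        Write-Warning "$srv is a member of DnsUpdateProxy; records it registers will have no owner."
    }
}

# 2. Which credentials does each DHCP server currently use for DNS updates?
#    (This is what the Credentials button on the Advanced tab configures.)
foreach ($srv in $DhcpServers) {
    $cred = Get-DhcpServerDnsCredential -ComputerName $srv
    if (-not $cred.UserName) {
        Write-Warning "$srv has no dedicated DNS update credentials configured."
    } else {
        "$srv registers DNS records as $($cred.DomainName)\$($cred.UserName)"
    }
}

# 3. Configure the same dedicated account on every DHCP server, so that a
#    replacement server can keep updating the records the old one created.
$Credential = Get-Credential -UserName $DnsAccount -Message 'Password for the DHCP DNS update account'
foreach ($srv in $DhcpServers) {
    Set-DhcpServerDnsCredential -ComputerName $srv -Credential $Credential
}

# 4. Audit records already in the zone: flag those owned by DnsUpdateProxy or
#    granting write/take-ownership rights to Authenticated Users or Everyone.
#    Assumes an AD-integrated zone stored in the DomainDnsZones partition; adjust
#    the DN for ForestDnsZones or for zones stored in the domain partition.
$zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"
$weak = foreach ($rec in Get-ADObject -SearchBase $zoneDn -Filter 'objectClass -eq "dnsNode"') {
    $acl = Get-Acl -Path "AD:\$($rec.DistinguishedName)"
    $openWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Authenticated Users|Everyone' -and
        $_.ActiveDirectoryRights -match 'GenericWrite|WriteDacl|WriteOwner|GenericAll'
    }
    if ($acl.Owner -match 'DnsUpdateProxy' -or $openWrite) {
        [pscustomobject]@{ Record = $rec.Name; Owner = $acl.Owner; OpenWrite = [bool]$openWrite }
    }
}
$weak | Format-Table -AutoSize
```

Run it from a machine with the DHCP and Active Directory RSAT modules installed, as an account allowed to read the DHCP server settings and the DNS zone objects. Records reported in step 4 were registered before the dedicated account was in place; re-registration by the client (or by the DHCP server on its next lease renewal) is what moves them under the new owner, and the audit can be re-run afterwards to confirm the list is empty.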
Wish you all the best