Re: Clients can update records that have been registered and are owned by DHCP server, why?

From: Ulrik (
Date: 02/10/04

Date: Tue, 10 Feb 2004 07:48:38 +0100

How can you tell if a dynamic update is unsecure or secure?
Is the answer: when looking at a client record under Properties, Security, the
client is added in the permission list and has the right to 'write'?
(On the records that I'm looking at, the owner is system, but the client
is added as described above.)

Thank you all for the answers


"Roger Abell" <> wrote in message
> "Ulrik" <> wrote in message
> news:uhkr4sx7DHA.3860@tk2msftngp13.phx.gbl...
> > Yesterday:
> > Windows 2003 DNS (dynamic dns, only secure updates allowed)
> > Windows 2000 DHCP
> >
> > Today:
> > Windows 2003 DNS (dynamic dns, unsecure and secure updates are allowed)
> > Cisco CNR DHCP
> >
> > Yesterday we had a MS 2000 DHCP server that registered secure dynamic
> > records for the clients (mostly Windows 2000 clients).
> >
> > Today we have switched over to use a third-party DHCP (political
> > Cisco CNR, and the clients will register themselves (if the client can do
> > that, if not the DHCP server will register the client).
> >
> > Before the MS DHCP registered the records with secure updates in DNS.
> > (When looking at a client A record's security, the DHCP server was added
> > the permission list and had the right to 'write')
> >
> > The strange thing is that after switching over to Cisco DHCP, clients
> > update their records even if the MS DHCP server is the owner (the server is
> > added in the permission list and has the right to 'write').
> > Ques1: How can this happen? The client should not be able to modify
> > record, if I'm not totally wrong...
> >
> > Also, the record created when the client makes a registration after a
> > IP from Cisco CNR is not a secure update and does not add the client
> > computer in the permission list (it registers with an unsecure dns
> > Ques2: Why does the client not register with a secure record?
> >
> > Regards
> > Ulrik
> >
> Ques1:
> This can happen if the machine running the prior MS
> DHCP (and listed in the perms on the records) is in the
> DnsProxyUpdate group. That is what this group is
> defined to allow to happen.
> Ques2:
> Good question. Maybe things have changed, but I had
> thought Windows machines attempt secured updates and
> then unsecured if the first tried fails.
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
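
The thread checks record ownership and the 'write' entry by opening each record's Security tab; the following added example (not code from any poster in this thread) does the same check across a whole zone. It assumes an AD-integrated zone, the ActiveDirectory PowerShell module, and a placeholder zone distinguished name in `$ZoneDN`; the list of broad groups is also an assumption you should adjust.

```powershell
# Added example: list owner and explicit write ACEs for every record in a zone.
# $ZoneDN is a placeholder; point it at your own AD-integrated zone container.
param(
    [string]$ZoneDN = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com',
    # Assumed list of principals considered too broad to hold write on a record.
    [string[]]$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone')
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# GenericWrite and GenericAll both contain the WriteProperty bit, so testing
# this single bit catches all three without matching read-only ACEs.
$writeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ntAccount = [System.Security.Principal.NTAccount]

Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
             -Filter "objectClass -eq 'dnsNode'" -Properties nTSecurityDescriptor |
ForEach-Object {
    $sd = $_.nTSecurityDescriptor

    # Explicit ACEs only: this is where a registering client or DHCP server
    # account shows up. Inherited zone-level ACEs are not listed here.
    $writers = @(
        $sd.GetAccessRules($true, $false, $ntAccount) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeBit) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    )

    [pscustomobject]@{
        Record           = $_.Name
        Owner            = $sd.GetOwner($ntAccount).Value
        ExplicitWriters  = $writers -join '; '
        # True when any domain member could overwrite this record.
        OpenToBroadGroup = [bool]($writers | Where-Object { $BroadPrincipals -contains $_ })
    }
} |
Sort-Object OpenToBroadGroup -Descending |
Format-Table -AutoSize
```

Records whose only explicit writer is a single computer account are the ones a different host cannot update; rows with `OpenToBroadGroup` set to True are the ones to review first.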
