Re: Clients can update records that has been registerd and are owned by DHCP server, why?

From: Ulrik (ulrix_at_hotmail.com)
Date: 02/10/04


Date: Tue, 10 Feb 2004 07:48:38 +0100

How can you tell if a dynamic update is unsecure or secure?
Is the awnser: When looking at a client record on properties, security the
client is added in the permisson list and has the right to 'write'.
(At the records that I'm looking at the owner it is system, but the client
is added as discribed above.)

Thank you all for the awnsers

/Ulrik

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23jlYMj37DHA.2720@TK2MSFTNGP09.phx.gbl...
> "Ulrik" <ulrix@hotmail.com> wrote in message
> news:uhkr4sx7DHA.3860@tk2msftngp13.phx.gbl...
> > Yesterday:
> > Windows 2003 DNS (dynamic dns, only secure updates allowed)
> > Windows 2000 DHCP
> >
> > Today:
> > Windows 2003 DNS (dynamic dns, unsecure and secure updates are allowed)
> > Cisco CNR DHCP
> >
> > Yesterday we had a MS 2000 DHCP server that registered secure dynamic
DNS
> > records for the clients (mostly Windows 2000 clients).
> >
> > Today we have switched over to use a third part DHCP (political
decision),
> > Cisco CNR, and the clients will register them self (if the client can do
> > that, if not the DHCP server will register the client).
> >
> > Before the MS DHCP registered the records with secure updates in dns.
> > (When looking at a client a-recorde security the DHCP server was added
in
> > the permisson list and had the right to 'write')
> >
> > The strange thing is that after switching over to Cisco DHCP, clients
can
> > update their records even if the MS DHCP server is the owner (the server
> is
> > added in the permisson list and have the right to 'write').
> > Ques1: How can this happen? The client schould not be able to modify
this
> > record, if I'm not totaly wrong...
> >
> > Also, the record created when the client make a registration after
getting
> a
> > ip from Cisco CNR is not a secure update and does not add the client
> > computer in the permission list (it register with an unsecure dns
record).
> > Ques2: Why does the client not register with a secure record?
> >
> > Regards
> > Ulrik
> >
>
> Ques1:
> This can happen if the machine running the prior MS
> DHCP (and listed in the perms on the records) is in the
> DnsProxyUpdate group. That is what this group is
> defined to allow to happen.
> Ques2:
> Good question. Maybe things have changed, but I had
> thought Windows machines attempt secured updates and
> then unsecured if the first tried fails.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
>
>