Re: DNS Server Refuses Updates from DHCP
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Fri, 3 Nov 2006 22:18:59 -0800
"Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in message
news:uxre6s7$GHA.4844@xxxxxxxxxxxxxxxxxxxxxxx
> Will wrote:
>> "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in
>> message news:ep5Hi#0$GHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
>>> Will wrote:
>>>> I really hate to run services as domain accounts, since Microsoft
>>>> stores the passwords of such accounts in system memory as clear
>>>> text, and it's a common hacker trick when doing a buffer overload
>>>> on a service to grab those accounts and passwords and use them for
>>>> further attacks. Would there be any way to run the DHCP service
>>>> as one of the reserved accounts like Network Service?
>>> You do not need to run the DHCP service as a domain account. Right
>>> click on the server in the DHCP console, select properties, select
>>> the Advanced tab, click the credentials button, and enter a dedicated
>>> user account's credentials. This user need not be a member of any
>>> special group, but all DHCP servers must use the same credentials,
>>> and I recommend a strong non-expiring password. This account is used
>>> by DHCP to take ownership of records it registers, so it can update
>>> the record when the IP changes and remove the records when the lease
>>> expires.
>>> I also recommend adding Windows 2000 and Microsoft option 002, which
>>> will release the lease when the client is shut down. Windows clients
>>> do not normally release their IP lease on shutdown and will attempt
>>> to use the IP again when it starts.
>> Thanks for this additional information. Can you help me understand
>> what good is a local (non-domain) account for the DHCP server in
>> helping to authenticate its privilege level to the domain controller?
> Do not use a local non-domain account for the DHCP server to authenticate
> with DNS; create a dedicated domain user account with no special
> privileges.
Right, but my response was (per the quoted section above) to your saying that I
did "NOT need to run the DHCP service as a domain account..."
So now I am back to square one (top quoted section): I hate to run any
service accounts that are domain accounts, because if the service can be
compromised by a buffer overload, Windows stores the password in unencrypted
form in system memory and hackers use that fact to then gain entrance to a
domain. I had asked what is the minimum permission required for this
domain account to run the DHCP service.
> Why are you bucking all recommendations by many users and Microsoft
> themselves to use a dedicated user account to update DNS?
Because, like 80% of Microsoft's default configurations, it isn't secure, and
that fact is often exploited by hackers. If I have no choice, then I have
no choice and I'll do it. So I would simply like to know what are the
minimum permissions that the DHCP account needs to have in the domain.
--
Will
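One way to apply Kevin's recommendation from the quoted section in PowerShell rather than through the DHCP console (an added example, not from this thread): create a plain domain user with no group membership beyond the defaults and a non-expiring password, set it as the DNS dynamic-update credential on every DHCP server, and add option 002 in both the Windows 2000 and Microsoft vendor classes. It assumes the ActiveDirectory and DhcpServer PowerShell modules; the domain, account and server names are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 or later
# with the ActiveDirectory and DhcpServer modules, run by an admin who may
# create users and manage the DHCP servers.
Import-Module ActiveDirectory
Import-Module DhcpServer

$DnsDomain     = 'corp.example'                                  # placeholder
$NetbiosDomain = 'CORP'                                          # placeholder
$AccountName   = 'svc-dhcp-dns'                                  # placeholder
$DhcpServers   = @('dhcp01.corp.example', 'dhcp02.corp.example') # placeholders

# Strong random password; it only ever exists as a SecureString in this session.
$Password = ConvertTo-SecureString -AsPlainText -Force -String (
    -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
)

# Dedicated user: no special group, password never expires, user cannot change it.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$DnsDomain" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP DNS dynamic update credential (no special rights)'

$Cred = New-Object System.Management.Automation.PSCredential (
    "$NetbiosDomain\$AccountName", $Password
)

foreach ($Server in $DhcpServers) {
    # Every DHCP server must use the same credential so any of them can
    # update or remove the records this account owns.
    Set-DhcpServerDnsCredential -ComputerName $Server -Credential $Cred

    # Option 002 (release lease on shutdown) in both vendor classes Kevin names.
    foreach ($VendorClass in 'Microsoft Windows 2000 Options', 'Microsoft Options') {
        Set-DhcpServerv4OptionValue -ComputerName $Server `
            -VendorClass $VendorClass -OptionId 2 -Value 1
    }

    # Confirm which account the server will now register records with.
    Get-DhcpServerDnsCredential -ComputerName $Server
}
```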