
Major Microsoft DNS bug allows ‘system’-level access, may bite some domain controllers

Forget the cursor flaw: last night's news from Microsoft is a nasty vulnerability in the RPC interface of its Domain Name System (DNS) Server Service that lets a remote attacker run code with SYSTEM privileges. At first glance this may not look like much of an issue; after all, most users do not run the DNS server component on their home machines. For those of us in corporate IT, though, it is a nightmare.

As you may know, Active Directory depends on DNS. It depends on it to the point that, if no DNS server is available when you first create a forest, the AD installation wizard offers to make your first Domain Controller a DNS server. Since a lot of shops set up their network with the defaults, there are a heck of a lot of Domain Controllers out there that also run the DNS Server service and are therefore exposed to this flaw. That means an evil net gremlin wouldn't just get a server: SYSTEM on a Domain Controller means access to the most sensitive information on your network, including the Active Directory database that holds every account and its password hashes. Those hashes are encrypted, but the keys protecting them live on the same machine, so the encryption is no obstacle to someone who already has SYSTEM on the DC.

Microsoft does offer some workarounds, but they all amount to cutting off RPC access to the DNS Server service. The registry workaround (restricting the service to local RPC only, then restarting it) leaves the server answering DNS queries normally, but it kills remote management of DNS: the DNS console and dnscmd stop working from anywhere but the server itself. Since DNS servers are very likely to be scattered geographically, you'd be shooting yourself in the foot to protect your servers from the exploit.

Microsoft also recommends using a firewall to block "all unsolicited inbound traffic on ports between 1024 to 5000." That's not a very good idea on a Domain Controller: that range is where RPC hands out its dynamic endpoints, so the rule would break RPC-based traffic from clients and other DCs, and Remote Desktop (3389) and a host of other applications sit inside it as well. The Microsoft article lists other ways to restrict RPC access to the DNS Service.
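If you decide the registry workaround is the lesser evil for a given server, here is an added example (my script, not code from the article or from Microsoft) that applies it on one host and verifies the result. The registry path and the RpcProtocol value of 4 are Microsoft's documented workaround; the function names, and the reading of the value as a transport bitmask, are my own assumptions. It needs PowerShell installed on the server (a separate download on Windows Server 2003) and an elevated session.

```powershell
# Added example: apply and verify the DNS Server RPC workaround on this host.
# Run elevated on the affected Windows Server. Not from the original article.
#Requires -RunAsAdministrator

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'RpcProtocol'
# Assumption: RpcProtocol is a bitmask of transports the DNS Server service
# accepts management calls over: 1 = TCP/IP, 2 = named pipes, 4 = LPC (local only).
# Microsoft's workaround sets it to 4, so only local callers can reach the interface.
$localOnly = 4

function Test-DnsServerInstalled {
    # The DNS Server service is registered as 'DNS'; if it is absent the host
    # does not run the vulnerable component and nothing needs changing.
    return [bool](Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)
}

function Get-DnsRpcProtocol {
    $item = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: service defaults allow remote RPC
    return [int]$item.$valueName
}

function Set-DnsRpcLocalOnly {
    if (-not (Test-Path $paramsKey)) {
        throw "Registry path $paramsKey not found; is the DNS Server service installed?"
    }
    $before = Get-DnsRpcProtocol
    # -Force creates the value if missing or overwrites it if present.
    New-ItemProperty -Path $paramsKey -Name $valueName -PropertyType DWord `
        -Value $localOnly -Force | Out-Null
    # The service reads RpcProtocol at start-up, so a restart is required.
    # Queries on UDP/TCP 53 are interrupted only for the duration of the restart.
    Restart-Service -Name 'DNS' -Force
    $after = Get-DnsRpcProtocol
    [PSCustomObject]@{
        Before     = $before
        After      = $after
        Restricted = ($after -eq $localOnly)
    }
}

if (-not (Test-DnsServerInstalled)) {
    Write-Host 'DNS Server service not present on this host; nothing to do.'
    return
}

$current = Get-DnsRpcProtocol
if ($current -eq $localOnly) {
    Write-Host "RpcProtocol is already $localOnly (LPC only); remote DNS management is disabled."
} else {
    Write-Host "RpcProtocol is currently '$current' (remote RPC management enabled). Applying workaround..."
    Set-DnsRpcLocalOnly | Format-List
}
```

After this runs, the DNS console and dnscmd will only work when launched on the server itself (or over a Remote Desktop session to it); to undo the workaround once the patch is installed, delete the RpcProtocol value and restart the DNS service again.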

Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2 are all affected. Look for an out-of-cycle security update for this problem soon.