User sets up a fake-looking OWA web page (OWA just an example) login page on a machine. Sends a DNS update to your DNS server that says the "mail.whatever.com" server's IP has changed to x.x.x.x (x.x.x.x being the IP of the user's dummy machine). User then captures the login info of people logging into OWA (and if he\she is smart, forwards them off in the background to the real OWA server to not draw immediate attention). CEO\CFO, Joe Admin, Joe User's accounts are now compromised when they log in to the OWA page.

Change OWA above for any web page that your users might log into and you can see why this could be a bad thing. A good place to start is to always have at least your servers and network gear set to static with no "dynamic updates".

-----Original Message-----
From: Ajay Kulsh [mailto:[EMAIL PROTECTED]
Sent: Monday, January 07, 2008 6:14 PM
To: NT System Admin Issues
Subject: Re: DNS dynamic updates - Secure vs. Nonsecure

Ken,

That is the definition of nonsecure update - but how can this be harmful, if your network is physically secure?

Jay

----- Original Message -----
From: "Ken Schaefer" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[email protected]>
Sent: Monday, January 07, 2008 4:05 PM
Subject: RE: DNS dynamic updates - Secure vs. Nonsecure

Non-secure updates means that anyone can update a dynamic DNS entry, because there's no workstation level authentication required in order to update the entry. Anyone can create a new entry, and anyone can "update" an existing entry.

Cheers
Ken

-----Original Message-----
From: Ajay Kulsh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 January 2008 7:45 AM
To: NT System Admin Issues
Subject: Re: DNS dynamic updates - Secure vs. Nonsecure

Carl,

Thanks for replying. I had gone thru that long article and still was not sure what is the harm in having nonsecure updates. Also that article does not say why secure updates might fail.

That article also states that "secure dynamic updates functionality can be compromised if the following conditions are true:
- You run a DHCP server on a Windows Server 2003-based domain controller and
- The DHCP server is configured to perform registration of DNS records on behalf of its clients."

As a consultant, I often find DHCP servers configured on DCs and they, by default, register DNS on behalf of clients, so Secure dynamic updates functionality is hardly used...

Jay

----- Original Message -----
From: "Carl Webster" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[email protected]>
Sent: Monday, January 07, 2008 12:21 PM
Subject: Re: DNS dynamic updates - Secure vs. Nonsecure

> http://support.microsoft.com/kb/816592
>
> Webster
>
> ----- Original Message ----
> From: Ajay Kulsh <[EMAIL PROTECTED]>
> Subject: DNS dynamic updates - Secure vs. Nonsecure
>
> Can anyone tell me what is the harm in having "Nonsecure" Dynamic DNS
> updates in Windows 2003 DNS server, if any? For some reason, from some of
> our subnets, clients (thru DHCP server or directly) cannot register their A
> and PTR records with the DNS server if we choose to have Secure Only
> updates, so we have enabled both Secure and Nonsecure. Has anyone had this
> kind of problem before? Thanks.
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
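
An audit for the exposure discussed in this thread, added here as an example and not posted by any of the participants: it flags primary zones that accept nonsecure dynamic updates and reports whether the A records for important names are static or dynamically registered. It assumes the DnsServer PowerShell module (Windows Server 2012 and later, not the Windows 2003 server in the thread), and the host names in `$CriticalNames` are hypothetical.

```powershell
# Added example: audit dynamic-update settings and critical A records.
# Assumes the DnsServer module (Windows Server 2012+ or RSAT).
param(
    [string]$ComputerName = 'localhost',
    # Hypothetical names that should only ever exist as static records
    [string[]]$CriticalNames = @('mail', 'www', 'vpn')
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones accept updates; skip the server's auto-created zones
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    # DynamicUpdate is one of: None, Secure, NonsecureAndSecure
    if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        Write-Warning "$($zone.ZoneName): accepts unauthenticated dynamic updates"
    }
    if ($zone.IsReverseLookupZone) { continue }

    $records = Get-DnsServerResourceRecord -ComputerName $ComputerName `
                   -ZoneName $zone.ZoneName -RRType A |
        Where-Object { $CriticalNames -contains $_.HostName }

    foreach ($r in $records) {
        [pscustomobject]@{
            Zone        = $zone.ZoneName
            Name        = $r.HostName
            Address     = $r.RecordData.IPv4Address
            # Static records carry no timestamp; a timestamp means the
            # record was created or refreshed by a dynamic update
            Dynamic     = [bool]$r.Timestamp
            ZoneUpdates = $zone.DynamicUpdate
        }
    }
}

# Remediation for a flagged AD-integrated zone (run deliberately, per zone):
#   Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure
```

A critical name reported with `Dynamic = True` in a zone whose `ZoneUpdates` is `NonsecureAndSecure` is the combination the first message warns about.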
