Security Adviser | Roger A. Grimes » Easy work around for new Microsoft DNS zero-day

April 13, 2007 | Comments: (0)

Easy work around for new Microsoft DNS zero-day

TAGS: None

There is a new zero-day exploit that impacts all Windows servers running DNS. It's pretty bad.

http://www.microsoft.com/technet/security/advisory/935964.mspx

It requires RPC access to the DNS server, which is disallowed by most perimeter firewalls, but if someone worms it like MS-Blaster, then it could get a little ugly.

Fortunately, it only takes a 1-minute registry edit to fix with a temporary workaround. It's documented in the KB article. The fix disables remote DNS management over RPC, which means when the temp fix is enabled, you can't use a remote DNS MMC console to manage your DNS server. If that isn't a problem, apply the fix.

Dr. Jesper Johansson also has a nice alternative way to apply the reg edit across multiple DNS servers at once in his blog.

Update 4-15-07(Some new notes from Microsoft regarding the temp workaround):
Remote management of DNS server functionality using RPC will be disabled. DNS management tools, will fail to work remotely. Local and remote management through terminal services can be still used to manage your DNS Server configuration. This includes the DNS management MMC Snap-in, DNSCMD.exe, DNS WMI provider. Additional management and control functionality may be lost for applications or components that use affected ports.

DNS Server local administration and configuration may not work if the
server being managed has a computer name of 15 characters or longer and is selected by its computer name. To avoid this issue, use the Fully Qualified Domain Name (FQDN) of the computer being managed in the DNS administration tools.

Posted by Roger Grimes on April 13, 2007 12:25 PM

RATE THIS ARTICLE: