Security Adviser | Roger A. Grimes » April 2007

April 13, 2007 | Comments: (0)

Easy work around for new Microsoft DNS zero-day

TAGS: None

There is a new zero-day exploit that impacts all Windows servers running DNS. It's pretty bad.

http://www.microsoft.com/technet/security/advisory/935964.mspx

It requires RPC access to the DNS server, which is disallowed by most perimeter firewalls, but if someone worms it like MS-Blaster, then it could get a little ugly.

Fortunately, it only takes a 1-minute registry edit to fix with a temporary workaround. It's documented in the KB article. The fix disables remote DNS management over RPC, which means when the temp fix is enabled, you can't use a remote DNS MMC console to manage your DNS server. If that isn't a problem, apply the fix.

Dr. Jesper Johansson also has a nice alternative way to apply the reg edit across multiple DNS servers at once in his blog.

Update 4-15-07(Some new notes from Microsoft regarding the temp workaround):
Remote management of DNS server functionality using RPC will be disabled. DNS management tools, will fail to work remotely. Local and remote management through terminal services can be still used to manage your DNS Server configuration. This includes the DNS management MMC Snap-in, DNSCMD.exe, DNS WMI provider. Additional management and control functionality may be lost for applications or components that use affected ports.

DNS Server local administration and configuration may not work if the
server being managed has a computer name of 15 characters or longer and is selected by its computer name. To avoid this issue, use the Fully Qualified Domain Name (FQDN) of the computer being managed in the DNS administration tools.

Posted by Roger Grimes on April 13, 2007 12:25 PM

April 13, 2007 | Comments: (0)

Making Verizon EDVO work with Vista

TAGS: None

I've been a big fan of Verizon's EDVO/Broadband service for a year or so now. Plug in a EDVO PC Card into your laptop or mobile device and get pretty kick butt Internet speeds. It's very pricey at $59-$79/mo. plus normal fees and taxes, but it gets great speeds and access.

Since I'm running Windows Vista Enterprise on my work laptop now, I needed a way to get Verizon's software and the EDVO card's drivers working with Vista. As with most wireless phone services and features, the phone companies rarely update the software once released. In my case, the Verizon-provided software called VZAccess didn't like Vista at first.

It's a simple fix two solutions. 1) Just fool VZAccess into thinking it is running in XP, or 2) Don't use VZAccess. Just install the card driver and use Vista's dial-up features. Either option works. Keith Comb's blog has an excellent entry on it.

Keith's blog has both solutions. The 'Running VZAccess in Windows XP compatiblity mode' is near the bottom of the blog entry. And I'll add a few things.

First copy the VZAccess.exe installer file from the CD-ROM's \VZAccess folder to your mobile device. Then right-click the file on the mobile device and click on Properties. Then click on the Compatibility tab. Then click on the Show settings for all users button and put in the admin credentials (if asked). Then enable the Run this program in compability mode for: and select Windows XP (Service Pack 2).

After installing the software and installing the drivers, you should have a VZAccess Manager icon on your desktop. Depending on your setup, you may or may not need to enable compatibility on the normal VZAccess Manager executable.

Posted by Roger Grimes on April 13, 2007 12:07 PM