Active directory security risks involved with implementation

Discussion in 'Active Directory' started by scripttron75, Jul 27, 2005.

  1. scripttron75

    scripttron75 Guest

    I get this error in the EV viewer for one of our servers saying this: "Attempt
    to update DNS Host Name of the computer object in Active Directory failed.
    the updated value was 'snmp-wg.prv.echo-inc.com.' The following error
    occurred: The parameter is incorrect." I found a resolution to the issue on
    MS, but I need to know what security risks are involved with implementing MS's
    resolution to this issue. Please help, thank you.
     
    scripttron75, Jul 27, 2005
    #1

  2. scripttron75

    Al Mulnick Guest

    Can you post the reference you found on Microsoft's site so we can all know
    what you're talking about?
    And did you expect that object to try and update? snmp-wg.prv.echo-inc.com
    isn't something I'd let update my records, but I don't host that domain. It
    sounds like it may be a non-Microsoft device, perhaps a *nix based
    monitoring device or a router?

    Al
     
    Al Mulnick, Jul 27, 2005
    #2

  3. scripttron75

    scripttron75 Guest

    scripttron75, Jul 28, 2005
    #3
  4. scripttron75

    Al Mulnick Guest

    WARNING: By modifying the default security in this way, there is the
    possibility that the computer joined to the selected domain could be
    operated by a malicious user and may be able to advertise itself under a
    different name through the service principal name attribute.


    I assume you saw that bit. Were you thinking there was more?
     
    Al Mulnick, Jul 28, 2005
    #4
  5. scripttron75

    scripttron75 Guest

    Yes, I was thinking there was more; if there is at all, please let me know.
     
    scripttron75, Aug 1, 2005
    #5
  6. scripttron75

    Al Mulnick Guest

    The right that you're granting is Validated write to DNS host name &
    possibly Validated write to service principal name.
    Not sure that poses any other security risk. Nothing comes to mind when you
    allow SELF to update its own records other than that a malicious user might
    find a way to log on to the machine and then cause it to update a record with
    bogus or malicious information.

    Seems a small risk in most cases.
     
    Al Mulnick, Aug 1, 2005
    #6
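
An added example, not part of the thread or of the Microsoft article it refers to: a Python check for the risk quoted in post #4, flagging computer records whose dNSHostName or servicePrincipalName names a host other than the account itself. The attribute names are real Active Directory attributes; the records, the `corp.example.test` suffix and the function names are constructed for illustration.

```python
# Added example: all records below are constructed, not data from the thread.

def spn_host(spn):
    """Return the host part of 'class/host[:port][/service]', or None."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[1]:
        return None
    return parts[1].split(":")[0].lower()

def audit_computer(record, allowed_suffixes):
    """List (attribute, value) pairs that name something other than this account."""
    name = record["sAMAccountName"].rstrip("$").lower()
    # FQDNs the account may legitimately use: <name>.<allowed DNS suffix>
    fqdns = {f"{name}.{s.lower()}" for s in allowed_suffixes}
    findings = []
    dns = (record.get("dNSHostName") or "").rstrip(".").lower()
    if dns and dns not in fqdns:
        findings.append(("dNSHostName", dns))
    for spn in record.get("servicePrincipalName", []):
        # An SPN host must be the short name or one of the allowed FQDNs
        if spn_host(spn) not in fqdns | {name}:
            findings.append(("servicePrincipalName", spn))
    return findings

def audit_all(records, allowed_suffixes):
    """Map account name -> findings, keeping only accounts with findings."""
    results = {r["sAMAccountName"]: audit_computer(r, allowed_suffixes) for r in records}
    return {account: found for account, found in results.items() if found}

ALLOWED_SUFFIXES = ["corp.example.test"]  # assumed AD domain DNS name

SAMPLE = [  # constructed export of computer objects
    {"sAMAccountName": "WEB01$", "dNSHostName": "web01.corp.example.test",
     "servicePrincipalName": ["HOST/WEB01", "HOST/web01.corp.example.test"]},
    {"sAMAccountName": "APP02$", "dNSHostName": "app02.corp.example.test",
     "servicePrincipalName": ["HOST/APP02", "HTTP/payroll.corp.example.test"]},
    {"sAMAccountName": "MON03$", "dNSHostName": "mon03.other.example.test",
     "servicePrincipalName": ["HOST/mon03.other.example.test"]},
]

if __name__ == "__main__":
    for account, found in audit_all(SAMPLE, ALLOWED_SUFFIXES).items():
        for attribute, value in found:
            print(f"{account}: {attribute} = {value}")
```

A legitimately different DNS suffix, as in the original question, shows up here too; adding it to the allowed list separates it from names that were never expected.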