Ultimate Windows Security Newsletter:

Issue #44, 04/17/07

As most of you are already aware, there is a new 0-day attack hitting some folks. It's potentially very nasty since it centers on DNS servers, which are often also domain controllers. That's bad because the DNS Server service runs as the SYSTEM account, which is all-powerful, and a compromised domain controller, of course, means a compromised domain. However, there's an easy workaround that most folks should be able to implement without causing any problem.

At this point let me first stress that port 53 (DNS) is not the attack vector for this exploit. The vulnerability does not lie in Windows' implementation of the DNS protocol but in the RPC administration and management interface to the DNS Server service. You see, when you use the DNS MMC snap-in to manage a DNS server, it uses either local procedure calls (LPC) or remote procedure calls (RPC). If you are running the DNS snap-in on the same server as the DNS service you're administering, the snap-in normally uses LPC. If you connect to a remote DNS server, the snap-in switches to RPC.


The good news is that since the attack vector is RPC the attacking computer almost certainly needs to be on the internal corporate/organization network – unless you have servers out there on the internet exposed to RPC traffic.  I know all of you are smarter than that.

Nevertheless you are exposed to malicious internal individuals or internal computers infected with malware that exploit this vulnerability. 

All you have to do to mitigate this risk is turn off RPC in the DNS Server service. Turning off RPC in DNS Server is a simple registry tweak documented in http://www.microsoft.com/technet/security/advisory/935964.mspx.

What does that break? You won't be able to open the DNS snap-in on one computer and use it to administer DNS Server on another computer over the network. Instead you'll need to remote desktop into that server and run the DNS snap-in locally. You will still be able to use DNSCMD.exe and WMI locally but not remotely.

One final point: if the computer name of your DNS server is over 15 characters, you may need to use the fully qualified DNS domain name to administer the server locally. Apparently computer names longer than 15 characters make the DNS snap-in switch to RPC even if the DNS service is local.
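Here is an added PowerShell script (not from the newsletter or the advisory) that audits a DNS server for the workaround above, optionally applies it, and flags the long-computer-name caveat. It assumes the advisory's workaround is a DWORD value named RpcProtocol set to 4 under the DNS service's Parameters key; that value name and data are my recollection of the advisory, not something this page states, so confirm them against the advisory before running it with -Apply.

```powershell
# Added example: audit (and with -Apply, enforce) the "LPC only" setting for the
# DNS Server RPC management interface, as a defender would after advisory 935964.
# ASSUMPTION: value name RpcProtocol, DWORD data 4 = LPC only (verify in the advisory).
param(
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'   # assumed value name from the advisory workaround
$LpcOnly   = 4               # assumed data meaning "local procedure calls only"

# Only DNS servers carry the exposed interface; skip everything else.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    Write-Output 'DNS Server service is not installed on this host; nothing to check.'
    return
}

# Read the current setting. A missing value means the default: remote RPC accepted.
$current = (Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Output "$ValueName is not set: DNS Server accepts remote RPC management (default)."
} elseif ($current -eq $LpcOnly) {
    Write-Output "$ValueName = $current: remote RPC management is already disabled (LPC only)."
} else {
    Write-Output "$ValueName = $current: remote RPC management is still enabled."
}

# The newsletter's caveat: a host name longer than 15 characters pushes even the local
# snap-in onto RPC, so such a server must be administered by its fully qualified name.
$hostName = [System.Net.Dns]::GetHostName()
if ($hostName.Length -gt 15) {
    Write-Output "Host name '$hostName' exceeds 15 characters; use the FQDN when running the snap-in locally."
}

if ($Apply -and $current -ne $LpcOnly) {
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value $LpcOnly -Force | Out-Null
    Restart-Service -Name DNS   # the new setting takes effect when the service restarts
    Write-Output "Set $ValueName = $LpcOnly and restarted DNS Server; snap-in, DNSCMD.exe and WMI management are now local-only."
}
```

Run it without switches first to see where each DNS server stands; rerun with -Apply from an elevated prompt to enforce the setting.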

Until next time, keep those risks mitigated!
