Administratively Created DNS Records May Not Be Security-Enhanced (321610)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
This article was previously published under Q321610
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

Authenticated users may be given full control of static records (that are manually created by an administrator) in an Active Directory-integrated DNS zone that is configured with the Allow Secure Updates Only setting.

CAUSE

This occurs to permit DNS dynamic update protocol clients to take control of records that are registered on their behalf by the administrator or by a DNS proxy server that supports the dynamic update protocol (such as a DHCP server).

RESOLUTION

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Hotfix Information

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version        Size     File name
   -----------------------------------------------------
   15-Aug-2002  22:06  5.0.2195.6016  325,392  Dns.exe

WORKAROUND

To secure the records manually, change the Authenticated Users ACE to Read by using the standard tools (Dsacls, Dnscmd, or the Microsoft Management Console snap-in).

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Install the hotfix on all DNS servers that host the Active Directory-integrated zone. The default behavior after you install the hotfix is to create static records with secure ACLs. To revert to open ACLs, you must add a registry value:
  1. Start Registry Editor (Regedit.exe).
  2. Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: CreateRecordsWithOpenAcl
    Data type: REG_DWORD
    Value: 1

Note If you add the CreateRecordsWithOpenAcl registry value to the registry on a Microsoft Windows 2000-based DNS server, dynamic updates from authenticated users can overwrite records that are created with the Dnscmd tool. In Microsoft Windows Server 2003, the equivalent procedure is to create static records by using the Dnscmd tool with the /OpenACL parameter.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product


Modification Type:MinorLast Reviewed:10/11/2005
Keywords:kbHotfixServer kbQFE kbDirServices kbWin2kSP4fix kbbug kbfix kbWin2000preSP4Fix KB321610
©2004 Microsoft Corporation. All rights reserved.