Administratively Created DNS Records May Not Be Security-Enhanced

Article translations Article translations
Article ID: 321610 - View products that this article applies to.
This article was previously published under Q321610
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
Expand all | Collapse all

On This Page

SYMPTOMS

Authenticated users may be given full control of static records (that are manually created by an administrator) in an Active Directory-integrated DNS zone that is configured with the Allow Secure Updates Only setting.

CAUSE

This occurs to permit DNS dynamic update protocol clients to take control of records that are registered on their behalf by the administrator or by a DNS proxy server that supports the dynamic update protocol (such as a DHCP server).

RESOLUTION

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

Hotfix Information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size     File name
   -----------------------------------------------------
   15-Aug-2002  22:06  5.0.2195.6016  325,392  Dns.exe
				

WORKAROUND

To secure the records manually, change the Authenticated Users ACE to Read by using the standard tools (Dsacls, Dnscmd, or the Microsoft Management Console snap-in).

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Install the hotfix on all DNS servers that host the Active Directory-integrated zone. The default behavior after you install the hotfix is to create static records with secure ACLs. To revert to open ACLs, you must add a registry value:
  1. Start Registry Editor (Regedit.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: CreateRecordsWithOpenAcl
    Data type: REG_DWORD
    Value: 1
Note If you add the CreateRecordsWithOpenAcl registry value to the registry on a Microsoft Windows 2000-based DNS server, dynamic updates from authenticated users can overwrite records that are created with the Dnscmd tool. In Microsoft Windows Server 2003, the equivalent procedure is to create static records by using the Dnscmd tool with the /OpenACL parameter.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product

Properties

Article ID: 321610 - Last Review: February 27, 2014 - Revision: 4.6
APPLIES TO
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Service Pack 3
Keywords: 
kbnosurvey kbarchive kbautohotfix kbhotfixserver kbqfe kbdirservices kbwin2ksp4fix kbbug kbfix kbwin2000presp4fix KB321610

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com