
Minimum rights for DNS using DSACLs


Shaun Sawyer

Dec 13, 2006, 3:40:01 AM12/13/06
Hi

If I want to stop 'users' from creating / amending DNS records in an AD
integrated 'Secure only' dynamic updates environment; can anybody let me know
what the 'least privileges' should be to the AD objects using DSACLs?

I am assuming that replacing authenticated users with domain computers is a
good start...

Thanks
Shaun

Herb Martin

Dec 13, 2006, 9:39:38 AM12/13/06
"Shaun Sawyer" <Shaun...@discussions.microsoft.com> wrote in message
news:22608784-E672-4880...@microsoft.com...

Logically that should work.

What is the real issue or are you just being security
vigilant?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Ace Fekay [MVP]

Dec 13, 2006, 10:42:11 AM12/13/06
In news:22608784-E672-4880...@microsoft.com,
Shaun Sawyer <Shaun...@discussions.microsoft.com> stated, which I
commented on below:

Be careful of your security settings on zone properties or you may also stop
DHCP, if on a DC, to be able to overwrite its own records when an updated
record is different than the prior.

What are your intentions in attempting to control updates?


--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...


Ace Fekay [MVP]

Dec 13, 2006, 12:56:09 PM12/13/06
In news:%23gTLC1s...@TK2MSFTNGP02.phx.gbl,
Ace Fekay [MVP] <Pleas...@SomeDomain.com> stated, which I commented on
below:

> Be careful of your security settings on zone properties or you may
> also stop DHCP, if on a DC, to be able to overwrite its own records
> when an updated record is different than the prior.
>
> What are your intentions in attempting to control updates?

Maybe I should restate this. To allow DHCP to own a record in an AD
integrated zone where secure updates are set, the DHCP servers need to be
added to the DnsUpdateProxy group. However if DHCP is on a DC, this will
reduce security a bit.

More info on this...

317590 - HOW TO Configure DNS Dynamic Update in Windows 2000 and
DNSUpdateProxy Group:
http://support.microsoft.com/?id=317590

816592 - How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/kb/816592/

Follow up discussion on the DNSUpdateProxy-Group:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx

Ace
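The two points raised in this thread (which principals hold create rights on the zone object that Shaun wants to restrict with DSACLs, and which accounts sit in DnsUpdateProxy, with the caveat that a DC in that group weakens security) can be audited with a short script before any ACL is changed. The following is an added example written for this thread, not code posted by any participant; it assumes the RSAT ActiveDirectory module, a zone stored in the DomainDnsZones partition, and placeholder names ('corp.example', 'CORP', 'svc-dhcp-dns') that you would replace with your own.

```powershell
# Added example (not from the thread). Audits create rights on an AD-integrated DNS zone
# and reports DnsUpdateProxy membership. Assumes the ActiveDirectory module and a zone
# replicated in the DomainDnsZones partition; zone/domain/account names are placeholders.
Import-Module ActiveDirectory

function Get-DnsZoneDN {
    param([string]$ZoneName, [string]$DomainDN)
    # Zones replicated to all DNS servers in the domain are stored under DomainDnsZones
    "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
}

function Get-DnsNodeSchemaGuid {
    # Resolve the schemaIDGUID of the dnsNode class so object-specific Create Child ACEs can be matched
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}

function Get-DnsZoneCreateRights {
    param([string]$ZoneDN)
    # Lists every Allow ACE that grants Create Child on the zone, either for all child
    # classes (empty ObjectType) or specifically for dnsNode objects.
    $dnsNodeGuid = Get-DnsNodeSchemaGuid
    $acl = Get-Acl -Path "AD:\$ZoneDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $dnsNodeGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Get-DnsUpdateProxyReport {
    # The thread's caveat: a DC in DnsUpdateProxy reduces security, so flag DC members.
    Get-ADGroupMember -Identity 'DnsUpdateProxy' | ForEach-Object {
        $isDC = $false
        if ($_.objectClass -eq 'computer') {
            $c = Get-ADComputer -Identity $_.distinguishedName -Properties PrimaryGroupID
            $isDC = ($c.PrimaryGroupID -eq 516)   # RID 516 = Domain Controllers group
        }
        [pscustomobject]@{
            Member             = $_.SamAccountName
            Class              = $_.objectClass
            IsDomainController = $isDC
        }
    }
}

# Usage with placeholder values
$domainDN = (Get-ADDomain).DistinguishedName
$zoneDN   = Get-DnsZoneDN -ZoneName 'corp.example' -DomainDN $domainDN
Get-DnsZoneCreateRights -ZoneDN $zoneDN | Format-Table -AutoSize
Get-DnsUpdateProxyReport | Format-Table -AutoSize

# The corresponding dsacls change discussed in the thread, once the report looks right
# (object type name after the semicolon is assumed to be the class ldapDisplayName):
#   dsacls "$zoneDN" /R "NT AUTHORITY\Authenticated Users"
#   dsacls "$zoneDN" /G "CORP\Domain Computers":CC;dnsNode
#   dsacls "$zoneDN" /G "CORP\svc-dhcp-dns":CC;dnsNode
```

One thing to check in the first report before removing Authenticated Users: domain controllers are not members of Domain Computers (their primary group is Domain Controllers), yet they register their own A and SRV records through the same secure-update path, so a grant to Domain Computers alone would not cover them. Run the audit again after the change and confirm that the DC accounts, or a group containing them, still appear with Create Child rights.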


Shaun Sawyer

Dec 14, 2006, 4:03:01 AM12/14/06
'Security vigilant' is a good description... The environment needs to be tied
down as much as possible, without affecting any fundamental operations (such
as creating the SVC, A, PTR records etc.)

To that end my initial inclusion is domain computers and the DHCP credentials
account.

Regards
Shaun

Shaun Sawyer

Dec 14, 2006, 4:06:00 AM12/14/06
Hi Ace,

As I replied to Herb, this is an exercise in making DNS as secure as
possible without restricting basic operations. I take onboard your comments
about DHCP, and that has been thought of by including the credentials account
in the DSACLs list.

Thanks
Shaun

Ace Fekay [MVP]

Dec 14, 2006, 11:05:49 AM12/14/06
In news:6355F497-3E47-49B0...@microsoft.com,
Shaun Sawyer <Shaun...@discussions.microsoft.com> stated, which I
commented on below:

> Hi Ace,
>
> As I replied to Herb, this is an exercise in making DNS as secure as
> possible without restricting basic operations. I take onboard your
> comments about DHCP, and that has been thought of by including the
> credentials account in the DSACLs list.
>
> Thanks
> Shaun

I see. Good luck and let us know how you make out.

Ace

