It's Easy to Secure Windows 2000 Servers, Part 5
Laura Taylor
7/13/2005
In the earlier installments of this series, you learned how to use the Microsoft Management Console (MMC) to automatically configure and enforce security policies by creating security templates, and how to install them on multiple servers. In this part, I'm going to teach you what settings to configure in order to secure a Windows 2000 DNS server.
Getting Started on DNS Security
DNS stands for Domain Name Service. It is a distributed Internet directory service that allows your network to translate domain names into IP addresses. Without DNS, your browser would not be able to find Web sites and you would not be able to send or receive e-mail. An alternative to using DNS is DHCP (which stands for Dynamic Host Configuration Protocol).
If you use DNS, you don't need to use DHCP and vice versa. It's best not to run more services than necessary on your DNS server. The more services you run, the more you expose your server to possible vulnerabilities. Therefore, the security settings that I am going to recommend cover only the minimum number of services required to run and secure DNS. These recommendations are for a DNS server, and therefore the settings will explicitly disable the DNS Client and DHCP Client services.
Before you apply the DNS specific security settings, you should apply the general security settings that you applied on your basic Windows 2000 server; these are the settings that you learned how to apply in Parts 1, 2, and 3 of this series.
While the goal is to secure DNS, you want to harden the Windows 2000 operating system in a general way as well, just as you would do for any Windows 2000 server. You should perform the general operating system hardening configurations first. For example, you'll need to add members to the Administrators group according to which administrators are allowed to configure the DNS server. After you apply the general Windows 2000 operating system hardening settings that you have already learned, it is time to apply the DNS specific security settings.
Applying DNS Configuration Settings
As with all security templates, you're going to want to start by using the Microsoft Management Console (MMC) to launch the creation of a security template. Load the Security Template snap-in Console as you learned in Part 1.
Once you have the snap-in loaded, select the secure basic server (basicsv.inf) template that you have already configured. You are then going to save it into a new file called SECUREDNS.inf as illustrated below. By using your original basic server template and then modifying it, you will have all the original Windows 2000 security settings to start with.
Loading the SECUREDNS security template.
Once you have saved your SECUREDNS.inf file, you can expand it to see the subcategories as illustrated below.
Expanding the Subcategories in your SECUREDNS Template
The three subcategories that you will need to configure in order to secure DNS are System Services, Registry, and Filesystem. Select the Services configuration category as illustrated below. The Services should be secured for both the Administrators group and the SYSTEM account. Follow the methodology we covered in Part 3 to access System Service configuration settings for Administrators and SYSTEM.
Configuring security for DNS services.
The Service security settings that you will want to configure are listed in the following table:
| Service Name | Setting | Permissions |
|---|---|---|
| DHCP Client | Disabled | Full Control |
| DNS Client | Disabled | Full Control |
| DNS Server | Automatic | Full Control |
Next it's time to configure Registry security. You need to secure the Registry in order to prevent unauthorized users from changing the location of the DNS zone files. To secure the DNS registry, select the Registry configuration category as illustrated below.
Configuring the security for the DNS Registry.
Similar to how you configured the Services settings, you'll want to make sure that these settings are applied to the user groups known as Administrators and SYSTEM. There is only one setting that you need to secure the DNS registry and that is listed in the following table:
| Registry | Setting | Permissions |
|---|---|---|
| MACHINE\SYSTEM\CurrentControlSet\Services\DNS | Replace | Full Control |
Lastly, you need to secure the filesystem that contains the DNS files. To do this, select the Filesystem category as illustrated below.
Apply the security settings listed in the following table to the Administrators group:
| Object Name | Setting | Permissions |
|---|---|---|
| %SystemDirectory%\ipconfig.exe | Replace | Administrators: Full Control; SYSTEM: Full Control |
| %SystemDirectory%\dns | Replace | Administrators: Full Control (for subfolders and files only); SYSTEM: Full Control |
Your DNS server security settings are now configured. You now need to reboot the server.
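The three tables above end up as entries in SECUREDNS.inf, so a saved template can be checked against them. The following is an added example, not part of the original article: it parses a constructed template body and reports every deviation from the tables. The service short names (Dhcp, Dnscache, DNS), the SDDL strings and the numeric mode codes are assumptions about how the template stores these settings.

```python
import csv
import re

SVC = "CCDCLCSWRPWPDTLOCRSDRCWDWO"  # SDDL rights string: full control of a service
ALLOWED = {"BA", "SY"}              # SDDL aliases: Administrators, SYSTEM
# (section, object) -> mode. Services: 2 = Automatic, 4 = Disabled; keys/files: 2 = Replace.
EXPECTED = {
    ("service general setting", "dhcp"): 4,      # DHCP Client
    ("service general setting", "dnscache"): 4,  # DNS Client
    ("service general setting", "dns"): 2,       # DNS Server
    ("registry keys", r"machine\system\currentcontrolset\services\dns"): 2,
    ("file security", r"%systemdirectory%\ipconfig.exe"): 2,
    ("file security", r"%systemdirectory%\dns"): 2,
}
# Constructed template body; the SDDL strings are illustrative assumptions.
GOOD_INF = rf'''[Service General Setting]
"Dhcp",4,"D:AR(A;;{SVC};;;BA)(A;;{SVC};;;SY)"
"Dnscache",4,"D:AR(A;;{SVC};;;BA)(A;;{SVC};;;SY)"
"DNS",2,"D:AR(A;;{SVC};;;BA)(A;;{SVC};;;SY)"
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\DNS",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
[File Security]
"%SystemDirectory%\ipconfig.exe",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)"
"%SystemDirectory%\dns",2,"D:PAR(A;OICIIO;FA;;;BA)(A;OICI;FA;;;SY)"'''
# Constructed drift: DNS Client re-enabled, Authenticated Users (AU) added on the DNS key.
DRIFTED_INF = GOOD_INF.replace('"Dnscache",4', '"Dnscache",2').replace(
    "(A;CI;KA;;;SY)", "(A;CI;KA;;;SY)(A;CI;KA;;;AU)")

def parse(text):  # -> {(section, object): (mode, sddl)}
    entries, section = {}, ""
    for line in filter(None, map(str.strip, text.splitlines())):
        row = next(csv.reader([line]))
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif len(row) == 3 and row[1].isdigit():  # "object",mode,"SDDL"
            entries[(section, row[0].lower())] = (int(row[1]), row[2])
    return entries

def audit(text):
    """Return every deviation from the article's three tables."""
    found, problems = parse(text), []
    for (section, name), mode in EXPECTED.items():
        got_mode, sddl = found.get((section, name), (None, ""))
        if got_mode != mode:
            problems.append(f"{name}: mode {got_mode}, expected {mode}")
        trustees = {a.split(";")[5] for a in re.findall(r"\(([^)]*)\)", sddl)}
        if sddl and trustees != ALLOWED:
            problems.append(f"{name}: DACL trustees {sorted(trustees)}")
    return problems
```

Calling `audit(DRIFTED_INF)` flags the re-enabled DNS Client service and the extra trustee on the DNS registry key, while `audit(GOOD_INF)` returns an empty list.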
Page 2: Post Configuration Tasks and Best Practices