submitted 11 months ago by throws_lemy@lemmy.nz to c/technology@lemmy.world
[-] SnotFlickerman@lemmy.blahaj.zone 13 points 10 months ago* (last edited 10 months ago)

I hate to be that guy, but the documentation for AD DHCP goes over this.

It isn't always Microsoft's fault when they fail to save their customers from their own stupidity and lack of concern for security.

It is bad that this is the default behavior, but defaults aren't always defaults because they are the best; they are the defaults that will all work functionally together as long as everything is at default settings.

It is more about making it "work out of the box" with defaults than "making sure it is secure out of the box."

Frankly, the security of their AD DHCP/DNS is the job of the SysAdmin, not Microsoft. A SysAdmin is supposed to be a professional, so why do they want to blame a third party for their own shortcomings and lack of security conscientiousness?

Nobody is blaming Linus for badly secured Linux servers, or saying the defaults should be more secure.

[-] SpeakerToLampposts@lemmy.world 3 points 10 months ago

I am going to blame Microsoft, because “works out of the box” shouldn't conflict with “secure out of the box.”

And while I won't blame Linus for insecure-by-default Linux configs, I will blame whoever integrated the distro/dockerfile/etc.

[-] autotldr@lemmings.world 2 points 11 months ago

This is the best summary I could come up with:


In addition to detailing the security issue, the cloud services biz also provided a tool that sysadmins can use to detect configurations that are at risk.

While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof - short for DHCP DNS Spoof.

"We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains," Akamai security researcher Ori David said.

The DHCP attack research builds on earlier work by NETSPI's Kevin Robertson, who detailed ways to exploit flaws in DNS zones.

In addition to abusing Microsoft's DHCP to create or overwrite DNS records, the team found another feature, DNSUpdateProxy group, that also poses a security risk - and potentially contains a bug.

But in the meantime, we'd suggest following Akamai's advice and disabling DHCP DNS Dynamic Updates if you don't already and avoiding DNSUpdateProxy altogether.


The original article contains 753 words, the summary contains 167 words. Saved 78%. I'm a bot and I'm open source!
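An added example, not part of the thread and not Akamai's detection tool: a PowerShell audit for the two settings the summary advises against (DHCP DNS dynamic updates left enabled, and any member in the DnsUpdateProxy group). The function names and the sample data are assumptions made for illustration; the collector relies on the DhcpServer and ActiveDirectory modules from RSAT.

```powershell
# Collects server-level and per-scope DNS update settings from every
# DHCP server authorized in AD. Requires the DhcpServer RSAT module.
function Get-DhcpDnsSettingInventory {
    foreach ($srv in Get-DhcpServerInDC) {
        $name = $srv.DnsName
        $def  = Get-DhcpServerv4DnsSetting -ComputerName $name
        [pscustomobject]@{ Server = $name; Scope = '(server default)'; DynamicUpdates = $def.DynamicUpdates }
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $name) {
            $s = Get-DhcpServerv4DnsSetting -ComputerName $name -ScopeId $scope.ScopeId
            [pscustomobject]@{ Server = $name; Scope = "$($scope.ScopeId)"; DynamicUpdates = $s.DynamicUpdates }
        }
    }
}

# Flags every server default or scope where dynamic updates are not 'Never',
# and every account that is a member of DnsUpdateProxy.
function Test-DhcpDnsExposure {
    param(
        [Parameter(Mandatory)] [object[]] $DnsSettings,
        [string[]] $UpdateProxyMembers = @()
    )
    foreach ($s in $DnsSettings) {
        if ($s.DynamicUpdates -ne 'Never') {
            [pscustomobject]@{ Target = "$($s.Server) $($s.Scope)"
                               Issue  = "DHCP DNS dynamic updates enabled ($($s.DynamicUpdates))" }
        }
    }
    foreach ($m in $UpdateProxyMembers) {
        [pscustomobject]@{ Target = $m; Issue = 'Member of DnsUpdateProxy' }
    }
}

# Constructed sample data so the check can be read and run offline.
$sample = @(
    [pscustomobject]@{ Server = 'dhcp01.example.test'; Scope = '(server default)'; DynamicUpdates = 'OnClientRequest' }
    [pscustomobject]@{ Server = 'dhcp01.example.test'; Scope = '10.0.10.0';        DynamicUpdates = 'Always' }
    [pscustomobject]@{ Server = 'dhcp02.example.test'; Scope = '10.0.20.0';        DynamicUpdates = 'Never' }
)
Test-DhcpDnsExposure -DnsSettings $sample -UpdateProxyMembers 'DHCP01$' | Format-Table -AutoSize

# Against a live domain (needs read access to the DHCP servers and AD):
# $members = (Get-ADGroupMember -Identity 'DnsUpdateProxy').SamAccountName
# Test-DhcpDnsExposure -DnsSettings (Get-DhcpDnsSettingInventory) -UpdateProxyMembers $members
```

On the constructed data this reports the first two entries and the `DHCP01$` group member, and leaves the scope set to `Never` unflagged.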

this post was submitted on 09 Dec 2023