
How to prevent changes to DNS server


  • How to prevent changes to DNS server

    Hi, we need to restrict access to the DNS servers to only three "DNS administrators". The DNS servers are also domain controllers, running on Windows 2000 servers. The DNS zones are Active Directory integrated. We need to prevent users from accessing the DNS servers using the DNS MMC, either from the DNS server itself or from local workstations.
    Current security settings on the DNS server (DNS MMC/server properties/Security) allow access to the DNS server for Domain Admins (full rights), System, Authenticated Users (read only and inherited special permissions), and Administrators (full access). We would like to set up only one group, DNS admins, with full access rights on the DNS servers - this group should only be allowed to make changes to the DNS server like adding/deleting records but, on the other side, we need to keep the DNS server's Active Directory functions.

    Thanks for your help.
    Regards,

  • #2
    Re: How to prevent changes to DNS server

    Originally posted by Makarije:
    Current security settings on DNS server (DNS MMC/server properties/Security) allow access to DNS server for Domain Admins (full rights), System, Authenticated users (read only and inherited special permissions), Administrators (full access)
    Your one "network" group is "Domain Admins" then?
    Who can change things that you don't want to? You could restrict use of the mmc on client machines maybe? What is wrong with people reading what is in DNS?
    Do you have a bit more info regarding the background please?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: How to prevent changes to DNS server

      Here are a few more facts:
      - the DNS server is also a domain controller for AD
      - we have to prevent users from making changes in the DNS database (e.g. adding records, removing records, etc.)
      - the users whose access we would like to prevent are also members of the Domain Admins group, which by default has full access to the domain controller as well as the DNS server.
      The question is: can we create an AD group called dnsadmin, add a few users to this group and apply security access to the DNS server to allow only dnsadmins to make changes to the DNS server zones?
      Do we have to keep Domain Admins with full rights to the DNS server database?
      Do the members of the dnsadmin group need to be members of the Domain Admins group at the same time (two group memberships) in order to make changes to the DNS server?
      Also, it is very important to limit access to the DNS server using either the DNS MMC or RDP.

      Thanks



      • #4
        Re: How to prevent changes to DNS server

        Do you have secure updates only set up?

        I would worry if you have Domain Admins that you can't trust with DNS, or anything else for that matter.

        Why not delegate permissions to new groups for the tasks that these users perform and remove them from Domain Admins and then use a "DNS Admins" group to give them rights to DNS (for example)?
        cheers
        Andy



        • #5
          Re: How to prevent changes to DNS server

          Your problem is that your regular users are members of the Domain Admins.
          Originally posted by Makarije:
          - users we would like to prevent access, are also members of domain admins group which by default has full access to domain
          Thanks
          Domain Admins have the right to change your DNS records; you won't change that and you shouldn't.
          What you should do is remove regular users from Domain Admins; they don't need it and they could only damage your AD.
          As for DNS admin, there is a group "DNS Admins"; users who are not members of the Domain Admins group and to whom you want to grant DNS administration would be placed in that group.

          Action Plan:
          Remove unneeded Users from the Domain Admins Group!!

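Added example, not part of any poster's reply: a Python sketch of the action plan from post #5. It parses `net group "Domain Admins" /domain` output and lists the `net` commands that would first add the DNS operators to DnsAdmins and then remove everyone outside an approved list from Domain Admins. The sample output, account names and allowlists are constructed, and the 25-character column width is an assumption about how `net.exe` lays out member names.

```python
COL = 25  # assumption: net.exe pads member names into 25-character columns

def parse_net_group(output):
    """Return member names from `net group "<name>" /domain` output."""
    members, in_list = [], False
    for line in output.splitlines():
        if line.strip() and set(line.strip()) == {"-"}:  # dashed rule precedes members
            in_list = True
            continue
        if not in_list or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        # Slice by column so account names that contain spaces stay intact.
        members += [line[i:i + COL].strip() for i in range(0, len(line), COL)
                    if line[i:i + COL].strip()]
    return members

def plan(domain_admins, dns_admins, keep_da, dns_operators):
    """Commands for the action plan: grant DnsAdmins first, then trim Domain Admins."""
    keep = {n.lower() for n in keep_da}
    have = {n.lower() for n in dns_admins}
    cmds = ['net localgroup DnsAdmins "%s" /add /domain' % u
            for u in dns_operators if u.lower() not in have]
    cmds += ['net group "Domain Admins" "%s" /delete /domain' % u
             for u in domain_admins if u.lower() not in keep]
    return cmds

def _row(*names):  # helper used only to build the constructed sample below
    return "".join(n.ljust(COL) for n in names)

# Constructed sample output; the account names are hypothetical.
SAMPLE = "\n".join([
    "Group name     Domain Admins",
    "Comment        Designated administrators of the domain",
    "",
    "Members",
    "",
    "-" * 79,
    _row("Administrator", "jsmith", "mary jones"),
    _row("dnsop1"),
    "The command completed successfully.",
])

if __name__ == "__main__":
    current = parse_net_group(SAMPLE)
    for cmd in plan(current, ["DNSOP1"], ["Administrator"], ["dnsop1", "mary jones"]):
        print(cmd)
```

The commands are only printed for review; DnsAdmins is handled with `net localgroup` because it is a domain local group.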


          • #6
            Re: How to prevent changes to DNS server

            Thank you all for the responses. The problem here is that everything was inherited from the previous domain admin and now I am trying to make it better and more secure.
            Akila - I do not see a group called "Dns Admin" - did you refer to the users group we are trying to create?
            I believe I will do what AndyJG247 suggested.

            Thank you all for prompt responses.

            Regards,



            • #7
              Re: How to prevent changes to DNS server

              The security group DnsAdmins (along with DnsUpdateProxy, DHCP Administrators, DHCP Users etc etc), on our SBS server, is in the root of the Users container. Have a look there and see if you find it.
              Gareth Howells

              BSc (Hons), MBCS, MCP, MCDST, ICCE

              Any advice is given in good faith and without warranty.



              • #8
                Re: How to prevent changes to DNS server

                I got it. Thanks
