Managing the Global Query Block List

Source here. Extremely wordy, but I thought it was interesting how M$ is like, “uh, we can’t really prevent someone from hijacking DNS requests like this, so here’s a block thingy.”


The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records. This convenience comes at a cost, however, because any authorized client can register any unused host name, even a host name that might have special significance for certain applications. This can allow a malicious user to take over a special name and divert certain types of network traffic to that user’s computer.

Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to the takeover that DNS dynamic update enables. To help prevent such a takeover, the DNS server role in Windows Server 2008 includes a global query block list that can help prevent a malicious user from taking over DNS names that have special significance.

Most Web browsers use WPAD to locate and apply configuration settings that make it possible for the Web browsers to use a network proxy server. These configuration settings are contained in a file that is located on a server. A browser locates this server by querying a Dynamic Host Configuration Protocol (DHCP) server for the URL of the network’s WPAD server. If this query is not successful, the browser attempts to locate the WPAD server by using standard DNS name-resolution queries.

For example, if the Web browser is running on a Windows-based computer named laptop.acctg.corp.contoso.com, the browser attempts to find the WPAD configuration file by looking for the following URLs:

http://wpad.acctg.corp.contoso.com/wpad.dat
http://wpad.corp.contoso.com/wpad.dat
http://wpad.contoso.com/wpad.dat

When the browser locates the Wpad.dat file at any of these locations, it reads the contents of the file and then configures itself according to the settings in the file.

Unfortunately, you cannot secure this automatic discovery process. Any computer that is registered in a DNS zone with the name wpad can provide a WPAD configuration to clients on the network, even if the file contains settings that cause the clients to use a fake proxy server, for example, to divert the client’s Web browser to counterfeit Web sites. The dynamic update feature of DNS makes it possible for a malicious user to accomplish this without requiring the intervention of a DNS system administrator simply by giving a computer the name wpad and then connecting it to the network. As long as there is no other computer in the zone with the same name, the computer of the malicious user can register its name with the DNS server that is authoritative for its zone and then direct all WPAD queries to itself.

The block list feature that is provided by the DNS server role in Windows Server 2008 helps prevent the takeover of WPAD by ensuring that queries for WPAD servers always fail unless WPAD is excluded from the block list.

ISATAP provides a transition between networks that are based on IP version 4 (IPv4) and networks that are based solely on the newer IP version 6 (IPv6). ISATAP provides this transition by using a tunneling approach to carry IPv6 traffic on an IPv4 infrastructure. In other words, ISATAP encapsulates IPv6 packets with an IPv4 header, which makes it possible for the IPv6 packets to be transmitted through a single ISATAP router from one ISATAP-enabled host to another. This transmission occurs wherever the hosts are located on the network, regardless of whether the hosts are located on an IPv6-enabled subnet or on an IPv4-only network.

ISATAP does not support automatic router discovery. Instead, ISATAP hosts use a potential routers list (PRL) to discover available ISATAP routers. Most commonly, ISATAP hosts construct their PRLs by using DNS to locate a host named isatap on the local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain the IPv4 address of a host named isatap.corp.contoso.com.

Consequently, a malicious user can spoof an ISATAP router in much the same way as a malicious user can spoof a WPAD server: A malicious user can use dynamic update to register the user’s own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network. To prevent this, the Windows Server 2008 DNS Server service blocks name resolution of the isatap host name by default.

In its default configuration, the Windows Server 2008 DNS Server service maintains a list of names that, in effect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. To accomplish this, the DNS Server service first checks queries against the list. Then, if the leftmost portion of the name matches an entry in the list, the DNS Server service replies to the query as though no resource record existed, even if there is a host (A or AAAA) resource record in the zone for the name. In this way, if a host (A or AAAA) resource record exists in the zone because a host has used dynamic update to register itself with a blocked name, the DNS Server service does not resolve the name.

The block list automatically applies to all zones for which the server is authoritative. For example, if the DNS server is authoritative for contoso.com and for europe.contoso.com, it ignores queries for wpad.contoso.com as well as for wpad.europe.contoso.com. However, the DNS Server service does not ignore queries for names in zones for which it is not authoritative. Specifically, the DNS Server service does not ignore queries that it receives through a forwarder or a stub zone or as a result of normal recursion or forwarding. If the block list causes the DNS Server service to ignore a request for a resource record that does exist in a zone, it logs an event that explains why it did so. This event is logged only once after the DNS server has been restarted to prevent the event log from being flooded by an attempted denial-of-service attack.

Important
All DNS servers that are authoritative for a zone must be running Windows Server 2008, and they must be configured with the same block list to ensure consistent results when clients query for resolution of names in the block list. The block list is a per-server setting and is not replicated between servers.

Because the DNS Server service applies the block list for all resource records, not just host (A or AAAA) resource records, it ignores queries for such resource record types as mail exchanger (MX) and service locator (SRV) resource records. However, because the DNS Server service does not apply the block list to zone names themselves, an administrator can create a zone named wpad.contoso.com, for example, and add host resource records to that zone. In this case, the DNS Server service continues to resolve host names in the wpad.contoso.com zone.

The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when you add the DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier version of Windows Server running the DNS Server service. You can use the procedures in this task to view and update the contents of the global query block list as well as to enable or disable the global query block list.

To complete this task, you can perform the following procedures:

View the global query block list
Update the global query block list
Enable or disable the global query block list

This article assumes your DNS zone is Active Directory-integrated, so dynamic DNS updates are enabled and, with them, the block list is in effect. You can always create a zone with dynamic updates disabled if needed.
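The three procedures listed above (view, update, enable or disable the block list) plus a check of the effect, as an added example that is not part of the original article. It assumes an elevated PowerShell session on the DNS server; DNS01 and contoso.com are placeholders for your server and a zone it is authoritative for.

```powershell
# Added example, not from the original article. Run elevated on the DNS
# server. DNS01 and contoso.com are placeholders.
$server = 'DNS01'
$zone   = 'contoso.com'

# --- View the global query block list ---------------------------------
# dnscmd is the tool on Windows Server 2008; the DnsServer module cmdlets
# exist from Windows Server 2012 onward and are shown alongside it.
dnscmd $server /Info /GlobalQueryBlockList
Get-DnsServerGlobalQueryBlockList -ComputerName $server

# --- Update the global query block list --------------------------------
# /Config replaces the entire list, so name every entry you want blocked;
# the defaults are wpad and isatap. Apply the same list on every server
# that is authoritative for the zone: it is per-server and not replicated.
dnscmd $server /Config /GlobalQueryBlockList wpad isatap
Set-DnsServerGlobalQueryBlockList -ComputerName $server -List wpad, isatap

# --- Enable or disable the global query block list ---------------------
dnscmd $server /Config /EnableGlobalQueryBlockList 1      # 0 disables it
Set-DnsServerGlobalQueryBlockList -ComputerName $server -Enable $true

# --- Check the effect -------------------------------------------------
# Even if a host registered wpad.<zone> through dynamic update, the server
# answers as though no record existed, so the query below should fail ...
Resolve-DnsName -Name "wpad.$zone" -Server $server -Type A -ErrorAction SilentlyContinue
# ... while the zone data still shows whether such a registration exists,
# which is the record you want to find and remove.
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name wpad -RRType A -ErrorAction SilentlyContinue
```

The first refused query after a service restart is also written once to the DNS Server event log, so that event is worth a monitoring rule.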


File Permissions and You: UAC Edition


If you’ve ever tried to access a folder (e.g. someone else’s profile in C:\Users) and still got prompted by UAC even though you’re logged in as a domain admin, this is by design. If the folder’s permissions rely on the built-in security groups (Administrators), you’re going to get the prompt, you’re going to hit Continue, and Windows will then walk every file and permanently add your account to the ACL of every file in the folder. Maybe this isn’t a big deal for a small user folder, but on something like a network share that uses DFS-R it can ruin your day pretty quickly, as Windows sets your permissions on every file across the entire file structure.

The quickest way to get your permissions straight is to add your account to a custom security group that already has access: UAC only prompts when access depends on the built-in Administrators group. Yes, this can be disabled via the registry and local security policy (https://www.virtualizationhowto.com/2015/07/windows-10-edge-opened-builtin-administrator-account/), but you really shouldn’t be doing that.

An in-depth explanation on how UAC and ACLs work together can be found here: https://support.microsoft.com/en-us/help/950934/when-you-click-continue-for-folder-access-in-windows-explorer–your-us

That being said, a combination of takeown /r (https://technet.microsoft.com/en-us/library/cc753024(v=ws.11).aspx) and icacls /t (https://technet.microsoft.com/en-us/library/cc753525(v=ws.11).aspx) is always going to be faster than letting Windows set permissions through the UAC prompt. It’s safer as well: you can generally Ctrl+C those commands and know exactly what you’ve affected, as opposed to hitting Continue on the UAC prompt, being forced to cancel it, and ending up with permissions in an inconsistent state that requires you to redo the entire thing. Happy troubleshooting!
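The takeown /r and icacls /t sequence described above, written out as an added example that is not from the original post. It backs up the existing ACLs first so the change can be undone, and grants the custom group rather than your own account, as the post recommends; the folder path and the group CORP\FileAdmins are placeholders.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session; $path and $group are placeholders for your folder and the custom
# security group you created for access.
$path  = 'D:\Shares\Projects'      # placeholder folder (e.g. a DFS-R replicated share)
$group = 'CORP\FileAdmins'         # placeholder custom group that should have access

# 0. Save the current ACLs first. /T recurses, /C continues past errors.
#    Undo later with:  icacls $path /restore "$env:TEMP\acl-backup.txt"
icacls $path /save "$env:TEMP\acl-backup.txt" /T /C

# 1. Take ownership recursively. /A assigns ownership to the Administrators
#    group instead of your own account; /D Y answers the prompt for folders
#    you cannot currently list.
takeown /F $path /R /A /D Y

# 2. Grant the custom group full control, inherited by subfolders (CI) and
#    files (OI), on every object under the path. Stop with Ctrl+C at any
#    point: everything processed so far is logged to the console.
icacls $path /grant "${group}:(OI)(CI)F" /T /C

# 3. Verify the result on the top-level folder instead of trusting the
#    "Successfully processed N files" summary line alone.
icacls $path
(Get-Acl $path).Access | Where-Object { $_.IdentityReference.Value -eq $group }
```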

Windows: The Difference Between MAK and KMS Keys


When Microsoft released Windows Vista they also released a new volume licensing model using two different types of software license keys: MAK and KMS.

MAK stands for Multiple Activation Key. Each MAK key is good for a specific number of device activations. You configure a MAK key by typing it in during Windows Setup or by changing it through the System dialog after installation. When you activate MAK-configured software, it connects to Microsoft’s activation service, verifies the key, and subtracts 1 from the number of activations still available. Because activation counts are not “returned” when you wipe a hard drive or reinstall your operating system, MAK keys are best suited to machines that are not reinstalled or re-imaged often. MAK is most appropriate on clients that spend a significant amount of time disconnected from the corporate network.

KMS stands for Key Management Services. Like MAK keys, KMS keys are good for a specific number of activations. The difference lies in how KMS activation is configured and processed.

We configure KMS clients (Windows Vista, 7, or 8 devices) with a generic product key that tells the activation process to activate using KMS. You must configure a server within your corporate network with the Software Licensing Service and your KMS key. This is the only device that will actually need to connect to the Internet to verify its product key. Your clients will use DNS to find the licensing server and activate against it instead of connecting to Microsoft’s licensing service over the Internet.

KMS activations expire after a set period (180 days). The “activation count” will automatically increase on the Software Licensing server, and the client will see itself as not activated until it reconnects to the server and reactivates. The advantage of this method is that you can’t permanently waste KMS keys through a constant cycle of re-imaging or OS reinstallation: eventually expired activations return to the KMS server and increase the available activation count. The disadvantage is that KMS clients must reconnect to the licensing server on a semi-regular basis. Configuring clients for KMS activation (and the required KMS infrastructure on your network) is most appropriate for client devices that rarely, if ever, leave the corporate network.

In order to see what kind of key is installed on your systems, you can install the Volume Activation Management Tool (VAMT) 2.0 from here, which will show you what MS products you have installed, their genuine status, expiration dates, and key type.
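An added example, not from the original post, showing how to check the same things from a single client without VAMT: which kind of key is installed, how the client finds the KMS host through DNS, and how to trigger activation. It uses the built-in slmgr.vbs script; corp.contoso.com is a placeholder for your domain.

```powershell
# Added example, not from the original post. Run on a domain-joined client;
# $domain is a placeholder.
$slmgr  = "$env:SystemRoot\System32\slmgr.vbs"
$domain = 'corp.contoso.com'

# 1. Which kind of key is installed? In the detailed licence output the
#    "Product Key Channel" line reads Volume:GVLK for a KMS client key and
#    Volume:MAK for a MAK key; KMS clients also show the activation
#    expiration that counts down from the 180-day window.
cscript //nologo $slmgr /dlv

# 2. KMS clients locate the licensing server through the _vlmcs._tcp SRV
#    record the KMS host registers in DNS. If this lookup returns nothing,
#    a client off the corporate network cannot reactivate.
Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV

# 3. Activate now: against the discovered KMS host for a GVLK, or against
#    Microsoft's activation service for a MAK key.
cscript //nologo $slmgr /ato
```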

Source: https://www.reich-consulting.net/2012/12/20/the-difference-between-mak-and-kms-keys/

Outlook search stops working after updating to build 7870.2020 and higher

Last updated: March 30, 2017

ISSUE

After updating to builds 7870.2020 and 7870.2024, search stops working for PST files and POP accounts in Outlook 2016

FIXED

A fix has been released for this issue in build 7870.2031. To install the fix, go to File > Office Account > Update Options > Update Now.

If you previously reverted to the older build, please re-enable updates by going to File > Office Account > Update Options > Enable Updates.


WORKAROUND

If you’re still experiencing the issue after the steps above, revert to the previous build (16.0.7571.2109) to work around this issue. We’re working to resolve this issue and will update this article when a fix is available.

Here are the main steps to revert to the previous working version:

  1. Open a command prompt and run the following commands in order:

    cd %programfiles%\Common Files\Microsoft Shared\ClickToRun

    officec2rclient.exe /update user updatetoversion=16.0.7571.2109

  2. Open Outlook and click File > Office Account and set Update Options to Disable Updates.
  3. Add an appointment on your calendar for a month or more out to remind you to re-enable updates.

For more information, see: How to revert to an earlier version of Office 2013 or Office 2016 Click-to-Run.

PSA: New Processors Require Win10 to run Windows Update

“Your PC uses a processor that isn’t supported on this version of Windows” error when you scan or download Windows updates


Symptoms

When you try to scan or download updates through Windows Update, you receive the following error message:

Unsupported Hardware
Your PC uses a processor that isn’t supported on this version of Windows and you won’t receive updates.

Additionally, you may see an error message on the Windows Update window that resembles the following:

Windows could not search for new updates
An error occurred while checking for new updates for your computer.
Error(s) found:
Code 80240037 Windows Update encountered an unknown error.

Cause

This error occurs because new processor generations require the latest Windows version for support. For example, Windows 10 is the only Windows version that is supported on the following processor generations:

  • Intel seventh (7th)-generation processors
  • AMD “Bristol Ridge”
  • Qualcomm “8996”

Because of how this support policy is implemented, Windows 8.1 and Windows 7 devices that have a seventh generation or a later generation processor may no longer be able to scan or download updates through Windows Update or Microsoft Update.

Resolution

We recommend that you upgrade Windows 8.1-based and Windows 7-based computers to Windows 10 if those computers have a processor that is from any of the following generations:

  • Intel seventh (7th)-generation “Intel Core” processor or a later generation
  • AMD seventh (7th)-generation (“Bristol Ridge”) processor or a later generation
  • Qualcomm “8996” processor or a later generation

That’s just dirty, Microsoft.

Granting write permission for calendar sharing with OWA 2010

Thoughtsofanidlemind's Blog

The calendar sharing feature introduced in Outlook Web App 2010 (OWA) allows a user to grant access to their calendar to another user. To access the option, click on the Share option when in the Calendar and then on Share This Calendar. You’ll then be able to select the user(s) that you want to share your calendar with and define the level of information you want the recipient to be able to see in your calendar.

Creating a message to inform the recipient that you’d like to share your calendar

The recipients see a message as shown below. To access the calendar, they simply click on the Add This Calendar link. OWA will then add the calendar to the list of available calendars and the user can then access your calendar whenever they want by simply clicking on the calendar’s entry to instruct OWA to open it.

The message…
