
Microsoft small business knowledge base

Article ID: 936263 - Last Review: October 11, 2007 - Revision: 2.3

INTRODUCTION

This article describes how to disable DNS remote management of a DNS server that is running one of the following operating systems:
  • Microsoft Windows Server 2003
  • Microsoft Windows 2000 Server
You can use the method that is mentioned in this article to enhance the security of the computers that are running the DNS Server service in an organization.

For more information about a problem that affects the DNS Server service in Windows Server 2003 and in Windows 2000 Server, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx

MORE INFORMATION

Overview

By default, the DNS Server service allows for remote management by using many interfaces. When the DNS Server service starts, it binds to a dynamic port in the ephemeral range. This port is used by the DNS Microsoft Management Console (MMC) snap-in and by the DNS Windows Management Instrumentation (WMI) provider. You can use the following registry entry to control whether the DNS Server service allows for remote management:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value name: RpcProtocol
Value type: REG_DWORD
Value data: 0x4
The following values are available for the RpcProtocol registry entry:
  • 0x1
    This value corresponds to a setting of DNS_RPC_USE_TCPIP
  • 0x2
    This value corresponds to a setting of DNS_RPC_USE_NAMED_PIPE
  • 0x4
    This value corresponds to a setting of DNS_RPC_USE_LPC
Note A value of 0x4 restricts the DNS RPC interface to local procedure calls only. This allows for local management only.

The effect of disabling remote management

When you set the RpcProtocol registry entry to 0x4, remote management of the DNS Server service is disabled. Therefore, you cannot use RPC or Windows Management Instrumentation (WMI) to manage the DNS server. In this scenario, DNS server management tools no longer work from a remote location. However, you can still use local management tools to manage the DNS server, and you can still perform remote management of the DNS server by using a Terminal Services connection.

Setting the RpcProtocol registry entry to 0x4 does not affect DNS queries, DNS dynamic updates, DNS zone transfers, or other DNS protocol traffic; only the management interface is restricted.

Note DNS Server service local administration and configuration may not work if the following conditions are true:
  • The server that you want to manage has a host name that is 15 characters long.
  • You select the server by using its host name.
To resolve this problem, specify the fully qualified domain name (FQDN) of the computer when you manage it by using the DNS server administration tools.

To disable remote management of the DNS Server service

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows (http://support.microsoft.com/kb/322756/)

To disable the remote management over RPC functionality of a computer that is running the DNS Server service, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. In the New Value #1 box, type RpcProtocol, and then press ENTER.
  5. Right-click RpcProtocol, and then click Modify.
  6. In the Value data box, type 4, and then click OK.
  7. Exit Registry Editor, and then restart the DNS Server service. To restart the DNS Server service, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type the following command, and then press ENTER:
      net stop dns && net start dns

To deploy the RpcProtocol registry value to many computers

You can use a script to deploy the RpcProtocol registry value. This lets you more easily disable remote management of the DNS Server service on many computers. To do this, follow these steps:
  1. Log on to the domain by using an account that has rights to modify the DNS servers. For example, log on as a domain administrator.
  2. Create a list of all the DNS servers. To do this, run the following command at a command prompt:
    dsquery * -filter "(servicePrincipalName=DNS*)" -attr dNSHostName -l > dns_servers.txt
    If necessary, manually edit the dns_servers.txt file that this command creates so that it lists all the DNS servers. This command captures only domain controllers that are configured as DNS servers. Therefore, you must manually add DNS servers that are configured as member servers.

    Note You can use the Name Servers tab in the DNS zone Properties dialog box for each zone in the DNS snap-in to determine the names of the DNS servers that you want to add to this list.
  3. If it is required, use the cd command at the command prompt to change to the directory to which you saved the dns_servers.txt file.
  4. Type the following command, and then press ENTER:
    for /f %i in (dns_servers.txt) do reg add \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /t REG_DWORD /d 4 /f
    This command adds the RpcProtocol registry entry together with a value of 0x4.
  5. Stop the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:
    for /f %i in (dns_servers.txt) do sc \\%i stop DNS
  6. Start the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:
    for /f %i in (dns_servers.txt) do sc \\%i start DNS
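
The same deployment, written as a PowerShell script, is added here as an example and is not part of the Knowledge Base article. It assumes the dns_servers.txt file produced in step 2 (one host name per line), that the Remote Registry service is reachable on each server, and that the account running it can write HKLM and control services on those servers. Each server gets RpcProtocol set to 0x4 (DNS_RPC_USE_LPC, the value from the article), the value is read back to confirm the write, and the DNS Server service is restarted through the .NET ServiceController class instead of sc.exe. For a single server, list only that computer's name, or use $env:COMPUTERNAME.

```powershell
# Added example (not from the KB article): set RpcProtocol=4 on every server
# listed in dns_servers.txt, then restart the DNS Server service on each.
# Assumptions: dns_servers.txt exists in the current directory (one host name
# per line); Remote Registry and service control are permitted on each target.
$ServerListPath  = 'dns_servers.txt'                                 # file name from the KB steps
$SubKeyPath      = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$DNS_RPC_USE_LPC = 4                                                 # value documented in the KB

function Set-DnsRpcProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Value = $DNS_RPC_USE_LPC
    )
    # Open the remote HKLM hive (the Remote Registry service must be running on the target).
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($SubKeyPath, $true)   # $true = open writable
        if ($null -eq $key) {
            throw "DNS\Parameters key not found on $ComputerName (DNS Server service not installed?)"
        }
        try {
            # Same effect as: reg add \\server\HKLM\...\DNS\Parameters /v RpcProtocol /t REG_DWORD /d 4 /f
            $key.SetValue('RpcProtocol', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
            return [int]$key.GetValue('RpcProtocol')  # read back what was actually written
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Restart-RemoteDnsService {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Equivalent to "sc \\server stop DNS" followed by "sc \\server start DNS",
    # but waits for each state change so the new RpcProtocol value takes effect.
    $svc = New-Object System.ServiceProcess.ServiceController('DNS', $ComputerName)
    if ($svc.Status -ne 'Stopped') {
        $svc.Stop()
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    $svc.Start()
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()
    return $svc.Status
}

# Process the list; a failure on one server is reported and does not stop the run.
foreach ($line in Get-Content $ServerListPath) {
    $server = $line.Trim()
    if (-not $server) { continue }
    try {
        $written = Set-DnsRpcProtocol -ComputerName $server
        $state   = Restart-RemoteDnsService -ComputerName $server
        '{0}: RpcProtocol=0x{1:X} DNS service {2}' -f $server, $written, $state
    } catch {
        '{0}: FAILED - {1}' -f $server, $_.Exception.Message
    }
}
```

Because the value is read back after the write, a server where the write silently failed (for example, because the account lacks rights on the remote hive) shows up as an error in the output rather than as a silent gap.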

To verify that the RpcProtocol registry entry is set on many computers

To query the servers and to verify that the RpcProtocol registry entry is set, follow these steps:
  1. Log on to a DNS server that has the RpcProtocol registry entry set.
  2. Copy the following script to a text file, and then name this file Dnsquery.cmd:
    echo Comparing registry value for: > dns_errors.txt
    echo HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters >> dns_errors.txt
    echo Data Value for "RpcProtocol" >> dns_errors.txt
    echo. >> dns_errors.txt
    echo. >> dns_errors.txt
    echo Errorlevel 1 - Failed to compare registry values >> dns_errors.txt
    echo Errorlevel 2 - Reg values compared are different >> dns_errors.txt
    echo. >> dns_errors.txt
    echo. >> dns_errors.txt
    echo ===================================================== >> dns_errors.txt
    set _MachineName=
    rem Compare the RpcProtocol value on each listed server with the value on this computer.
    for /f %%i in (dns_servers.txt) do ( call :TEST %%i )
    goto :End

    :TEST
    set _MachineName=%1
    if "%_MachineName%"=="" goto :eof
    echo %_MachineName%
    reg.exe compare "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" "\\%_MachineName%\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RpcProtocol
    rem reg compare returns 0 when the values are identical, 1 on failure, 2 when they differ.
    if %errorlevel% == 1 echo Computername: %_MachineName% Errorlevel returned: 1 - Failed >> dns_errors.txt
    if %errorlevel% == 2 echo Computername: %_MachineName% Errorlevel returned: 2 - Different >> dns_errors.txt
    goto :eof

    :End
    rem exit
    Note This script compares the Parameters registry subkey on the remote computers to the one on the computer where you run the script.

    Important There must be no trailing space characters in this script.
  3. Double-click the Dnsquery.cmd file to run it.
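
The reg compare approach above reports only whether a remote value matches the local one. The following PowerShell script is an added example (not part of the Knowledge Base article) that instead reads RpcProtocol from each server in dns_servers.txt, decodes it against the 0x1/0x2/0x4 flag table from the Overview section, and reports whether remote management is actually disabled. It assumes the three values combine as bit flags, which the DNS_RPC_USE_* names indicate but the article does not state, that a missing value means the service default (remote management allowed), and that the Remote Registry service is reachable on each server; the function names are this example's own.

```powershell
# Added example (not from the KB article): read and decode RpcProtocol on each
# server listed in dns_servers.txt and flag servers that still allow remote
# RPC management. Assumptions: the 0x1/0x2/0x4 values are bit flags; an absent
# value means the service default (remote management allowed); Remote Registry
# is reachable on each target.
$SubKeyPath       = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$RpcProtocolFlags = @{ 1 = 'DNS_RPC_USE_TCPIP'; 2 = 'DNS_RPC_USE_NAMED_PIPE'; 4 = 'DNS_RPC_USE_LPC' }

function ConvertTo-RpcProtocolNames {
    param([int]$Value)
    # Return the names of the flags set in $Value; any bit outside 0x7 is reported as unknown.
    $names = @(foreach ($bit in 1, 2, 4) { if ($Value -band $bit) { $RpcProtocolFlags[$bit] } })
    $unknown = $Value -band -bnot 7
    if ($unknown) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    return $names
}

function Get-DnsRpcProtocol {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Returns $null when the value does not exist on the server.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($SubKeyPath)
        if ($null -eq $key) { throw "DNS\Parameters key not found on $ComputerName" }
        try { return $key.GetValue('RpcProtocol', $null) } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Test-DnsRemoteManagementDisabled {
    param($Value)
    # Per the KB, only 0x4 (LPC) restricts the RPC interface to local calls. A value
    # that also has the TCP/IP (0x1) or named-pipe (0x2) bit set still permits remote management.
    if ($null -eq $Value) { return $false }   # absent value: service default, remote allowed
    $v = [int]$Value
    return ((($v -band 4) -ne 0) -and (($v -band 3) -eq 0))
}

foreach ($line in Get-Content 'dns_servers.txt') {
    $server = $line.Trim()
    if (-not $server) { continue }
    try {
        $value = Get-DnsRpcProtocol -ComputerName $server
        $flags = if ($null -eq $value) { '(value absent, service default)' }
                 else { (ConvertTo-RpcProtocolNames $value) -join '|' }
        $state = if (Test-DnsRemoteManagementDisabled $value) { 'LOCAL-ONLY' }
                 else { 'REMOTE-MANAGEMENT-ENABLED' }
        '{0,-30} {1,-26} {2}' -f $server, $state, $flags
    } catch {
        '{0,-30} ERROR {1}' -f $server, $_.Exception.Message
    }
}
```

Reading the absolute value rather than comparing against the local machine avoids a blind spot in the reg compare method: if the computer you run the check from has a wrong value, every server that matches it is reported as fine.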

To remove the RpcProtocol registry value from many computers

To undo the operation that sets the RpcProtocol registry value, follow these steps:
  1. Log on to the domain by using an account that has rights to modify the DNS servers. For example, log on as a domain administrator.
  2. Start a command prompt, and then use the cd command to change to the directory to which you saved the Dns_servers.txt file.
  3. Type the following command, and then press ENTER:
    for /f %i in (dns_servers.txt) do reg delete \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /f
  4. Stop the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:
    for /f %i in (dns_servers.txt) do sc \\%i stop DNS
  5. Start the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:
    for /f %i in (dns_servers.txt) do sc \\%i start DNS

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kbregistry kbhowto kbinfo kbtshoot kberrmsg KB936263