SovLabs Microsoft DNS: Rule of Least Privilege

by Brandon Miller

Problem

You may want to do this if:

  • You want to define a custom, narrowly scoped permission role for the Microsoft (MS) DNS Server integration, so that security policy is not weakened by granting the integration account privileges it does not need for the task.

 

Cause

You do not want to use an administrator or Domain Admin account for the Microsoft DNS integration.

 

Affected Versions

  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016

 

Delegating required permissions to the Service Account

Overview

Permissions can be delegated on each forward lookup zone and reverse lookup zone in which records will be created. Follow the steps below.

 

Configuring forward lookup zone(s)
  • This is required if you are creating/destroying (A) records.
  • Log in to the DNS Manager and right-click the forward lookup zone in which records are being created. On the Security tab, add the service account to the user list, then click Advanced to open the advanced security settings window.
  • Highlight the account and click Edit. Apply the following permission set:

Configuring reverse lookup zone(s)
  • This is required if you are creating/destroying (PTR) records.
  • Log in to the DNS Manager and right-click the reverse lookup zone in which records are being created. On the Security tab, add the service account to the user list, then click Advanced to open the advanced security settings window.
  • Highlight the account and click Edit. Apply the following permission set:
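Once the delegation has been applied through the DNS Manager GUI, it is worth verifying from the command line that the result really is least privilege: that the service account is not also a member of a group that already grants DNS-wide or domain-wide control, and that the only rights it holds are explicit ACEs on the delegated zone objects. The PowerShell script below is an added example written for this article; it is not part of the SovLabs product or documentation. It assumes AD-integrated zones (file-backed zones have no AD ACL to inspect), and the account name `svc-sovlabs-dns` and zone names `corp.example` and `10.in-addr.arpa` are constructed placeholders.

```powershell
# Added example, not part of the SovLabs article or product.
# Audits a DNS integration account's delegation: (1) the account is not in a
# privileged group, and (2) lists the explicit ACEs it holds on each zone object.
# Assumptions (constructed for this example): AD-integrated zones, account
# 'svc-sovlabs-dns', zones 'corp.example' (forward) and '10.in-addr.arpa' (reverse).
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DnsZoneAdPath {
    # Maps a zone name to the AD object that carries its ACL. The partition the
    # object lives in depends on the zone's replication scope.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
    if (-not $zone.IsDsIntegrated) {
        throw "Zone '$ZoneName' is file-backed; it has no AD ACL to delegate on."
    }
    $domainDn = (Get-ADDomain).DistinguishedName
    $partition = switch ($zone.ReplicationScope) {
        'Domain' { "DC=DomainDnsZones,$domainDn" }
        'Forest' { "DC=ForestDnsZones,$((Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName)" }
        default  { "CN=System,$domainDn" }   # Legacy scope stores zones under CN=System
    }
    return "AD:\DC=$ZoneName,CN=MicrosoftDNS,$partition"
}

function Test-DnsServiceAccountDelegation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$ZoneName
    )
    $account = Get-ADUser -Identity $SamAccountName

    # Check 1: the integration account must not sit in a group that already grants
    # DNS-wide or domain-wide control; zone delegation is pointless otherwise.
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'DnsAdmins'
    foreach ($group in $privilegedGroups) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            continue   # e.g. 'Enterprise Admins' exists only in the forest root domain
        }
        if ($members.SamAccountName -contains $account.SamAccountName) {
            Write-Warning "$SamAccountName is a member of '$group' - not least privilege."
        }
    }

    # Check 2: show exactly what the account was granted on each zone object.
    foreach ($zone in $ZoneName) {
        $acl  = Get-Acl -Path (Get-DnsZoneAdPath -ZoneName $zone)
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$($account.SamAccountName)"
        }
        if (-not $aces) {
            Write-Warning "No explicit ACE for $SamAccountName on zone '$zone'."
            continue
        }
        $aces | Select-Object @{ n = 'Zone'; e = { $zone } },
                              AccessControlType, ActiveDirectoryRights,
                              InheritanceType, IsInherited |
            Format-Table -AutoSize
    }
}

# Usage (values are constructed placeholders for this example):
Test-DnsServiceAccountDelegation -SamAccountName 'svc-sovlabs-dns' `
    -ZoneName 'corp.example', '10.in-addr.arpa'
```

Run it on a domain controller or a host with RSAT installed, as a user that can read the zone objects. A warning from the first check means the GUI delegation is redundant and the account should be removed from that group; the table from the second check should show only the rights applied in the steps above, on the delegated zones and nothing broader.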

 

Additional information

See http://docs.sovlabs.com/latest/vRA/7.5/modules/dns/microsoft-dns/ for full configuration process.
