I think my point was: OP is making an assumption about the security of their network (it is physically secure, and always will be).

So, I am trying to say: "you are assuming that your network security is perfect in keeping out non-local users" (physically secure) AND "you are assuming that your local users will never do anything malicious" (those that do have physical access).

I believe that those two sets cover the universal set of circumstances (or close enough to a universal set). Maybe I use set theory unconsciously too often.

Cheers
Ken

-----Original Message-----
From: Sam Cayze [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 January 2008 2:32 PM
To: NT System Admin Issues
Subject: RE: DNS dynamic updates - Secure vs. Nonsecure

"physically" not perfectly (to interject)

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Monday, January 07, 2008 9:00 PM
To: NT System Admin Issues
Subject: RE: DNS dynamic updates - Secure vs. Nonsecure

If you never have any malicious users, and your network is perfectly secure, then why do you need passwords, or user accounts or anything of that nature?

Security is about managing risk. And there is the risk that (a) your network might not be physically secure in the future and there is the risk that (b) someone internally may decide they want to do something malicious, and so on.

Cheers
Ken

-----Original Message-----
From: Ajay Kulsh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 January 2008 1:14 PM
To: NT System Admin Issues
Subject: Re: DNS dynamic updates - Secure vs. Nonsecure

Ken,

That is the definition of nonsecure update - but how can this be harmful, if your network is physically secure?

Jay

----- Original Message -----
From: "Ken Schaefer" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Sent: Monday, January 07, 2008 4:05 PM
Subject: RE: DNS dynamic updates - Secure vs. Nonsecure

Non-secure updates means that anyone can update a dynamic DNS entry, because there's no workstation level authentication required in order to update the entry.

Anyone can create a new entry, and anyone can "update" an existing entry.

Cheers
Ken

-----Original Message-----
From: Ajay Kulsh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 January 2008 7:45 AM
To: NT System Admin Issues
Subject: Re: DNS dynamic updates - Secure vs. Nonsecure

Carl,

Thanks for replying. I had gone thru that long article and still was not sure what is the harm in having nonsecure updates. Also that article does not say why secure updates might fail.

That article also states that "secure dynamic updates functionality can be compromised if the following conditions are true:
- You run a DHCP server on a Windows Server 2003-based domain controller and
- The DHCP server is configured to perform registration of DNS records on behalf of its clients."

As a consultant, I often find DHCP servers configured on DCs and they, by default, register DNS on behalf of clients, so Secure dynamic updates functionality is hardly used...

Jay

----- Original Message -----
From: "Carl Webster" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Sent: Monday, January 07, 2008 12:21 PM
Subject: Re: DNS dynamic updates - Secure vs. Nonsecure

> http://support.microsoft.com/kb/816592
>
> Webster
>
> ----- Original Message ----
> From: Ajay Kulsh <[EMAIL PROTECTED]>
> Subject: DNS dynamic updates - Secure vs. Nonsecure
>
> Can anyone tell me what is the harm in having "Nonsecure" Dynamic DNS
> updates in Windows 2003 DNS server, if any? For some reason, from some
> of our subnets, clients (thru DHCP server or directly) cannot register
> their A and PTR records with the DNS server if we choose to have
> Secure Only updates, so we have enabled both Secure and Nonsecure. Has
> anyone had this kind of problem before? Thanks.

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
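The difference between secure and nonsecure updates as it appears on the wire, as an added example that is not part of the original thread: an RFC 2136 UPDATE message is authenticated only if it ends with a TSIG record (Windows secure updates use GSS-TSIG), so a captured message can be classified by checking for one. The function names, sample packets, host names and addresses are constructed for illustration.

```python
import struct

OPCODE_UPDATE = 5  # RFC 2136 UPDATE
TYPE_TSIG = 250    # TSIG record type; GSS-TSIG (RFC 3645) reuses it

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_update(msg):
    """Return 'not-update', 'unsigned-update' or 'signed-update'."""
    try:
        _id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
        if (flags >> 11) & 0xF != OPCODE_UPDATE:
            return "not-update"
        off, rtype = 12, None
        for _ in range(zo):  # zone section entries: name, type, class
            off = skip_name(msg, off) + 4
        for _ in range(pr + up + ad):  # prerequisite, update, additional RRs
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message")
    if off > len(msg):
        raise ValueError("truncated DNS message")
    # A TSIG record, when present, is the last record of the additional section.
    # Its presence shows the sender signed; the server still has to verify it.
    return "signed-update" if ad and rtype == TYPE_TSIG else "unsigned-update"

def wire_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def sample_update(signed):
    """Constructed sample: add host1.example.test A 192.0.2.10 (placeholder TSIG rdata)."""
    zone = wire_name("example.test") + struct.pack("!HH", 6, 1)
    rr = wire_name("host1.example.test") + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([192, 0, 2, 10])
    tsig = wire_name("key.example.test") + struct.pack("!HHIH", TYPE_TSIG, 255, 0, 4) + bytes(4)
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, int(signed))
    return hdr + zone + rr + (tsig if signed else b"")

SAMPLE_QUERY = struct.pack("!6H", 1, 0x0100, 0, 0, 0, 0)  # constructed: empty standard query
```

On a zone set to accept both secure and nonsecure updates, messages in the "unsigned-update" class are the ones the server applies without knowing who sent them.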