"DNS server for Windows XP?"

Danny Mayer mayer at gis.net
Fri Sep 10 02:28:58 UTC 2004


At 01:36 AM 9/9/2004, Jim McAtee wrote:
>----- Original Message ----- From: "Danny Mayer" <mayer at gis.net>
>Subject: Re: "DNS server for Windows XP?"
>
>
>>>Danny, I haven't looked at BIND 9.3.0 yet.  Is running under a user 
>>>account now a requirement for running 9.3.0 on all Windows platforms? Or 
>>>are you just saying it's now possible to run with minimum privileges 
>>>whereas it wasn't possible previously?  I take it the installation is a bit 
>>>different from prior versions where BIND's dlls were installed in system 
>>>directories?
>>
>>No, it's for security. You can do it for any version of BIND. However,
>>the installer didn't have the smarts until 9.3.0 to set it up. You can
>>do this manually but it requires a set of instructions. It's not just a
>>matter of adding a user account.  In fact it shouldn't be a user
>>account. It's not a matter of where the dll's and exe's are installed.
>>That doesn't matter at all.
>
>Are these instructions available online somewhere?

No, I spent quite a lot of time figuring it all out before I put it into the
new installer.

>I'm not sure I understand then what you mean by the difference between a 
>'named' account and a user account.  Either the service runs under the 
>local SYSTEM account or a user account.

You basically can create an account as usual. You then remove it from the
user group so that it doesn't belong to a group (well okay, it's always in the
Everyone group). You then make sure that you remove the account from
all privileges. You can't remove privileges from the account because of the
way Microsoft sets up privileges. I had to write a program to figure out what
privileges an account has. Note that groups can be assigned to privileges.
You assign the account to just one privilege: Logon as Service. After that
you need to set up the directory permissions so that the account can read
from and write to the correct files in the various directories that you've
placed your BIND files in.

>Will the 9.3.0 installer also have the smarts to upgrade a previous 
>installation of BIND 9 to a secure setup as well?

Yes. That part is upward compatible. It can't do that with BIND 8 because I
changed some registry setting IIRC.

Danny
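
Added example, not part of the original message and not the program Danny describes: a sketch of the privilege audit mentioned above. It assumes the user-rights policy has been exported with `secedit /export /areas USER_RIGHTS`; the sample export, the account name `named` and all function names are constructed for illustration.

```python
"""Audit which user rights an account holds, directly or through a group."""

# Constructed sample of the [Privilege Rights] section that
# `secedit /export /areas USER_RIGHTS` writes; "*S-..." entries are SIDs.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight = *S-1-5-20,named
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

EVERYONE = "*S-1-1-0"    # every account is implicitly a member
USERS = "*S-1-5-32-545"  # the built-in Users group


def parse_rights(export_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def effective_rights(export_text, account, groups=()):
    """Map each right the account holds to the principals that grant it."""
    identities = {account.lower(), EVERYONE.lower()} | {g.lower() for g in groups}
    held = {}
    for right, principals in parse_rights(export_text).items():
        via = [p for p in principals if p.lower() in identities]
        if via:
            held[right] = via
    return held


def unexpected_rights(export_text, account, groups=(), allowed=("SeServiceLogonRight",)):
    """Rights held beyond the allowed set, i.e. what still needs reviewing."""
    held = effective_rights(export_text, account, groups)
    return {r: v for r, v in held.items() if r not in allowed}
```

On the constructed sample, `unexpected_rights(SAMPLE_EXPORT, "named")` reports the two rights inherited through Everyone, and passing `groups=[USERS]` shows what the account would also pick up if it were left in the Users group.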


