Corp.com is up for sale – check your Active Directory settings!

An old domain that has lain dormant for 26 years is going on sale – and the results could be catastrophic for enterprises with poorly configured Active Directory setups.

Brian Krebs reports that Mike O’Connor, a domain prospector who registered corp.com in 1994, wants to sell the domain for $1.7 million as he simplifies his estate. Most other domains would simply be a useful way to generate web traffic, but corp.com is different.

The problem lies with Microsoft’s Active Directory. This product, which provides identity management services across most of the world’s enterprises, handles internal names using its own domain naming system, which is connected to but separate from the public Domain Name System (DNS).

Because Active Directory controls what happens inside the company network, the company can host its services on whatever domains it likes. So, let’s say that your company hosts all of the services that its employees can access from inside the company network on the example.com domain.

The company HR portal might then be accessible via a Fully Qualified Domain Name (FQDN) like hr-portal.example.com. Active Directory ensures that people inside the company network who type hr-portal.example.com into their browser are sent to the company HR portal.

No one wants to type in the full name for a server that they visit every day from inside the company network. So Windows makes that easier too, using a feature called DNS devolution. It works by appending portions of the Active Directory domain to an unqualified domain name. In our example, you could just type hr-portal, and Windows will try appending .example.com to see if it gets a hit.

Windows machines use a search list to tell them what to use during DNS devolution. The search list is either configured in the registry or sometimes declared explicitly in a file. As section 3.1 of this ICANN Security and Stability Advisory Committee (SSAC) document on DNS search list processing points out, search list processing is affected by factors including the computer’s hostname (which you’ll be asked for when setting up business versions of Windows).

If you try to access hr-portal from outside the company network and your computer has the hostname example.com, your computer will probably contact an external DNS resolver, which will look up the public records for example.com.

That’s fine, so long as your hostname is a domain that your company owns. If your company controls the public DNS records for example.com, it can direct your request somewhere useful, or at least harmless, when you’re outside the company network.

But what if the company used a domain that it doesn’t own for its Active Directory?

That’s a problem called namespace collision, and it can spell trouble. If an attacker registers example.com, they can direct unsuspecting users to phishing sites, collect their emails, and worse.
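To make the devolution behaviour and the collision risk concrete, here is an added Python model (not code from the article, from Microsoft or from ICANN). It assumes a simplified version of the documented Windows rules: an unqualified single-label name is tried against each entry of an explicit search list if one is configured (in which case no devolution happens); otherwise the primary DNS suffix is shortened one label at a time down to the devolution level, which is assumed to default to 2 so that a top-level domain is never tried on its own. The company names, suffixes and owned-domain set are constructed for the example. The check a defender wants is the last function: which of the names a laptop might try on a coffee-shop network fall outside the zones the organisation actually owns.

```python
"""Model Windows DNS devolution and flag candidate names that leave the zones
the organisation owns.

Added illustration for the article on corp.com; not the article's, Microsoft's
or ICANN's code. The devolution rules below are a simplified model of the
documented behaviour (assumption): exact ordering differs between Windows
versions and is not reproduced here.
"""

from typing import Iterable, List


def devolution_candidates(
    label: str,
    primary_suffix: str,
    search_list: Iterable[str] = (),
    use_devolution: bool = True,
    devolution_level: int = 2,
) -> List[str]:
    """Return the FQDNs a Windows resolver might try, in order, for `label`.

    - A name that already contains a dot is treated as qualified and returned as-is.
    - If a suffix search list is configured, each entry is appended and no
      devolution takes place (assumed model of the Windows behaviour).
    - Otherwise the primary DNS suffix is appended and, if devolution is on,
      progressively shortened, never going below `devolution_level` labels.
    """
    if "." in label:
        return [label.rstrip(".")]

    search_list = [s.strip(".") for s in search_list]
    if search_list:
        return [f"{label}.{suffix}" for suffix in search_list]

    labels = primary_suffix.strip(".").split(".")
    if not use_devolution:
        return [f"{label}.{'.'.join(labels)}"]

    # Devolution stops when the remaining suffix has `devolution_level` labels,
    # so a suffix of "ad.example.com" with level 2 yields two candidates and
    # never tries the bare TLD ("hr-portal.com").
    stop = max(len(labels) - devolution_level, 0)
    return [f"{label}.{'.'.join(labels[i:])}" for i in range(stop + 1)]


def in_owned_zone(fqdn: str, owned_domains: Iterable[str]) -> bool:
    """True if `fqdn` sits inside one of the public zones the organisation owns."""
    name = fqdn.lower().rstrip(".")
    for owned in owned_domains:
        zone = owned.lower().rstrip(".")
        if name == zone or name.endswith("." + zone):
            return True
    return False


def collision_risks(
    label: str, primary_suffix: str, owned_domains: Iterable[str], **resolver_kwargs
) -> List[str]:
    """Candidate FQDNs that would be looked up in someone else's public zone.

    Any name returned here could be answered by whoever controls that public
    domain once the machine is off the corporate network.
    """
    owned = list(owned_domains)
    return [
        candidate
        for candidate in devolution_candidates(label, primary_suffix, **resolver_kwargs)
        if not in_owned_zone(candidate, owned)
    ]


if __name__ == "__main__":
    # Constructed scenario: the organisation owns example.com but, as in the
    # article's warning, built its forest on a domain it does not own.
    owned = {"example.com"}
    print("AD suffix ad.example.com ->", collision_risks("hr-portal", "ad.example.com", owned))
    print("AD suffix ad.corp.com    ->", collision_risks("hr-portal", "ad.corp.com", owned))
```

Run with no arguments to see the two cases side by side: the forest rooted under a domain the company owns produces no risky candidates, while the forest rooted under corp.com leaks both hr-portal.ad.corp.com and hr-portal.corp.com to the public zone. Feed the function your own primary suffix (from the Tcpip\Parameters registry key on a domain member) and the list of domains you actually hold to get the same answer for your estate.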

