How to turn off RPC management of DNS on a large scale
![ryan-naraine.jpg](https://www.zdnet.com/a/img/resize/58705b1ab848cb0209d7d7d504dffaab176d93aa/2014/07/22/4b4e2273-1175-11e4-9732-00505685119a/ryan-naraine.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
In an advisory issued earlier today, Microsoft issued several workarounds/mitigations for the Windows DNS server service zero-day attacks, including a recommendation that network admins completely disable remote management of RPC capability for DNS Servers.
The recommendation included instructions on registry key edits but if you're in charge of a large-scale Windows shop with numerous domain controllers, Microsoft only gave you the switch but no way to automate the registry changes.
To the rescue comes Jesper Johansson, a former Microsoft security strategist who maintains a must-read blog on Windows security issues. If you run a Windows server shop, this is a blog entry you want to read before taking off for the weekend.
Johansson provides a script with step-by-step instructions on turning off RPC management on a large number of domain controllers. "Hopefully this will help people mitigate this problem a bit faster than having to do manual registry changes everywhere," he explained.
It makes me wonder why Microsoft doesn't include these instructions in its own advisories.