Create HOSTS and LMHOSTS Files to Prevent Spoofing Attacks

There is a risk that an attacker could impersonate a member of the SMS IPsec group through a name resolution attack. The IP filter list in this scenario restricts the encrypted traffic to the members of the SMS IPsec group, and it identifies those members by IP address, so each member must resolve another member's name to an address before the policy can apply. If an attacker can impersonate a member of the SMS IPsec group and establish a security association, all traffic intended for the genuine computer could be rerouted to the attacker's computer. The attack is complicated and the mitigation requires significant administrative overhead, but the SMS IPsec policy settings depend upon secure IP address lookup.

For example, when mp1.smssite.com needs to connect to sqlserver.smssite.com, it performs a DNS lookup of that name. If an attacker intercepts the DNS query and answers that sqlserver.smssite.com can be found at the attacker's IP address instead of the IP address of the computer running SQL Server, the attacker can transmit unauthorized policy to the management point and, through it, to the SMS Advanced Clients.

The mitigation for this attack is to hard-code the IP address of each member of the SMS IPsec group into every member's HOSTS and LMHOSTS files. Windows consults HOSTS before it sends a DNS query and LMHOSTS before it sends a NetBIOS name query, so members of the SMS IPsec group no longer look up each other's addresses on the network, which removes the attacker's opportunity to answer that lookup and impersonate a member of the group. Because the files pin each name to a fixed address, the site systems must use static IP addresses, and the files on every member must be updated whenever an address changes. LMHOSTS is used only when Enable LMHOSTS lookup is selected on the WINS tab of the advanced TCP/IP settings.

To add site systems to the HOSTS file

  1. In Notepad, open the file %systemroot%\system32\drivers\etc\HOSTS.

  2. For each site system, add a line that lists the computer's static IP address followed by its fully qualified domain name (FQDN), separated by at least one space or tab. Lines that begin with # are comments.

  3. Save the file with the name HOSTS and no extension (in the Save As dialog box, set Save as type to All Files so that Notepad does not append .txt), and close the file.

To add site systems to the LMHOSTS file

  1. In Notepad, open the file %systemroot%\system32\drivers\etc\LMHOSTS.sam. This is a sample file installed with Windows; if a file named LMHOSTS (with no extension) already exists in that folder, open it instead so that its existing entries are preserved.

  2. For each site system, add a line that lists the computer's static IP address followed by its NetBIOS name (the computer name, at most 15 characters). Append #PRE to the line so that the entry is preloaded into the NetBIOS name cache when the computer starts.

  3. Save the file with the name LMHOSTS (no extension; set Save as type to All Files) and close the file. Run nbtstat -R to purge the NetBIOS name cache and reload it from the new LMHOSTS file without restarting the computer, and use nbtstat -c to confirm that the preloaded entries are present.
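The two procedures above, carried out by script instead of by hand, as an added example that is not part of the original SMS documentation. The script works on the text of the HOSTS and LMHOSTS files, so it runs offline; writing the result back to %systemroot%\system32\drivers\etc is left to the caller. The host names use the page's smssite.com example domain, and the 10.0.0.x addresses and the siteserver name are assumed. Beyond the manual steps, it refuses to duplicate entries that are already present and reports, rather than overwrites, any name that the file already maps to a different address, since an unexpected address in HOSTS is exactly what an administrator should investigate.

```python
"""Generate and verify HOSTS / LMHOSTS entries that pin the SMS IPsec group members.

Added example, not from the SMS documentation. SITE_SYSTEMS is a constructed
inventory: the addresses and the siteserver name are assumed.
"""
import ipaddress
import re

# Constructed inventory of the SMS IPsec group: FQDN -> static IP (assumed values).
SITE_SYSTEMS = {
    "mp1.smssite.com": "10.0.0.11",
    "sqlserver.smssite.com": "10.0.0.12",
    "siteserver.smssite.com": "10.0.0.10",
}

# Both files share one layout: address, whitespace, name; '#' starts a comment
# (and, in LMHOSTS, keywords such as #PRE, which follow the name).
_ENTRY = re.compile(r"^\s*(\S+)\s+(\S+)")


def parse_entries(text):
    """Return {name_lower: ip} for every entry line, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.split("#", 1)[0])
        if m:
            entries[m.group(2).lower()] = m.group(1)
    return entries


def netbios_name(fqdn):
    """NetBIOS name for LMHOSTS: the host label, upper-case, at most 15 characters."""
    label = fqdn.split(".")[0].upper()
    if len(label) > 15:
        raise ValueError(f"{fqdn}: NetBIOS names are limited to 15 characters")
    return label


def merge_entries(existing_text, wanted, lmhosts=False):
    """Return (new_text, conflicts) for the file text with the wanted entries added.

    wanted maps name -> ip. Names already present with the same address are left
    alone. Names present with a different address are returned in conflicts and
    are NOT overwritten: the administrator should look at why the file differs.
    For LMHOSTS, #PRE makes Windows preload the mapping into the NetBIOS name
    cache, so the name is never queried on the network.
    """
    current = parse_entries(existing_text)
    lines = existing_text.rstrip("\n").splitlines() if existing_text.strip() else []
    conflicts = {}
    for name, ip in wanted.items():
        ipaddress.ip_address(ip)  # reject typos such as 10.0.0.256 before they reach the file
        key = name.lower()
        if key in current:
            if current[key] != ip:
                conflicts[name] = current[key]
            continue
        lines.append(f"{ip}\t{name}" + ("\t#PRE" if lmhosts else ""))
    return "\n".join(lines) + "\n", conflicts


def hosts_wanted(site_systems=SITE_SYSTEMS):
    """HOSTS entries: FQDN -> IP."""
    return dict(site_systems)


def lmhosts_wanted(site_systems=SITE_SYSTEMS):
    """LMHOSTS entries: NetBIOS name -> IP."""
    return {netbios_name(fqdn): ip for fqdn, ip in site_systems.items()}


def resolve_pinned(hosts_text, fqdn):
    """Emulate the lookup order: a HOSTS entry answers before any DNS query is sent."""
    return parse_entries(hosts_text).get(fqdn.lower())


if __name__ == "__main__":
    # Constructed stand-in for an untouched HOSTS file.
    existing = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1\tlocalhost\n"
    text, conflicts = merge_entries(existing, hosts_wanted())
    print(text)
    lm_text, lm_conflicts = merge_entries("", lmhosts_wanted(), lmhosts=True)
    print(lm_text)
    print("conflicts:", conflicts, lm_conflicts)
```

Run it once on each site system, pass the contents of the existing HOSTS and LMHOSTS files as existing_text, and write the returned text back only when conflicts is empty; a non-empty conflicts dictionary means a group member's name already points somewhere the inventory does not expect.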