Preventing Hosts and LMHosts Tampering

Some forms of malware and some attackers will modify the DNS resolution file (hosts) and the Windows NetBIOS name resolution file (lmhosts). In practice this means someone can type www.jwgoerlich.us into their browser and be silently redirected to the attacker’s IP address, because the local file is consulted before any DNS query is sent. A simple way to prevent this tactic is to turn off the hosts and lmhosts files.

You can find the files by looking in the registry.

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
Value: DataBasePath
Data: %SystemRoot%\system32\drivers\etc

Browse to the folder specified, right-click it, and open its security permissions. The service account (NT AUTHORITY\NETWORK SERVICE) must have read access to the folder in order to parse the files and process the name-to-address mappings. Add an explicit permission entry that denies read access to that service account (NT AUTHORITY\NETWORK SERVICE), then reboot.

From then on, regardless of who modifies the hosts and lmhosts files, the resolver can no longer read them, so DNS and Windows name resolution are protected from this kind of tampering.
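The same steps, scripted, as an added example that is not part of the original post: it reads the DataBasePath value from the registry, shows which account the DNS Client service actually runs under (the post assumes NT AUTHORITY\NETWORK SERVICE), adds an explicit Deny-Read entry for that account on the folder, and verifies the entry landed. Run it from an elevated PowerShell prompt and reboot afterwards, as the post describes.

```powershell
# Added example, not from the original post. Locate the hosts/lmhosts folder via the
# DataBasePath registry value and add an explicit Deny-Read ACE for the resolver's
# service account so the files can no longer be parsed, even if they are modified.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = (Get-ItemProperty -Path $params -Name DataBasePath).DataBasePath
# Expand %SystemRoot% into a real filesystem path
$etcDir = [Environment]::ExpandEnvironmentVariables($dbPath)
Write-Host "Resolution files live in: $etcDir"

# Check which account the DNS Client (Dnscache) service runs under before denying it;
# the deny entry only helps if it targets the account that actually reads the files.
$dnsSvcAccount = (Get-CimInstance Win32_Service -Filter "Name='Dnscache'").StartName
Write-Host "Dnscache runs as: $dnsSvcAccount"

$svc = 'NT AUTHORITY\NETWORK SERVICE'
$acl = Get-Acl -Path $etcDir

# Show the current entries for the service account before changing anything
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $svc } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Build an explicit Deny ACE for Read that applies to the folder and everything in it
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $svc,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($rule)
Set-Acl -Path $etcDir -AclObject $acl

# Verify: the deny entry should now appear as an explicit (non-inherited) ACE
(Get-Acl -Path $etcDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $svc -and $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

If the Dnscache check reports a different account than NT AUTHORITY\NETWORK SERVICE on your Windows build, set $svc to that account instead; otherwise the deny entry will not affect the resolver.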
