Lock down HOSTS files

Placing name/address pairs in HOSTS allows the system to default to the IP address for that network name at all times -- saving DNS lookup time and traffic to the DNS server.

Windows uses a plain-text file, HOSTS, found in %systemroot%\system32\drivers\etc, to pre-define network names for particular network addresses. By default, the only entry in the HOSTS file is localhost, which is set to 127.0.0.1 and used for local loopback. Administrators or users can place their own name/address pairs in HOSTS, and this will allow the system to default to that IP address for that network name at all times. This saves...

the time involved for a DNS lookup, and cuts down on traffic to the DNS server. Entries in HOSTS can be local network machines (especially if they have fixed addresses that rarely change), or Internet addresses (which also rarely change).

However, one of the hazards of the HOSTS file is that spyware, viruses, worms, or Trojan applications can hijack it. The file is not encrypted or secured -- it's simply a text file -- and its default permissions allow a program to change it freely. Quite a few programs "in the wild" perform unscrupulous network name hijacking by rewriting HOSTS -- for instance, by redirecting all calls to many common websites to an advertising site. There are far worse things that can be done, such as redirecting sensitive information. You can imagine the disaster that such an exploit could cause.

But it's easy to stop this sort of thing: Set the HOSTS file to read-only. Open the containing folder, right-click on the file, select Properties, check off the "Read-only" box and click OK. This should stop many programs from rewriting hosts, since while they may have permission to edit the file, they will not usually have permission to change its properties. It may also be possible to stop hijacking of the HOSTS file by editing its security information, but setting it to read only is generally much simpler.

Note that if you plan to make deliberate changes to HOSTS, be sure to unprotect it before doing so.


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


This was first published in August 2003

Dig deeper on Microsoft Active Directory

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close