UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ISC BIND service user is a member of a group other than Everyone and Authenticated Users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3622 DNS4540 SV-3622r6_rule ECLP-1 Low
Description
Membership in configurable groups gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security.
STIG Date
BIND DNS 2011-01-20

Details

Check Text ( C-3448r2_chk )
In Windows 2000/2003, select System Tools | Users and Groups | Users in the “Computer Management” tool. View the “Member Of” tab in the “User Properties” dialog Box (which can be accessed by double-clicking on the user). If the user is a member of any group besides “everyone” and “Authenticated Users”, then this is a finding.

In Windows, a user does not have to be a member of any group other than the implicit groups "Everyone" and "Authenticated Users." Thus, to best ensure security, dnsuser must be removed from all explicit groups, including the "Users" group, into which all users are placed by default. There should not be a dnsgroup group as is recommended for UNIX.
Fix Text (F-3553r2_fix)
The SA should remove the BIND service user account from all configurable user groups.