The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3626	DNS4590	SV-3626r1_rule	ECLP-1	Medium

Description
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.

STIG	Date
BIND DNS	2013-01-10

Details

Check Text ( C-3453r1_chk )
The reviewer can check permissions and ownership by looking at the properties of each file in “Windows Explorer.” Note that there may be multiple zone files, key files, and log files. The reviewer should be able to produce a list of the files based on a quick examination of named.conf, which should have been obtained at the beginning of this module. The reviewer should check the permissions of each zone, key or log file when more than one exists on the name server. The name of the root hints file is defined in named.conf. Common names for the root hints file are root.hints, named.cache, and db.cache. FOLDER/FILE NAME OWNER USER/GROUP PERMISSIONS %systemroot%\system32\dns\bin Administrators Administrators Full control dns-admins Read dnsuser Read&Execute/List Folder Contents\Read %systemroot%\system32\dns\etc Administrators Administrators Full control dns-admins Change dnsuser Change named.conf Administrators Administrators Full control dns-admins Change dnsuser Read named.pid Administrators Administrators Full control dns-admins Read dnsuser Change named.stat Administrators Administrators Full control dns-admins Read dnsuser Change root hints file Administrators Administrators Full control dns-admins Change dnsuser Read Any zone file Administrators Administrators Full control dns-admins Change dnsuser Change Any TSIG key file Administrators dnsuser Read If permissions are more permissive than required, then this is a finding.

Check Text ( C-3453r1_chk )

The reviewer can check permissions and ownership by looking at the properties of each file in “Windows Explorer.”

Note that there may be multiple zone files, key files, and log files. The reviewer should be able to produce a list of the files based on a quick examination of named.conf, which should have been obtained at the beginning of this module. The reviewer should check the permissions of each zone, key or log file when more than one exists on the name server.

The name of the root hints file is defined in named.conf. Common names for the root hints file are root.hints, named.cache, and db.cache.

FOLDER/FILE NAME OWNER USER/GROUP PERMISSIONS
%systemroot%\system32\dns\bin Administrators Administrators Full control
dns-admins Read
dnsuser Read&Execute/List Folder Contents\Read
%systemroot%\system32\dns\etc Administrators Administrators Full control
dns-admins Change
dnsuser Change
named.conf Administrators Administrators Full control
dns-admins Change
dnsuser Read
named.pid Administrators Administrators Full control
dns-admins Read
dnsuser Change
named.stat Administrators Administrators Full control
dns-admins Read
dnsuser Change
root hints file Administrators Administrators Full control
dns-admins Change
dnsuser Read
Any zone file Administrators Administrators Full control
dns-admins Change
dnsuser Change
Any TSIG key file Administrators dnsuser Read

If permissions are more permissive than required, then this is a finding.

Fix Text (F-3557r1_fix)
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG.