
DNS software does not run on dedicated (running only those services required for DNS) hardware. The only currently accepted exception of this requirement is Windows 2000/2003 DNS, which must run on a domain controller that is integrated with Active Directory services.


Overview

Finding ID: V-4473
Version: DNS0415
Rule ID: SV-4473r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Even a securely configured operating system is vulnerable to the flaws of the programs that run on it. To prevent DNS software from being subjected to the vulnerabilities of other programs and services, the DNS server will not run other programs and services at all, or at least run only those programs that are necessary for either OS or DNS support.
STIG: BIND DNS
Date: 2013-01-10

Details

Check Text (C-3483r1_chk)
During the initial interviews, the reviewer may have already identified that a name server is supporting production services other than DNS. At this point, the reviewer should validate that response through a hands-on check of the actual name server.

UNIX

The only permitted services to be running on a DNS UNIX BIND server are those implementing:

- DNS
- Secure shell
- Host intrusion detection
- Host file integrity
- Network management or monitoring
- Anti-virus
- Backup
- UPS
- NTP

The below are not permitted:

Services started through inetd.conf:
admind, chargen, echo, etherstatd, fingerd, ftpd, httpd, ICQ server, identd, netstat, netstatd, nit, nntp, nsed, nsemntd, pfilt, portd, quaked, rexd, rexecd, rje_mapper, rlogind, rpc_3270, rpc_alias, rpc_database, rpc_keyserv, rpc_sched, rquotad, rsh, rstatd, rusersd, selectd, serverd, showfhd, sprayd, statmon, sunlink_mapper, sysstat, talkd, telnetd, tfsd, tftpd, timed, ttdb, ugidd, uucpd, and walld.

Services started at boot time:
NFS client, NFS server process and SNMP daemon, automounter, printer queue daemon, and RPC portmapper. (For Solaris, disable the following scripts in rc2.d: S73nfs.client, S74autofs, S80lp, S71rpc, and S99dtlogin and the following scripts in rc3.d: S15nfs.server and S76snmpd.)

Instruction: In the presence of the reviewer, the SA should enter the following command:

ps -ef

Based on the command output, the reviewer should be able to determine if the machine is dedicated to DNS or if it is supporting other production services. If additional services are running and it is determined the name server is not running on dedicated hardware, then this is a finding.
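The comparison the reviewer performs by eye on the ps -ef output can be scripted so that the non-permitted daemons named in this check are flagged mechanically. The script below is an added example, not part of the STIG text or of any DISA tooling. The ps -ef listing it reads is constructed sample data; the inetd service names come from the check, while the process names used for the boot-time services (nfsd, rpc.mountd, rpc.statd, automountd, lpd, lpsched, portmap, rpcbind, snmpd) are this example's assumed mapping of "NFS client, NFS server, SNMP daemon, automounter, printer queue daemon, and RPC portmapper" to common daemon names and should be adjusted to the platform under review.

```shell
#!/bin/sh
# Added example (not from the STIG): flag processes in a 'ps -ef' listing whose
# command name matches a daemon that DNS0415 says must not run on a BIND server.

# Constructed sample 'ps -ef' output standing in for a real run on the name server.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
named      812     1  0 09:00 ?        00:00:04 /usr/sbin/named -u named -c /etc/named.conf
root       820     1  0 09:00 ?        00:00:00 /usr/sbin/sshd -D
root       901     1  0 09:00 ?        00:00:00 /usr/sbin/ntpd -g
root       955     1  0 09:00 ?        00:00:00 /usr/sbin/rpc.portmap
root       960     1  0 09:00 ?        00:00:00 /usr/sbin/in.telnetd
root       988     1  0 09:00 ?        00:00:00 /usr/sbin/snmpd -Lsd
root      1012     1  0 09:00 ?        00:00:00 /usr/sbin/lpd'

# inetd-started services listed in the check, followed by assumed process names
# for the boot-time services (NFS, automounter, printer queue, portmapper, SNMP).
NOT_PERMITTED='admind chargen echo etherstatd fingerd ftpd httpd identd netstat
netstatd nit nntp nsed nsemntd pfilt portd quaked rexd rexecd rje_mapper rlogind
rpc_3270 rpc_alias rpc_database rpc_keyserv rpc_sched rquotad rsh rstatd rusersd
selectd serverd showfhd sprayd statmon sunlink_mapper sysstat talkd telnetd tfsd
tftpd timed ttdb ugidd uucpd walld
nfsd rpc.nfsd rpc.mountd rpc.statd automount automountd lpd lpsched
rpc.portmap portmap rpcbind snmpd'

# flag_not_permitted: read 'ps -ef' output on stdin and print one FINDING line
# per process whose command basename is on the not-permitted list.
flag_not_permitted() {
    awk -v list="$NOT_PERMITTED" '
    BEGIN { n = split(list, a, /[ \n]+/); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    NR == 1 && $1 == "UID" { next }            # skip the ps header line
    {
        cmd = $8                               # first token of the CMD column
        sub(/.*\//, "", cmd)                   # reduce to the basename
        sub(/^in\./, "", cmd)                  # in.telnetd -> telnetd
        if (cmd in bad) printf "FINDING pid=%s user=%s cmd=%s\n", $2, $1, cmd
    }'
}

# count_findings: number of flagged processes in the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_PS" | flag_not_permitted | wc -l | tr -d ' '
}

# On a live system replace the sample with:  ps -ef | flag_not_permitted
printf '%s\n' "$SAMPLE_PS" | flag_not_permitted
```

A zero-finding run from this script is not by itself evidence of compliance: the check also treats any other production service as disqualifying, so the reviewer still has to read the full listing and judge whether each remaining process falls under the permitted categories above.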

Windows

The only permitted services to be running on an ISC BIND or Windows DNS server are those implementing:

- DNS (i.e., the ISC BIND service) or
- DNS Server (i.e., Windows 2000 DNS)
- Host intrusion detection
- Host file integrity
- Network management or monitoring
- Anti-virus
- Backup
- UPS
- Active Directory/Domain Controller Services including:

Alerter Service
COM+ Event System
Computer Browser
Distributed File System (DFS)
DNS Client
DNS Server
Event Log
File Replication Service
Intersite Messaging
IPSec Policy Agent
Kerberos Key Distribution Center
Logical Disk Manager
Logical Disk Manager Administrative Service
Messenger
Net Logon
Network Connections
NTLM Security Support Provider
Plug and Play
Print Spooler
Protected Storage
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Remote Registry Service
Security Accounts Manager
Server
System Event Notification
TCP/IP NetBIOS Helper Service
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions
Windows Time
Workstation

Fix Text (F-4358r1_fix)
Working with the DNS and Systems Administrators, the IAO should either migrate the DNS software to hardware dedicated to supporting the name server, or remove/migrate any additional programs or applications running on the name server, so that the name server runs on dedicated hardware.