UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3623 DNS4550 SV-3623r1_rule ECLP-1 Low
Description
Having user rights beyond the minimum necessary gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security.
STIG Date
BIND DNS 2013-07-08

Details

Check Text ( C-3450r1_chk )
In Windows NT, select User Rights from the menu bar in “User Manager.” Select each user right and confirm that the DNS user account is not listed under any rights assignment other than “log on as a service.” If it is, this is a finding.

Windows 2000 is similar to Windows NT, but adds several relevant user rights (actually user prohibitions). In “Local Security Settings” (a Microsoft Management Console Plug in), select Local Policies | User Rights Assignments in the left windowpane. By looking at the assignments in the right windowpane, check that the DNS user account is not listed under any assignments other than “Log on as a service,” “Deny access to this computer from the network,” and “Deny logon as batch job.” If the user has any additional rights beyond these, this is a finding.
Fix Text (F-3554r1_fix)
The SA should grant the ISC BIND service the user rights of log on as service, Deny Access to This Computer from the Network, and Deny Logon as a Batch Job, which are required for the proper configuration and security of ISC BIND.