Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The ISC BIND service user is a member of a group other than Everyone and Authenticated Users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3622 | DNS4540 | SV-3622r1_rule | ECLP-1 | Low |
| Description |
|---|
| Membership in configurable groups gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security. |
| STIG | Date |
|---|---|
| BIND DNS | 2013-10-09 |
Details
| Check Text ( C-3448r1_chk ) |
|---|
| In Windows 2000/2003, select System Tools | Users and Groups | Users in the “Computer Management” tool. View the “Member Of” tab in the “User Properties” dialog Box (which can be accessed by double-clicking on the user). If the user is a member of any group besides “everyone” and “Authenticated Users”, then this is a finding. In Windows, a user does not have to be a member of any group other than the implicit groups "Everyone" and "Authenticated Users." Thus, to best ensure security, dnsuser must be removed from all explicit groups, including the "Users" group, into which all users are placed by default. There should not be a dnsgroup group as is recommended for UNIX. |
| Fix Text (F-3553r1_fix) |
|---|
| The SA should remove the BIND service user account from all configurable user groups. |