ISC BIND is not configured to run as a dedicated non-privileged service user account.


Overview

Finding ID: V-3621
Version: DNS4530
Rule ID: SV-3621r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
If an intruder gains control of named (BIND), the intruder acquires the privileges of the user account under which the service runs. Running BIND as a dedicated, non-privileged account limits the extent of any breach. When the ISC BIND service runs as the Local System account (the default on Windows), an intruder who compromises it gains full control of the system.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3443r1_chk)
The reviewer will validate that ISC BIND is configured to run as a dedicated non-privileged service user account. Open the properties of the ISC BIND service (services.msc) and select the “Log On” tab. If the service logs on as the “Local System account”, this is a finding.
Fix Text (F-3552r1_fix)
The SA should create a new user account dedicated to DNS, configure it per the DNS STIG, configure the ISC BIND service to log on as the new user account, and then restart the ISC BIND service.
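The check and fix above are written for the services.msc GUI. The script below is an added example, not part of the STIG text and not ISC's code, that performs the same check and remediation from an elevated PowerShell session so it can be run repeatably across hosts. It assumes the BIND installer registered the service under the name "named" (display name "ISC BIND") and uses "svc_bind" as the dedicated account name; both names are assumptions and should be adjusted to the host. The secedit step is included because rebinding a service through Win32_Service.Change does not grant the account the "Log on as a service" right that the GUI grants silently, and the service would fail to start without it.

```powershell
# Added example (not STIG or ISC code): check and remediate V-3621 from an
# elevated PowerShell session. ASSUMPTIONS: the service is registered as "named"
# (display name "ISC BIND") and "svc_bind" is a free local account name.
$ServiceName = 'named'
$ServiceUser = 'svc_bind'

function Test-BindServiceAccount {
    # CHECK: equivalent to reading the "Log On" tab of the service properties.
    param([string]$Name = $ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' is not installed on this host." }
    # Win32_Service.StartName is 'LocalSystem' when the service runs as Local System.
    [pscustomobject]@{
        Service = $svc.Name
        LogOnAs = $svc.StartName
        Finding = ($svc.StartName -ieq 'LocalSystem')
    }
}

function Grant-ServiceLogonRight {
    # A service account needs SeServiceLogonRight. services.msc grants it when you
    # change the Log On account; Win32_Service.Change does not, so use secedit.
    param([string]$User)
    $sid    = (Get-LocalUser -Name $User).SID.Value
    $export = Join-Path $env:TEMP 'rights-export.inf'
    $apply  = Join-Path $env:TEMP 'rights-apply.inf'
    $db     = Join-Path $env:TEMP 'rights-apply.sdb'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $current = Get-Content $export |
        Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    $holders = ($current -replace '^SeServiceLogonRight\s*=\s*', '')
    if ($holders -match [regex]::Escape("*$sid")) { return }   # already granted
    # secedit replaces the holder list with exactly what the template lists,
    # so carry the existing holders over and append the new SID.
    $holders = if ($holders) { "$holders,*$sid" } else { "*$sid" }
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeServiceLogonRight = $holders"
    ) | Set-Content -Path $apply -Encoding Unicode
    secedit /configure /db $db /cfg $apply /areas USER_RIGHTS | Out-Null
    Remove-Item $export, $apply, $db -Force -ErrorAction SilentlyContinue
}

function Set-BindServiceAccount {
    # FIX: create the dedicated account, grant the logon right, rebind the
    # service to it, restart, and re-run the check.
    param([string]$Name = $ServiceName, [string]$User = $ServiceUser)
    $password = Read-Host -AsSecureString -Prompt "Password for $User"
    if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $User -Password $password `
            -Description 'Dedicated ISC BIND service account' `
            -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
    }
    Grant-ServiceLogonRight -User $User
    # Win32_Service.Change needs the password in clear text; keep its lifetime short.
    $plain = [System.Net.NetworkCredential]::new('', $password).Password
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = ".\$User"; StartPassword = $plain }
    $plain = $null
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
    }
    Restart-Service -Name $Name
    Test-BindServiceAccount -Name $Name
}

# Usage (elevated session):
#   Test-BindServiceAccount    # Finding = True while LogOnAs is LocalSystem
#   Set-BindServiceAccount     # remediate, then re-check
```

Two practical caveats when applying this. First, the new account has none of Local System's file access, so before the restart it must be able to read named.conf and any key files and to write the directories BIND uses for zone files, journals, and logs; this is the "configure it per the DNS STIG" step that the fix text refers to and that this example does not perform. Second, the check only inspects the account the service is configured to start as; confirm after the restart that the named process is actually running under that account (for example with Get-Process -IncludeUserName), since a failed start followed by a manual workaround would otherwise go unnoticed.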