
The ISC BIND service user is a member of a group other than Everyone and Authenticated Users.


Overview

Finding ID: V-3622
Version: DNS4540
Rule ID: SV-3622r1_rule
IA Controls: ECLP-1
Severity: Low
Description
Membership in configurable groups gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security.
STIG Date
BIND DNS STIG 2015-10-01

Details

Check Text (C-3448r1_chk)
In Windows 2000/2003, select System Tools | Users and Groups | Users in the “Computer Management” tool. View the “Member Of” tab in the “User Properties” dialog box (which can be accessed by double-clicking on the user). If the user is a member of any group besides “Everyone” and “Authenticated Users”, then this is a finding.

In Windows, a user does not have to be a member of any group other than the implicit groups "Everyone" and "Authenticated Users." Thus, to best ensure security, dnsuser must be removed from all explicit groups, including the "Users" group, into which all users are placed by default. There should not be a dnsgroup group as is recommended for UNIX.
Fix Text (F-3553r1_fix)
The SA should remove the BIND service user account from all configurable user groups.
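
The check and fix above can also be scripted. The following PowerShell is an added example, not part of the STIG text: it assumes the service account is a local account named dnsuser (the name used in the check text) and reads its memberships through the ADSI WinNT provider. The function name and the -Remediate switch are hypothetical.

```powershell
# Added example (not from the STIG): audit explicit local group memberships
# of the BIND service account through the ADSI WinNT provider.
param(
    [string]$Account  = 'dnsuser',           # name from the check text; assumed to be a local account
    [string]$Computer = $env:COMPUTERNAME,
    [switch]$Remediate                       # hypothetical switch: apply the Fix Text as well
)

function Get-ExplicitLocalGroup {
    param([string]$Account, [string]$Computer)
    $user = [ADSI]"WinNT://$Computer/$Account,user"
    try {
        # Groups() returns explicit memberships only; the implicit groups
        # "Everyone" and "Authenticated Users" never appear in this list.
        $user.psbase.Invoke('Groups') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        throw "Cannot read local account '$Account' on '$Computer': $($_.Exception.Message)"
    }
}

$groups = @(Get-ExplicitLocalGroup -Account $Account -Computer $Computer)

if ($groups.Count -eq 0) {
    Write-Output "Not a finding: '$Account' has no explicit group memberships."
    exit 0
}

# Any explicit group, including the default "Users" group, is a finding.
Write-Output "FINDING (V-3622): '$Account' is a member of: $($groups -join ', ')"

if ($Remediate) {
    foreach ($name in $groups) {
        $group = [ADSI]"WinNT://$Computer/$name,group"
        $group.psbase.Invoke('Remove', "WinNT://$Computer/$Account,user")
        Write-Output "Removed '$Account' from '$name'."
    }
}

# Non-zero exit code signals that a finding was present when the script started.
exit 1
```

Run it once without -Remediate to record the finding, then again after remediation to confirm the account has no explicit memberships left.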