
The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND.


Overview

Finding ID: V-3623
Version: DNS4550
Rule ID: SV-3623r1_rule
IA Controls: ECLP-1
Severity: Low
Description
Having user rights beyond the minimum necessary gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3450r1_chk)
In Windows NT, select User Rights from the menu bar in “User Manager.” Select each user right and confirm that the DNS user account is not listed under any rights assignment other than “log on as a service.” If it is, this is a finding.

Windows 2000 is similar to Windows NT, but adds several relevant user rights (actually user prohibitions). In “Local Security Settings” (a Microsoft Management Console plug-in), select Local Policies | User Rights Assignments in the left windowpane. In the right windowpane, check that the DNS user account is not listed under any assignments other than “Log on as a service,” “Deny access to this computer from the network,” and “Deny logon as batch job.” If the user has any additional rights beyond these, this is a finding.

Fix Text (F-3554r1_fix)
The SA should grant the ISC BIND service the user rights “Log on as a service,” “Deny Access to This Computer from the Network,” and “Deny Logon as a Batch Job,” which are required for the proper configuration and security of ISC BIND.
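
The check and fix above can also be verified from a text export of the user rights policy rather than by reading each assignment in the GUI. The following is an added example, not part of the STIG: it assumes the policy was exported with `secedit /export /cfg <file> /areas USER_RIGHTS`, applies the Windows 2000 rule (three permitted rights), and runs on a constructed sample export in which the account name `dnsuser` and all SIDs are made up.

```python
# Added example: audit a `secedit /export` dump against the check text.
ALLOWED = {  # privilege constants for the three rights the check permits
    "SeServiceLogonRight",      # Log on as a service
    "SeDenyNetworkLogonRight",  # Deny access to this computer from the network
    "SeDenyBatchLogonRight",    # Deny logon as batch job
}

# Constructed sample export; the account name and SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = dnsuser
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,DNSUser
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def rights_held(inf_text, identities):
    """Return the rights whose member list names one of `identities`
    (account name or SID string, matched case-insensitively)."""
    wanted = {i.lstrip("*").lower() for i in identities}
    held, in_section = set(), False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # section header: track where we are
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        right, _, members = line.partition("=")
        # Exported SIDs carry a leading '*'; strip it before comparing.
        names = {m.strip().lstrip("*").lower() for m in members.split(",")}
        if names & wanted:
            held.add(right.strip())
    return held

def audit(inf_text, identities):
    """'extra' rights are a finding under the check text; 'missing' lists
    rights named in the fix text that are not assigned to the account."""
    held = rights_held(inf_text, identities)
    return {"extra": sorted(held - ALLOWED), "missing": sorted(ALLOWED - held)}

if __name__ == "__main__":
    ids = ["dnsuser", "S-1-5-21-1111111111-2222222222-3333333333-1105"]
    print(audit(SAMPLE_INF, ids))
```

Pass both the account name and its SID, since an export may list either form. Only direct listings are evaluated, as in the check text; rights the account inherits through group membership are not.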