
The appropriate encryption software is not correctly installed and configured on Windows ISC BIND name servers and it is required that in-band remote management be performed from hosts outside the enclave in which the name server resides.


Overview

Finding ID: V-3624
Version: DNS4570
Rule ID: SV-3624r1_rule
IA Controls: ECCT-1, ECCT-2
Severity: Medium
Description
If administrative network traffic is in the clear between external clients and name servers, then there is significant potential that unauthorized individuals can intercept and view that traffic, which may contain passwords and other sensitive information.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3451r1_chk)
The Systems Administrator may state that the evaluated Windows BIND name server is administered from a host outside of the internal network (e.g., a home office or remote site). In this case, there must be appropriate software on the Windows BIND name server to support encrypted communication. Once the service has been identified, the reviewer should check that the software does require encrypted sessions and authentication. Additional checks from the Secure Remote Computing STIG may apply. If the reviewer determines that the installed remote access/control configuration is inadequate, then there should be a finding with a written explanation specifying why the configuration is inadequate.
Fix Text (F-3555r1_fix)
The IAO should prohibit in-band remote management until an appropriate network encryption solution has been deployed and tested.