
Users and/or processes other than the DNS software Process ID (PID) and/or the DNS database administrator have edit/write access to the zone database files.


Overview

Finding ID: V-4476
Version: DNS0425
Rule ID: SV-4476r2_rule
IA Controls: ECCD-1, ECCD-2
Severity: Medium
Description
Weak permissions on key files could allow an intruder to view or modify DNS zone files. Permissions on these files will be 640 or more restrictive.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3518r1_chk)
UNIX

Instruction: The reviewer must work with the SA to obtain the username and groupname of the DNS database administrator, DNS software administrator, and the username running the named daemon process.

In the presence of the reviewer, the SA should enter the following command to obtain the owner of the named process:

ps -ef | grep named

There are different ways (e.g., password/group file, NIS+, etc.) to obtain the DNS database administrator’s username and group name; the reviewer is to work with the SA to obtain this information based on the configuration of the site’s UNIX OS.

The zone files can be located by viewing the named.conf configuration for the zone statement and the file directive contained within the zone statement. In the presence of the reviewer, the SA should enter the following command while in the directory containing the zone files:

ls -l

If the zone files have permissions that allow write access to anyone beyond the owner of the named process or the DNS database administrator then this is a finding.
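An added example (not part of the STIG text or the UCF viewer page) that automates the UNIX check just described: it pulls the file directives out of the zone statements in named.conf and applies the owner and 640-or-tighter rule to each zone file's ls -l entry. The named.conf layout, the sample zone files and the named_user/dns_admin arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG text): automate the UNIX check above by taking
# the "file" directives from zone statements in named.conf and testing each zone
# file's ls -l mode and owner. Assumes the usual ls -l layout (field 1 mode,
# field 3 owner) and one directive per line in named.conf.

# Print the path from every "file" directive inside a zone { ... } block.
zone_files() {
    awk '/^[[:space:]]*zone[[:space:]]/ { inzone = 1 }
         inzone && /^[[:space:]]*file[[:space:]]/ {
             match($0, /"[^"]*"/); print substr($0, RSTART + 1, RLENGTH - 2) }
         inzone && /^[[:space:]]*};/ { inzone = 0 }' "$1"
}

# A zone file passes when it is owned by the named user or the DNS database
# administrator, the group has no write bit and "other" has no bits at all
# (mode 640 or more restrictive, as the Description requires).
perm_ok() {
    mode=${1%[+@.]}; owner=$2; named_user=$3; dns_admin=$4   # drop ACL/SELinux flag
    [ "$owner" = "$named_user" ] || [ "$owner" = "$dns_admin" ] || return 1
    case "$mode" in ?????w*) return 1 ;; esac   # group write bit set
    [ "${mode#???????}" = "---" ]               # other: no r, w or x
}

# Audit every zone file named in $1 (named.conf), relative to directory $2, for
# named user $3 and DNS admin $4. Prints OK/FINDING per file; returns 1 on any finding.
# Real host (paths are placeholders): audit_zone_dir /path/to/named.conf /path/to/zones named dnsadmin
audit_zone_dir() {
    conf=$1; dir=$2; nu=$3; da=$4; rc=0
    for z in $(zone_files "$conf"); do
        set -- $(ls -ld "$dir/$z")
        if perm_ok "$1" "$3" "$nu" "$da"; then echo "OK      $1 $3 $dir/$z"
        else echo "FINDING $1 $3 $dir/$z"; rc=1; fi
    done
    return $rc
}

# Constructed sample: a temp directory holding a named.conf and two zone files,
# one at 640 (compliant) and one at 664 (group-writable, a finding). Prints the dir.
make_sample() {
    d=$(mktemp -d)
    printf 'options {\n\tdirectory "%s";\n};\n' "$d" > "$d/named.conf"
    printf 'zone "example.test" {\n\ttype master;\n\tfile "example.test.zone";\n};\n' >> "$d/named.conf"
    printf 'zone "10.in-addr.arpa" {\n\ttype master;\n\tfile "10.rev";\n};\n' >> "$d/named.conf"
    echo '$TTL 3600' > "$d/example.test.zone"; chmod 640 "$d/example.test.zone"
    echo '$TTL 3600' > "$d/10.rev";            chmod 664 "$d/10.rev"
    echo "$d"
}
```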

Windows

Instruction: The reviewer must obtain the username and groupname of the DNS database administrator. The reviewer must work with the SA to obtain the owner of the named.exe or dns.exe program.

In the presence of the reviewer, the SA should right-click on the named.exe or dns.exe file and select Properties | Security tab | Advanced | Owner tab.

For each Standard or Primary zone file, right-click on the file in %SystemRoot%\System32\Dns and select Properties | Security tab.

If the zone files have permissions that allow write access to anyone beyond Administrators, Enterprise Domain Controllers, Enterprise Admins, Domain Admins, System or DNS Admins, then this is a finding.

For Active Directory integrated zones, the permissions of the Active Directory database should be verified. It usually resides at %SystemRoot%\NTDS\ntds.dit. The permissions should give full control only to System, Administrators, Creator Owner, and Local Service. If any other principal has access, this is a finding.
Fix Text (F-4361r1_fix)
The SA should modify the permissions of the zone files so that only the DNS software PID and/or the DNS database administrator have edit access to the zone database files.