UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A name server is not protected by equivalent or better physical access controls than the clients it supports.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13032 DNS0100 SV-13600r1_rule Medium
Description
If an adversary can compromise a name server, then the adversary can redirect most network traffic sent to the hosts defined on that name server. Therefore, the security of the name server is as critical as the security of the hosts it protects. It is understood that different hosts require different levels of physical security. Nevertheless, the name server should not have weaker physical access controls than the computers it supports because this would, in effect, reduce the security of those hosts as well.
STIG Date
DNS Policy 2016-09-26

Details

Check Text ( C-3336r1_chk )
Ask to see the locations at the facility where computers supported by the listed name server(s) under evaluation are located (e.g., server closets, raised floor space, etc.). Note those areas that have the most extensive physical security controls. Also ask to see the locations of the name servers themselves. Then compare the physical security of the most secure computers against the physical security of the name server under evaluation. If the name server has substantially weaker physical security controls than the hosts it supports (e.g., the name server is in the DNS administrator’s cube while the servers are in a locked cage in a secure raised floor area), then this is a finding.
Fix Text (F-4336r1_fix)
Working with appropriate technical and facility personnel, the IAO should arrange to relocate the name server into the same physical location as the most sensitive hosts it supports.