A list of personnel authorized to administer each zone and name server is not maintained.


Overview

Finding ID: V-13036
Version: DNS0120
Rule ID: SV-13604r2_rule
IA Controls: (none listed)
Severity: Low
Description
If an organization does not document who is responsible for the DNS function, then there is a significant potential that unauthorized individuals will obtain privileged access to name servers. During a security breach, it will be difficult to assign accountability for improper transactions if it is not known who is responsible for this function. The roles of the SA and the web administrator or web master are generally understood but are often used interchangeably. The SA is responsible for the OS, while the web administrator or web master usually manages the website(s). In some cases, the SA is also the web administrator/web master, which is why guidance tends to be written in a certain fashion. The application development group should refer to the supporting organization for the application when application issues arise from meeting web server requirements.
STIG: DNS Policy Security Technical Implementation Guide
Date: 2017-10-02

Details

Check Text (C-3358r3_chk)
Interview the ISSO and ask for the web server’s documented procedures and processes.

Verify the documented procedures and processes explicitly document the roles and responsibilities for the web server and website(s) management. These documented roles will be used to validate access controls in respective DNS technology STIGs.

In some environments, the SA is also the web manager/web master. In such cases, the roles should still be documented.

If the organization does not have the web server roles documented, this is a finding.
Fix Text (F-4340r2_fix)
The ISSO must create and maintain a list of authorized DNS administrators for each zone and name server under the ISSO's scope of responsibility.