V-34244 | High | The DNS implementation must verify each NS record in a zone file points to an active name server authoritative for the domain specified in that record. | Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly... |
V-34265 | High | The DNS implementation must enforce a Discretionary Access Control (DAC) policy to protect the transfer of zone information. | DAC is based on the notion that individual users are owners of objects and, therefore, have discretion over who should be authorized to access the object and in which mode (e.g., read or write).... |
V-34261 | High | The DNS implementation must be fault-tolerant. | A critical component of securing an information system is ensuring its availability. The best way to ensure availability is to eliminate any single point of failure in the system itself and in the... |
V-33958 | Medium | The network element must route all remote access traffic through managed access control points. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless of... |
V-33959 | Medium | The network element must monitor for unauthorized remote connections to specific information systems on an organization defined frequency. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
V-33956 | Medium | The DNS implementation must use approved cryptography to protect the confidentiality of remote access sessions such as zone transfers. | Zone transfer encryption is critical for the protection of the zone data. If the zone data is not protected for confidentiality, malicious users may gain the ability to map the network resources.... |
V-33957 | Medium | The DNS implementation must be configured to use cryptography to protect the integrity of remote access sessions such as zone transfers. | Zone transfer encryption is critical for the protection of the zone data. If the zone data is not protected for integrity, malicious users may gain the ability to modify the network resources.... |
V-33954 | Medium | The network element must allow authorized users to associate security attributes with information. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-33955 | Medium | The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
V-33952 | Medium | The network element must only allow authorized entities to change security attributes. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-33953 | Medium | The network element must maintain the binding of security attributes to information with sufficient assurance that the information attribute association can be used as the basis for automated policy actions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-34131 | Medium | The DNS implementation must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
V-34130 | Medium | The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
V-34133 | Medium | The network element must separate user functionality (including user interface services) from information system management functionality. | Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services, the collection of performance, diagnostics, and... |
V-34132 | Medium | The network element must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. | Malicious software, such as Trojan horses, hacker tools, DDoS (Distributed Denial of Service) agents, and spyware, can establish a base on individual desktops and servers. Many of these are not... |
V-34135 | Medium | The DNS implementation must isolate security functions from non-security functions. | Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and... |
V-34134 | Medium | The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e. non-privileged) users. | Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services, the collection of performance, diagnostics, and... |
V-34137 | Medium | The DNS must implement a system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and... |
V-34136 | Medium | The DNS implementation must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions. | Application security functionality that performs security tasks, such as enforcing access and information flow control requires additional system privilege and can have a large impact on the... |
V-34139 | Medium | The DNS implementation must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, produced by the actions of a prior process (or the actions of a process acting on behalf of a prior user) from being available to any current... |
V-34138 | Medium | The DNS implementation must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and... |
V-34223 | Medium | The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34222 | Medium | The network element must provide near real-time alerts when any of the organization defined list of compromise or potential compromise indicators occur. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34225 | Medium | The network element must take an organization defined list of least-disruptive actions to terminate suspicious events. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34224 | Medium | The network element must notify an organization defined list of incident response personnel of suspicious events. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34227 | Medium | The network element must ensure all encrypted traffic is visible to network monitoring tools. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34226 | Medium | The network element must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-33862 | Medium | The network element must enforce security policies regarding information on interconnected systems. | Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative for policy... |
V-33863 | Medium | The network element must uniquely identify source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
V-33861 | Medium | The network element must provide the capability for a privileged administrator to configure the organization defined security policy filters to support different security policies. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
V-34108 | Medium | The DNS implementation must enforce password complexity by the number of numeric characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
V-33964 | Medium | The network element must protect wireless access to the network using encryption. | The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most... |
V-34236 | Medium | The network element must detect unauthorized changes to software and information. | Anomalous behavior and unauthorized changes must be detected before the network element is breached or no longer in service. Identifying the source and method used to make the unauthorized change... |
V-34237 | Medium | The DNS implementation must be configured to identify and respond to potential security-relevant error conditions. | Error messages generated by various elements within the DNS components and services can indicate a possible security violation or breach. The DNS system must be configured to be able to recognize... |
V-33929 | Medium | The network element must provide the capability for a privileged administrator to configure organization defined security policy filters to support different security policies. | Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to... |
V-33928 | Medium | The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts. | Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to... |
V-34034 | Medium | The DNS implementation must provide an audit reduction capability. | Due to the numerous functions a DNS implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected.... |
V-34035 | Medium | The DNS implementation must provide a report generation capability. | Due to the numerous functions a DNS implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected.... |
V-34036 | Medium | The DNS implementation must provide the capability to automatically process log records for events of interest based upon selectable criteria. | Due to the numerous functions a DNS implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected.... |
V-34037 | Medium | The DNS implementation must use internal system clocks to generate time stamps for audit records. | Determining the correct time a particular event occurred within the DNS architecture is critical when conducting forensic analysis and investigating system events. Without the use of an approved... |
V-33923 | Medium | All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-33922 | Medium | The network element must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
V-33921 | Medium | The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-33920 | Medium | The DNS implementation must support organizational requirements to disable the user identifiers after an organization defined time period of inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able... |
V-33927 | Medium | The DNS implementation must implement separation of duties through assigned information system access authorizations. | Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. An example of separation of duties within the DNS... |
V-33926 | Medium | The network element must enforce information flow control using organization defined security policy filters as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-34238 | Medium | The DNS implementation must generate error messages providing information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | Error messages generated by various elements within the DNS components and services can indicate a possible security violation or breach. The DNS system must be configured to recognize those error... |
V-33924 | Medium | The network element enforces organization defined limitations on the embedding of data types within other data types. | Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the... |
V-34128 | Medium | The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions. | Lack of authentication enables anyone to gain access to the network or possibly a network element providing opportunity for intruders to compromise resources within the network infrastructure.... |
V-34129 | Medium | The network element must terminate all sessions when non-local maintenance is completed. | In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated, thereby freeing device resources and... |
V-34126 | Medium | The network element protects non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption. | Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of... |
V-34127 | Medium | The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of... |
V-34124 | Medium | The DNS system must log non-local maintenance and diagnostic sessions. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was... |
V-34125 | Medium | The DNS system must protect non-local maintenance sessions through the use of multifactor authentication. | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure.... |
V-34122 | Medium | The DNS implementation must invoke a shutdown of the DNS service in the event of an audit failure unless an alternative audit capability exists. | Auditing and logging are key components of the DNS architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34123 | Medium | The network element must automate mechanisms to restrict the use of maintenance tools to authorized personnel only. | With the growth of widespread network delivered malware infections, organizations tend to overlook the spread of malware from system to system through removable media. Once an infected media is... |
V-34120 | Medium | The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. | Non-organizational users (those users that do not have equivalent status as that of an employee) shall be uniquely identified and authenticated for all accesses other than those accesses... |
V-34121 | Medium | The network element must employ automated mechanisms to assist in the tracking of security incidents. | Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. An... |
V-34229 | Medium | The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34228 | Medium | The network element must analyze outbound traffic at the external boundary of the network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34232 | Medium | The DNS implementation must verify the correct operation of security functions in accordance with organization defined conditions and frequency. | DNS security functional testing involves testing the system for conformance to the application's security function specifications, as well as for the underlying security model. The need to verify... |
V-34046 | Medium | The DNS implementation must have the capability to produce audit records on hardware-enforced write-once media. | It is imperative the audit data collected from DNS elements is secured and stored on write-once media for longevity of the records and to ensure it is not disposed of improperly, or overwritten.... |
V-33962 | Medium | The network element must enforce requirements for remote connections to the network. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Enabling... |
V-33858 | Medium | The network element must enforce information flow control using explicit security attributes on information source and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-33990 | Medium | The DNS implementation must be capable of taking organization defined actions upon audit failure (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure). | Auditing and logging are key components of the DNS architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-33938 | Medium | Upon successful logon the DNS implementation must display to the user the number of unsuccessful logon attempts since the last successful logon. | As most "users" of a DNS platform are administrators, they need to be very vigilant in maintaining situational awareness of activity that occurs regarding their accounts. Providing them with... |
V-33939 | Medium | The DNS implementation must notify the user of the number of successful login attempts to the system occurring during an organization defined time period. | As most "users" of a DNS platform are administrators, they need to be very vigilant in maintaining situational awareness of activity that occurs regarding their accounts. Providing them with... |
V-34241 | Medium | The DNS implementation must prohibit recursion on authoritative name servers. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers... |
V-34240 | Medium | The DNS implementation must activate an organization defined alarm when a system component failure is detected. | Error messages generated by various elements within the DNS components and services can indicate a possible security violation or breach. The DNS system must be configured to recognize those error... |
V-34247 | Medium | The DNS implementation must prevent access to organization defined security-relevant information except during secure non-operable system states. | Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce... |
V-34246 | Medium | The network element must display security attributes in human readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization identified human readable, standard naming conventions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-34245 | Medium | The network element disables network access by unauthorized devices and logs the information as a security violation. | Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote... |
V-33930 | Medium | The network element must be configured to automatically disable the device if any of the organization defined list of security violations are detected. | To reduce or eliminate the risk of the network or the network element itself to be compromised, the device must be configured to disable itself depending on the violation or when it is not able to... |
V-33931 | Medium | The DNS implementation must enforce the organization defined limit of consecutive invalid access attempts by a user during the organization defined time period. | One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts... |
V-33932 | Medium | The DNS implementation must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted. | One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts... |
V-34248 | Medium | The network element must enforce information flow control on metadata. | Metadata is defined as data providing information about one or more other pieces of data such as purpose of the data, author or creator of the data, network location of where data was created, and... |
V-33934 | Medium | The DNS implementation must display an approved system use notification message or warning banner before granting access to the system. | The DNS implementation is required to display a DoD approved warning banner prior to granting access to the server. The banner must warn any unauthorized user not to proceed. It must also provide... |
V-33935 | Medium | The DNS implementation must display an approved banner to the user and it must remain on the screen until the user takes explicit actions to log on. | The DNS implementation is required to display a DoD approved warning banner until the user performs an explicit action to log onto the server. The banner must warn any unauthorized user not to... |
V-33936 | Medium | The DNS implementation must display an approved system use notification message or warning banner before granting access to the system. | The DNS implementation is required to display an approved system use notification message or banner before granting access to the system providing privacy and security notices consistent with... |
V-34085 | Medium | The network element must employ automated mechanisms to detect the addition of unauthorized components or devices. The monitoring may be accomplished on an ongoing basis or by periodic scanning. Automated mechanisms can be implemented within the network element and/or in another separate information system or device. | Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that... |
V-34084 | Medium | The network element must employ automated mechanisms to prevent program execution in accordance with organization defined specifications. | A compromised network element introduces risk to the entire network infrastructure, as well as data resources accessible via the network. The perimeter defense has no oversight or control of... |
V-34087 | Medium | The DNS implementation must support organizational requirements to conduct backups of system-level information contained in the information system per organization defined frequency. | Information system backup is a critical step in maintaining data assurance and availability. Without available back up data to restore a system in the event of a system failure, the system may be... |
V-34158 | Medium | The DNS implementation must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. | If unprotected data records obtained via a zone transfer are intercepted and altered by a man-in-the-middle attack, the DNS data may be compromised and the cache may be poisoned. DNS provides... |
V-34039 | Medium | The DNS implementation must protect audit information from unauthorized access. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure users cannot circumvent audit protections put in place. If audit data were to become compromised,... |
V-34220 | Medium | The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34153 | Medium | The network element must route organization defined internal communications traffic to organization defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. | A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network such as web server, web mail, and chat rooms. This prevents any... |
V-34152 | Medium | The network element must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter. | All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal... |
V-34151 | Medium | The network element must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices. | The enclave's internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of... |
V-34089 | Medium | The DNS implementation must uniquely identify and authenticate all organizational users for access to accounts. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
V-34088 | Medium | The DNS implementation must support organizational requirements to conduct backups of information system documentation including security-related documentation per organization defined frequency that is consistent with recovery time and recovery point object. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system... |
V-34155 | Medium | The network element must monitor and control traffic at both the external and internal boundary interfaces. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. With this information, the network administrator can devise ways to block the attack and possibly... |
V-34154 | Medium | The network element must deny network traffic and audit internal addresses posing a threat to external information systems. | The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the... |
V-33947 | Medium | The network element must support and maintain the binding of organization defined security attributes to information in storage. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-34109 | Medium | The DNS implementation must enforce password complexity by the number of special characters used. | The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Password strength is a measure of the effectiveness of... |
V-33963 | Medium | The network element must protect wireless access to the network using authentication. | The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most... |
V-34062 | Medium | The DNS implementation must be configured to enable automated mechanisms to enforce access restrictions. | Any changes to the hardware, software, and/or firmware components of the DNS implementation can potentially have significant effects on the overall security of the system. Therefore, only... |
V-34049 | Medium | The network element must use cryptography to protect the integrity of audit tools. | Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what attempted to be done, where it was done, when it was... |
V-34055 | Medium | The DNS implementation must allow authorized personnel to select which events are to be logged by specific components of the system. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34250 | Medium | The network element must implement policy filters that constrain data structure and content to organization defined information security policy requirements when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
V-34251 | Medium | The network element must detect unsanctioned information when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
V-34252 | Medium | The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
V-34253 | Medium | The DNS implementation must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be... |
V-34254 | Medium | The network element must prevent the download of prohibited mobile code. | Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
V-34255 | Medium | The network element must prevent the execution of prohibited mobile code. | Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
V-34256 | Medium | The network element must prevent the automatic execution of mobile code in organization defined software applications and requires organization defined actions prior to executing the code. | Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
V-34163 | Medium | The DNS implementation must terminate the connection associated with a communications session at the end of the session or after an organization defined time period of inactivity. | Terminating network connections associated with communications sessions include, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking... |
V-34092 | Medium | The DNS implementation must use multifactor authentication for local access to privileged accounts. | Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases,... |
V-34093 | Medium | The DNS implementation must use multifactor authentication for local access to non-privileged accounts. | Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases,... |
V-34090 | Medium | The DNS implementation must use multifactor authentication of all organizational users for access to privileged accounts. | Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases,... |
V-34091 | Medium | The DNS implementation must use multifactor authentication for network access to non-privileged accounts. | Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases,... |
V-34096 | Medium | The DNS implementation must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the DNS systems being accessed. | Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases,... |
V-34097 | Medium | The DNS implementation must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts. | Replay attacks, if successfully used against a DNS account could result in unfettered access to the DNS settings and data records. A successful replay attack against a privileged DNS account could... |
V-34094 | Medium | The DNS implementation must support organizational requirements to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, DNS administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated.... |
V-34095 | Medium | The DNS implementation must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the DNS implementation being accessed. | Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases,... |
V-34140 | Medium | The DNS implementation must protect against or limit the effects of Denial of Service (DoS) attacks. | A denial of service (DoS) attack against the DNS infrastructure has the potential to cause a denial of service to all network users. As the DNS is a distributed backbone service of the Internet,... |
V-34141 | Medium | The DNS implementation must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. A DoS attack against the DNS infrastructure has the... |
V-34142 | Medium | The DNS implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. | A denial of service (DoS) attack against the DNS infrastructure has the potential to cause a DoS to all network users. As the DNS is a distributed backbone service of the Internet, various forms... |
V-34099 | Medium | The DNS server must authenticate an organization defined list of specific devices by device type before establishing a connection. | A DNS server must have a level of trust with any device that has a need to connect to it. The DNS system must allow only devices that are included in an organizational defined list to connect.... |
V-34144 | Medium | The network element must check inbound traffic to ensure communications are coming from an authorized source and routed to an authorized destination. | Spoofing source addresses occurs when a malicious user outside the network has created packets with source address belonging to the private address space of the target network. This is done in an... |
V-34145 | Medium | The DNS implementation must implement host based boundary protection mechanisms. | A host-based boundary protection mechanism is, for example, a host based firewall. Host-based boundary protection mechanisms are employed on devices to protect the asset where the data resides and... |
V-34146 | Medium | The network element must isolate organization defined key information, security tools, mechanisms, and support components from other internal information system components via physically separate subnets. | Implementing defense-in-depth by deploying various network security elements at strategic locations and segregating the enclave into separate subnets with unique security policies to provide... |
V-34147 | Medium | The network element must route all management traffic through a dedicated management interface for purposes of access control and auditing. | From an architectural perspective, implementing out of band management (OOBM) for network elements is a best practice and the first step in the deployment of a management network. OOBM networks... |
V-34148 | Medium | The network element must prevent discovery of specific system components or devices composing a managed interface. | Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan... |
V-34149 | Medium | The network element must employ automated mechanisms to enforce strict adherence to protocol format. | Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by malicious people to exploit a host's protocol stack to create a Denial of... |
V-34040 | Medium | The DNS implementation must protect audit information from unauthorized modification. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure users cannot circumvent audit protections put in place against modification of the audit data. If... |
V-33838 | Medium | The DNS implementation must notify the appropriate individuals when accounts are created. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |
V-33979 | Medium | The DNS implementation must produce log records containing sufficient information to determine if the event was a success or failure. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34100 | Medium | The DNS server must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices. | A DNS server must have a level of trust with any other device wanting to connect to it. To safeguard these connections, it is imperative that any device connecting to a DNS system from a remote... |
V-33833 | Medium | The DNS implementation must automatically terminate temporary accounts after an organization defined time period for each type of account. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |
V-33832 | Medium | The DNS implementation must provide automated support for account management functions. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |
V-33835 | Medium | The login credentials for an emergency account must be physically protected. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |
V-33834 | Medium | The DNS implementation must automatically terminate emergency accounts after an organization defined time period. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |
V-33837 | Medium | The DNS implementation must automatically audit the creation of accounts. | Account management and distribution is vital to the security of any DNS implementation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of... |
V-33836 | Medium | The DNS implementation must automatically disable inactive accounts after an organization defined time period of inactivity. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |
V-34243 | Medium | The DNS implementation must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record. | Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly... |
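V-34243 is the one requirement in this list that a zone-file lint cannot satisfy on its own: the NS record may be syntactically perfect and still point at a host that answers with the AA bit clear (a lame delegation), at a host that is only a recursive resolver, or at an address nobody controls, any of which lets a third party stand up the "missing" authority. The check that actually tests the requirement is to query each NS target for the zone's NS RRset with recursion disabled and insist on NOERROR, AA set, and the target naming itself. The script below is an added example, not DISA text or the code of any DNS server; it uses only the Python standard library and the RFC 1035 wire format. The `transport` parameter and `build_response` fixture are assumptions introduced so the logic can run offline against constructed replies; `192.0.2.x` are RFC 5737 documentation addresses, not real name servers.

```python
"""Added example, not DISA STIG or DNS-server code: check that each NS target
answers authoritatively for its zone. Standard library only (RFC 1035 wire
format); the transport is injectable so it runs offline against a constructed
response (build_response). 192.0.2.x are RFC 5737 documentation addresses."""
import random
import socket
import struct

QTYPE_NS = 2

def encode_name(name):
    """Dotted name -> uncompressed DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            end = end if jumped else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels).lower() + ".", end if jumped else offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_query(zone, qid):
    """NS query with RD=0: ask for the server's own authoritative data."""
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone)
            + struct.pack("!HH", QTYPE_NS, 1))

def parse_response(data):
    """Return (qid, aa, tc, rcode, set of NS targets in the answer section)."""
    qid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    aa, tc, rcode = bool(flags & 0x0400), bool(flags & 0x0200), flags & 0xF
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        offset = decode_name(data, offset)[1] + 4
    targets = set()
    for _ in range(an):
        offset = decode_name(data, offset)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS:
            targets.add(decode_name(data, offset)[0])
        offset += rdlen
    return qid, aa, tc, rcode, targets

def udp_transport(server_ip, packet, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        return sock.recvfrom(4096)[0]

def check_ns(zone, ns_name, server_ip, transport=udp_transport):
    """(ok, reason): ok only if server_ip answers NS <zone> NOERROR with AA set
    and lists ns_name among the zone's servers; anything else is a lame NS."""
    zone = zone.rstrip(".").lower() + "."
    ns_name = ns_name.rstrip(".").lower() + "."
    qid = random.randrange(65536)
    try:
        data = transport(server_ip, build_query(zone, qid))
    except OSError as exc:  # timeout, port unreachable, ...
        return False, "no response: %s" % exc
    rid, aa, tc, rcode, targets = parse_response(data)
    if rid != qid:
        return False, "transaction ID mismatch"
    if rcode != 0:
        return False, "rcode %d" % rcode
    if not aa:
        return False, "answer not authoritative (AA clear): lame delegation"
    if tc:
        return False, "truncated answer; retry over TCP before deciding"
    if ns_name not in targets:
        return False, "server does not list %s as NS for %s" % (ns_name, zone)
    return True, "authoritative for %s" % zone

def build_response(query_packet, aa, rcode, ns_names):
    """Constructed fixture for offline runs: minimal reply to query_packet."""
    qid = struct.unpack("!H", query_packet[:2])[0]
    zone = decode_name(query_packet, 12)[0]
    answers = b""
    for target in ns_names:
        rdata = encode_name(target)
        answers += (encode_name(zone)
                    + struct.pack("!HHIH", QTYPE_NS, 1, 3600, len(rdata)) + rdata)
    flags = 0x8000 | (0x0400 if aa else 0) | rcode  # QR=1, RD/RA clear
    return (struct.pack("!HHHHHH", qid, flags, 1, len(ns_names), 0, 0)
            + query_packet[12:] + answers)

if __name__ == "__main__":
    # Constructed servers: one authoritative, one that is merely a resolver.
    good = lambda ip, pkt: build_response(pkt, True, 0, ["ns1.example.test", "ns2.example.test"])
    lame = lambda ip, pkt: build_response(pkt, False, 0, [])
    print(check_ns("example.test", "ns1.example.test", "192.0.2.1", transport=good))
    print(check_ns("example.test", "ns2.example.test", "192.0.2.2", transport=lame))
```

In real use, walk the zone's NS RRset, resolve each NS name to its A/AAAA addresses separately (glue or an independent resolver), and call `check_ns` once per address with the default `udp_transport`, so that an NS name that resolves to several hosts is checked on every one of them. The transaction-ID comparison is kept because a check like this typically runs from a monitoring host and should not be satisfied by a stray or spoofed reply; the TC branch deliberately reports rather than guesses, since a truncated UDP answer has to be re-queried over TCP before the NS set can be trusted.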
V-34171 | Medium | The network element must employ NSA-approved cryptography to protect classified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
V-34170 | Medium | The DNS implementation must employ FIPS validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing... |
V-33978 | Medium | The DNS implementation must produce log records containing sufficient information to establish the sources of the events. | Auditing and logging are key components of any security architecture. Without information establishing the source of activity, the value of audit records from a forensics perspective is... |
V-34242 | Medium | The DNS must utilize valid root name servers in the local root zone file. | All caching name servers must be authoritative for the root zone because without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to... |
V-34264 | Medium | The DNS implementation must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. | DAC is based on the notion that individual users are owners of objects and, therefore, have discretion over who should be authorized to access the object and in which mode (e.g., read or write).... |
V-34267 | Medium | The network element must protect against unauthorized physical connections across the boundary protections implemented at an organization defined list of managed interfaces. | Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating... |
V-34266 | Medium | The DNS implementation must employ FIPS-validated cryptography to implement digital signatures. | The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation and NSA approval provides assurance that the relevant cryptography... |
V-34263 | Medium | The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and, therefore, have discretion over who should be authorized to access the object and in... |
V-34262 | Medium | The DNS implementation must implement internal/external role separation. | DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address... |
V-34214 | Medium | The network element must be configured to perform organization defined actions in response to malicious code detection. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34069 | Medium | The network element must employ automated mechanisms to centrally manage configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
V-34068 | Medium | The network element must implement automatic safeguards and countermeasures if security functions or mechanisms are changed inappropriately. | Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
V-34067 | Medium | The DNS implementation must limit privileges to change software resident within software libraries, including privileged programs. | Any changes to the software components of the DNS implementation can potentially have significant effects on the overall security and functionality of the system. Therefore, only qualified and... |
V-34065 | Medium | The DNS implementation must enforce a two-person rule for changes to organization defined information system components and system-level information. | Any changes to the hardware, software, and/or firmware components of the DNS implementation can potentially have significant effects on the overall security of the system. Therefore, only... |
V-34064 | Medium | The network element must prevent the installation of organization defined critical software programs not signed with a certificate that is recognized and approved by the organization. | Changes to any software components of the network element can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation... |
V-34063 | Medium | The DNS implementation must be configured to enable automated mechanisms to support auditing of the enforcement actions. | Any changes to the hardware, software, and/or firmware components of the DNS implementation can potentially have significant effects on the overall security of the system. Therefore, only... |
V-34098 | Medium | The DNS implementation must use organization defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | Replay attacks, if successfully used against a DNS account could result in unfettered access to the DNS settings and data records. A successful replay attack against a privileged DNS account could... |
V-34061 | Medium | The DNS implementation must enforce access restrictions associated with changes to the information system. | Any changes to the software components of the DNS implementation can potentially have significant effects on the overall security and functionality of the system. Therefore, only qualified and... |
V-34060 | Medium | The DNS implementation must generate audit records for the success and failure of start and stop of the name server service or daemon. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34143 | Medium | The DNS implementation must limit the use of resources by priority. | Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components... |
V-33989 | Medium | The DNS implementation must be configured to send an alert to designated personnel in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures... |
V-33988 | Medium | The DNS implementation must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization. | It is critical when a system is at risk of failing to process audit logs, as required, actions are automatically taken to mitigate the failure or risk of failure. One method used by attackers is... |
V-33985 | Medium | The DNS implementation must provide a warning when the logging storage capacity reaches an organization defined percentage of maximum capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. An audit processing failure includes the audit storage capacity being... |
V-33984 | Medium | The DNS implementation logging facility must be configured to reduce the likelihood of log record capacity being exceeded. | The DNS implementation needs to be cognizant of potential audit log storage capacity issues. During the installation and/or configuration process, the DNS should detect and determine if adequate... |
V-33987 | Medium | The DNS implementation must enforce configurable traffic volume thresholds representing auditing capacity for network traffic to be logged. | It is critical when a system is at risk of failing to process audit logs, as required, actions are automatically taken to mitigate the failure or risk of failure. One method used by attackers is... |
V-33986 | Medium | The DNS implementation must provide a real-time alert when organization defined audit failure events occur. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures... |
V-33981 | Medium | The network element must produce log records that contain detailed information for events identified by type, location, and subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example,... |
V-33980 | Medium | The DNS implementation must produce audit records that contain sufficient information to establish the identity of any user or subject associated with the event. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-33983 | Medium | The DNS implementation must be configured to allocate audit record storage capacity. | In order to ensure the DNS implementation has a sufficient storage capacity in which to write the audit logs, the system must be configured to allocate appropriate audit record storage capacity.... |
V-33982 | Medium | The DNS implementation must support the requirement to centrally manage the content of audit records generated by DNS components. | Auditing and logging are key components of any security architecture. Centrally managing audit data provides for easier management of DNS events and is an effective facility for monitoring and the... |
V-34268 | Medium | The DNS implementation must initiate session auditing upon startup. | Without session level auditing, IA and IT professionals do not have the complete picture, in detail, of what is transpiring on their systems. Without the session level auditing capability, it is... |
V-34212 | Medium | The network element must employ malicious code protection mechanisms to perform periodic scans of the information system on an organization defined frequency. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34221 | Medium | The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34213 | Medium | The network element must be configured to perform real-time scans of files from external sources as they are downloaded and prior to being opened or executed. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34249 | Medium | The network element must identify information flows by data type specification and usage when transferring information between different security domains.
| Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
V-33967 | Medium | The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services. Examples of... |
V-33966 | Medium | The network element must enforce requirements for the connection of mobile devices to organizational information systems. | Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the... |
V-34160 | Medium | The DNS implementation must protect the confidentiality of zone transfers. | DNS provides integrity through the use of TSIG and DNSSEC, however, it does not provide confidentiality. Confidentiality of DNS data transfers, to include dynamic updates and zone transfers, must... |
V-33933 | Medium | The DNS implementation must automatically lock out an account after the maximum number of unsuccessful attempts is exceeded and remain locked for an organization defined time period or until released by an administrator. | One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts... |
V-34166 | Medium | The DNS implementation must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
V-34167 | Medium | The DNS implementation must produce, control, and distribute asymmetric cryptographic keys using prepositioned keying material. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
V-33961 | Medium | The DNS implementation must disable use of non-secure protocols. | In this context an unsecure protocol is one that has not been evaluated and accepted for use as per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM). Disabling... |
V-33960 | Medium | The network element must audit remote sessions for accessing an organization defined list of security functions and security-relevant information. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
V-34272 | Medium | The network element must enforce dual authorization based on organizational policies and procedures for organization defined privileged commands. | Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or network element configuration changes require dual authorization before... |
V-34193 | Medium | The network element must take corrective action when unauthorized mobile code is identified. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
V-34168 | Medium | The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
V-34271 | Medium | The DNS implementation must restrict error messages so only authorized personnel may view them. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise if the information is available to unauthorized personnel.... |
V-34274 | Medium | The DNS implementation must be conformant to the IETF DNS specification. | Any DNS implementation must be designed to be able to conform to the Internet Engineering Task Force (IETF) specification. DoD utilizes many different DNS servers and it is essential that core... |
V-33968 | Medium | The DNS implementation must produce log records that contain sufficient information to establish what type of events occurred. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34118 | Medium | The DNS implementation must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the information system shall not provide any information that would... |
V-34219 | Medium | The network element must not allow users to introduce removable media into the information system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34074 | Medium | The DNS implementation must not have unnecessary services and capabilities enabled. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support the essential... |
V-34075 | Medium | The DNS implementation must be configured to prohibit or restrict the use of organization defined functions, ports, protocols, and services. | Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-34070 | Medium | The network element must employ automated mechanisms to centrally apply configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
V-34071 | Medium | The network element must employ automated mechanisms to centrally verify configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
V-34072 | Medium | The network element must employ automated mechanisms to respond to unauthorized changes to organization defined configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
V-34073 | Medium | The network element must ensure detected unauthorized security-relevant configuration changes are tracked. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
V-34156 | Medium | The DNS implementation must connect to external networks only through managed interfaces (proxy) consisting of boundary protection devices arranged in accordance with an organizational security architecture. | Employment of a DNS proxy is critical to protect internal DoD DNS traffic and access to the DoD authoritative services. Proxy services limit the exposure of authoritative servers and aid in... |
V-33852 | Medium | The network element must be configured to dynamically manage administrative privileges and associated command authorizations. | Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data.... |
V-33851 | Medium | The DNS implementation must monitor for irregular usage of administrative user accounts. | Atypical account usage is behavior that is not part of normal usage cycles. For example, large amounts of user account activity occurring after hours or on weekends. A comprehensive account... |
V-33850 | Medium | The DNS implementation must notify the appropriate individuals for account termination. | As most accounts in the DNS are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker... |
V-34164 | Medium | The DNS implementation must establish a trusted communications path between the user and organization defined security functions within the information system. | The DNS user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf. To safeguard critical... |
V-33856 | Medium | The network element must enforce approved authorizations for controlling the flow of information in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-33855 | Medium | The DNS implementation must implement non-discretionary access control policies over privileged level users and resources to protect the DNS database or zone files. | The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able to create and modify resource records, and name servers should... |
V-33854 | Medium | The DNS implementation must enforce approved authorizations for logical access to the system in accordance with applicable policy. | Strong access controls are critical to securing DNS data and the DNS infrastructure. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and... |
V-33859 | Medium | The network element must enforce the highest privilege level administrative access to enable or disable security policy filters. | The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the network... |
V-33991 | Medium | The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
V-34270 | Medium | The DNS implementation must check the validity of data inputs. | Invalid input occurs when a user, or system acting on behalf of a user, inserts data or characters into an application's data entry fields and the application is unprepared to process that data.... |
V-34159 | Medium | The network element must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
V-34086 | Medium | The network element must support organizational requirements to conduct backups of user-level information contained in the device per organization defined frequency that is consistent with recovery time and recovery point objectives. | User information contained on a network element is associated with the user's account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures or... |
V-33917 | Medium | The network element must uniquely authenticate source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
V-34188 | Medium | The DNS implementation must protect the integrity and availability of publicly available information. | By its very nature, DNS provides information that has to be made publicly available, therefore security of the DNS system is paramount to protect the integrity and availability of the DNS... |
V-33918 | Medium | The network element must uniquely identify and validate destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
V-33919 | Medium | The network element must uniquely authenticate destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
V-33945 | Medium | The network element must support and maintain the binding of organization defined security attributes to information in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-33965 | Medium | The network element must monitor for unauthorized connections of mobile devices to information systems. | Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the... |
V-34162 | Medium | The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
V-33976 | Medium | The DNS implementation must produce log records containing sufficient information to establish when the events occurred. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-33977 | Medium | The DNS implementation must produce log records containing sufficient information to establish where the events occurred. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34111 | Medium | The DNS implementation must enforce password encryption for storage. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during storage. If passwords are not encrypted in storage and are simply text in a file... |
V-34199 | Medium | The DNS implementation must recognize only system-generated session identifiers. | Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.... |
V-34198 | Medium | The DNS implementation must generate a unique session identifier for each session. | Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.... |
V-34197 | Medium | The DNS implementation must invalidate session identifiers upon user logout or other session termination. | Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the... |
V-34196 | Medium | The DNS implementation must provide mechanisms to protect the authenticity of communications sessions for queries. | The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of... |
V-34195 | Medium | The DNS implementation must provide mechanisms to protect the authenticity of communications sessions for dynamic updates. | DNS is a fundamental network service which is prone to various attacks. If the authenticity of the originator of a dynamic update cannot be guaranteed through the use of TSIG, the DNS server is... |
V-34194 | Medium | The DNS implementation must provide mechanisms to protect the authenticity of communications sessions for zone transfers. | DNS is a fundamental network service which is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity... |
V-34161 | Medium | The DNS implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-34032 | Medium | The network element must centralize the review and analysis of audit records from multiple network elements within the network. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
V-34191 | Medium | The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
V-34190 | Medium | The network element must validate the integrity of security attributes exchanged between network elements. | Security attributes are associated with internal structures within the network element used to enable the implementation of access control and flow control policies or support other aspects of the... |
V-34117 | Medium | The DNS implementation must map the authenticated identity to the user account for PKI-based authentication. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. The... |
V-34048 | Medium | The network element must use cryptographic mechanisms to protect the integrity of audit information. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
V-34115 | Medium | The DNS implementation must validate DNS keys used for PKI-based authentication against an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, and Domain Name System Security Extensions... |
V-34235 | Medium | The DNS implementation must provide automated support for the management of distributed security testing. | The need to verify security functionality is necessary to ensure the DNS implementation is behaving as expected and the element's defenses are enabled. To scale the deployment of the verification... |
V-34113 | Medium | The DNS implementation must enforce minimum password lifetime restrictions. | Passwords need to be changed at specific policy-based intervals to avoid almost certain compromise. Any password, no matter how complex, can eventually be cracked and, therefore, must be changed... |
V-34112 | Medium | The DNS implementation must enforce password encryption for transmission. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted in transit, the traffic can be... |
V-34209 | Medium | The network element must employ malicious code protection mechanisms to detect and eradicate malicious code at the network perimeter. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34110 | Medium | The DNS implementation must enforce the number of characters changed when passwords are changed. | Passwords need to be changed at specific policy-based intervals to avoid almost certain compromise. Any password, no matter how complex, can eventually be cracked and, therefore, must be changed... |
V-34207 | Medium | The network element must be configured to implement automated mechanisms on an organization defined frequency to determine the state of information system components with regard to flaw remediation. | It is imperative that the activity promptly installs security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous... |
V-34206 | Medium | The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points. Protection of information at... |
V-34205 | Medium | The DNS implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | This requirement is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the DNS element. It is imperative... |
V-34042 | Medium | The network element must protect audit tools from unauthorized access. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
V-34203 | Medium | The network element must include components to proactively seek to identify web-based malicious code. | A honey pot simulates multiple platforms and services used to attract and contain the attackers. To the attacker, it appears to be part of a production network providing services. A honey pot... |
V-34202 | Medium | The DNS implementation must preserve organization defined system state information in the event of a system failure. | Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Failure in a... |
V-34201 | Medium | The DNS implementation must fail to an organization defined known-state for organization defined types of failures. | Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Failure in a... |
V-34233 | Medium | The DNS implementation must respond to security function anomalies in accordance with organization defined responses and alternative actions. | The need to verify security functionality is necessary to ensure the DNS defenses are enabled. If anomalies occur and the system does not respond appropriately, a compromise could occur. For those... |
V-34041 | Medium | The DNS implementation must protect audit information from unauthorized deletion. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure users cannot circumvent audit protections put in place and intentionally or inadvertently delete... |
V-34204 | Medium | The DNS implementation must protect the confidentiality and integrity of system information at rest. | This requirement is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the DNS element. It is imperative... |
V-34230 | Medium | The network element must detect attack attempts to the wireless network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-33847 | Medium | The DNS implementation must automatically audit account disabling actions. | As most accounts in the DNS are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker... |
V-33848 | Medium | The DNS implementation must notify the appropriate individuals when account disabling actions are taken. | As most accounts in the DNS are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker... |
V-34157 | Medium | The DNS implementation must protect the integrity of transmitted information. | DNS, being a scalable, distributed system, is highly vulnerable to exposure and the threats to the infrastructure are numerous. In order to thwart the threat of bogus and forged data in particular,... |
V-34231 | Medium | The network element must detect rogue wireless devices attack attempts and potential compromises or breaches to the wireless network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
V-34044 | Medium | The network element must protect audit tools from unauthorized deletion. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
V-34116 | Medium | The DNS implementation must enforce authorized access to the corresponding private key for PKI-based authentication. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. In DNS, the private part of the key pair is used to sign the zone. Validating resolvers use the... |
V-34038 | Medium | The DNS implementation must synchronize its internal clock on an organization defined frequency with an organization defined authoritative time source. | Determining the correct time a particular event occurred within the DNS architecture is critical when conducting forensic analysis and investigating system events. Without the use of an approved... |
V-34119 | Medium | The DNS implementation must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and... |
V-34047 | Medium | The DNS implementation must backup audit data on an organization defined frequency onto a different system or media. | It is imperative the audit data collected from DNS elements is backed up on a defined frequency onto a different system or media to ensure the longevity of the records, retention of the data, and... |
V-34273 | Medium | The DNS implementation must implement non-discretionary access control policies over resources to protect the name server executables/daemons and service configuration files. | Non-discretionary access control policies that may be implemented by organizations include Attribute-Based Access Control, Mandatory Access Control, and Originator Controlled Access Control.... |
V-34101 | Medium | The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices. | Without authentication, an unauthorized user can easily connect to a nearby access-point (AP) within the enclave. In addition, a rogue AP owned by an attacker can accept connections from wireless... |
V-34200 | Medium | The DNS implementation must generate unique session identifiers with organization defined randomness requirements. | Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.... |
V-33857 | Medium | The network element must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-34056 | Medium | The DNS implementation must generate audit records for the success and failure of organization defined events on the DNS server. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34057 | Medium | The DNS implementation must generate audit records for the success and failure of zone transfers on the DNS server. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34054 | Medium | The DNS implementation must provide audit record generation capability for organization defined auditable events occurring within DNS. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34169 | Medium | The DNS implementation must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | The most common vulnerabilities with cryptographic modules are those associated with poor implementation. Using cryptographic modules complying with applicable federal laws, Executive Orders,... |
V-34052 | Medium | The DNS implementation must produce a system-wide audit trail composed of log records in a standardized format. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34189 | Medium | The network element must associate security attributes with information exchanged between network elements. | Security attributes are associated with internal structures within the network element used to enable the implementation of access control and flow control policies or support other aspects of the... |
V-34050 | Medium | The DNS implementation must protect against an individual falsely denying having performed a particular action. | When non-repudiation techniques are not employed, high assurance that an individual performed a specific action cannot be guaranteed and the individual can falsely deny having performed such... |
V-34051 | Medium | The DNS implementation must compile log data from multiple components into a system-wide audit trail that is time correlated to within organization defined level of tolerance. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34192 | Medium | The network element must implement detection and inspection mechanisms to identify unauthorized mobile code. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
V-34187 | Medium | The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-34058 | Medium | The DNS implementation must generate audit records for the success and failure of zone update notifications on the DNS server. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
V-34059 | Medium | The DNS implementation must generate audit records for the success and failure of dynamic updates of the name server service or daemon. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
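The authenticity requirements for queries, dynamic updates and zone transfers (V-34196, V-34195, V-34194) and the audit requirements for zone transfers, update notifications and dynamic updates (V-34057, V-34058, V-34059) map onto a handful of name server directives. The fragment below is an added example for BIND 9 (9.16 or later), not text from the STIG or from ISC; the zone name example.mil, the addresses 10.10.0.20 and 10.10.0.30, the key names xfer-key and ddns-key, the log path and the secret placeholders are all assumptions chosen for illustration.

```conf
# Added example (not from the STIG or from ISC): named.conf fragment showing
# TSIG-authenticated zone transfers and dynamic updates, DNSSEC validation,
# and audit logging of transfer/notify/update activity.
# Hypothetical values: zone example.mil, secondary 10.10.0.20, DDNS client
# 10.10.0.30, key names xfer-key / ddns-key. Secrets are placeholders;
# generate real ones with: tsig-keygen -a hmac-sha256 xfer-key

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder, never deploy this value
};

key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder
};

# Every message exchanged with the secondary must carry xfer-key (NOTIFY, SOA
# refresh, AXFR/IXFR), so a spoofed source address alone is not enough.
server 10.10.0.20 {
    keys { "xfer-key"; };
};

options {
    directory "/var/named";
    # Deny transfers globally; grant per zone, and only to a key, never an IP.
    allow-transfer { none; };
    # Validate signed answers against the built-in root trust anchor (V-34196).
    dnssec-validation auto;
};

# Audit trail for V-34057 (transfers), V-34058 (notifications), V-34059 (updates).
logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 10 size 20m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category xfer-in         { audit_log; };
    category xfer-out        { audit_log; };
    category notify          { audit_log; };
    category update          { audit_log; };
    category update-security { audit_log; };   # rejected/unsigned updates
    category security        { audit_log; };   # rejected transfers, bad TSIG
};

zone "example.mil" {
    type primary;
    file "example.mil.db";
    # Zone transfers only to holders of xfer-key (V-34194).
    allow-transfer { key "xfer-key"; };
    # Dynamic updates only when signed with ddns-key, and only for A/AAAA
    # records under hosts.example.mil (V-34195); everything else is refused.
    update-policy {
        grant ddns-key subdomain hosts.example.mil. A AAAA;
    };
    # Sign the zone so validating resolvers can detect forged answers (V-34196).
    dnssec-policy default;
    inline-signing yes;
};
```

Two caveats a reviewer would raise. TSIG provides origin authentication and integrity for the transfer and update sessions, not confidentiality: the zone contents still cross the wire in the clear, so the transmission-disclosure requirement (V-34161) needs a separate control such as TLS or IPsec between primary and secondary. And the `security` and `update-security` categories are what turn failed attempts into audit records; without them, named records successful transfers and updates but stays silent on the rejected ones the STIG also asks for.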
V-34104 | Medium | The DNS implementation must enforce minimum password length. | The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Password strength is a measure of the effectiveness of... |
V-34105 | Medium | The DNS implementation must prohibit password reuse for the organization defined number of generations. | The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Password strength is a measure of the effectiveness of... |
V-34106 | Medium | The DNS implementation must enforce password complexity by the number of upper case characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
V-34107 | Medium | The DNS implementation must enforce password complexity by the number of lower case characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
V-34218 | Medium | The network element must only update malicious code protection mechanisms when directed by a privileged user. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, Web accesses, removable media, or other common means. Malicious... |
V-33925 | Medium | The network element must enforce organization defined one-way traffic flows using hardware mechanisms. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-33946 | Medium | The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-34103 | Medium | The network element must dynamically manage identifiers attributes and associated access authorizations to enable user access to the network with the appropriate and authorized privileges. | Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data.... |
V-34102 | Medium | The DNS server must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices. | A DNS server must have a level of trust with any node wanting to connect to it. To safeguard these connections, it is imperative that any device connecting to a DNS system from the network... |
V-34215 | Medium | The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34216 | Medium | The network element must automatically update malicious code protection mechanisms and signature definitions. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
V-34239 | Medium | The DNS implementation must support the requirement to activate an alarm and/or automatically shut down the information system if an application component failure is detected. This can include conducting a graceful application shutdown to avoid losing information. | Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining the system's security fail to function, the system could continue... |
V-34210 | Medium | The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34211 | Medium | The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
V-34043 | Medium | The network element must protect audit tools from unauthorized modification. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
V-34033 | Medium | The DNS implementation must employ automated mechanisms to alert security personnel of any organization defined inappropriate or unusual activities with security implications. | Applications will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within the application. Without this information diagnostics and forensics are... |
V-34165 | Medium | The DNS implementation must produce, control, and distribute symmetric cryptographic keys, such as TSIG, using NIST-approved key management technology and processes. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
V-34114 | Medium | The DNS implementation must enforce maximum password lifetime restrictions. | Passwords need to be changed at specific policy based intervals to avoid almost certain compromise. Any password, no matter how complex, can eventually be cracked and, therefore, must be changed... |
V-33944 | Medium | The network element must support and maintain the binding of organization defined security attributes to information in process. | The binding of these attribute assignments to information must be maintained while the data is in process, such as switching, traffic classification, Quality of Service (QoS) marking, packet... |
V-34208 | Medium | The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components. | It is imperative that the activity promptly installs security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous... |
V-33849 | Medium | The DNS implementation must automatically audit account termination. | As most accounts in the DNS are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker... |
V-34217 | Medium | The network element must prevent non-privileged users from circumventing malicious code protection capabilities. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
V-34234 | Low | The DNS implementation must provide notification of failed automated security tests. | The need to verify security functionality is necessary to ensure the DNS implementation is behaving as expected and the element's defenses are enabled. To scale the deployment of the verification... |
V-33937 | Low | Upon successful logon the DNS implementation must display the date and time of the last logon of the user. | As most "users" of a DNS platform are administrators, they need to be very vigilant in maintaining situational awareness of activity that occurs regarding their accounts. Providing them with... |
V-34257 | Low | The DNS implementation, as the distributed, hierarchical namespace, must provide the means to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains. | DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS)... |
V-34258 | Low | The DNS implementation, as the distributed, hierarchical namespace, must provide the means to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains. | In DNS, trust in the public key of the source is established by starting from a trusted name server and establishing the chain of trust down to the current source of response through successive... |
V-34259 | Low | The DNS implementation must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching DNS server is an information system providing name/address resolution service for local clients. If data origin authentication and data integrity verification is... |
V-33943 | Low | The DNS implementation must limit the number of concurrent sessions for each system account which for DNS consist of zone transfers and client connections to an organization defined number. | Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Limiting the number of zone transfer sessions reduces the likelihood of DoS from... |
V-34260 | Low | The DNS implementation must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. | A recursive resolving or caching DNS server is an information system providing name/address resolution service for local clients. If data origin authentication and data integrity verification is... |
V-33940 | Low | The DNS implementation must notify the user of the number of unsuccessful login attempts to the system occurring during an organization defined time period. | As most "users" of a DNS platform are administrators, they need to be very vigilant in maintaining situational awareness of activity that occurs regarding their accounts. Providing them with... |
V-34269 | Low | The DNS implementation must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries. | Per most sources, and NIST in particular, the underlying feature in the major threat associated with DNS forged responses or failures, is the integrity of the DNS data returned in the response.... |
V-33941 | Low | The DNS implementation must notify the user of security-related changes to the user's account occurring during the organization defined time period. | Notifying the user of account changes mitigates the risk of an attacker modifying an account without the user's knowledge and potentially gaining unauthorized access to the system or other systems... |
V-33846 | Low | The DNS implementation must notify the appropriate individuals when accounts are modified. | Account management and distribution is vital to the security of any DNS implementation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of... |
V-33845 | Low | The DNS implementation must automatically audit account modification. | As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an... |