
The DNS implementation must automatically terminate temporary accounts after an organization defined time period for each type of account.


Overview

Finding ID: V-33833
Version: SRG-NET-000002-DNS-000002
Rule ID: SV-44286r1_rule
IA Controls: none listed
Severity: Medium
Description
As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. For example, a temporary account could be created for vendor support use in order to perform diagnostics or assist in implementation. Temporary accounts are not to be confused with infrequently used accounts (e.g., local login accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates. If accounts intended to be temporary remain active when no longer needed, they may be used to gain unauthorized access with privileged level access. To reduce this risk, automated termination of all temporary accounts must be set upon account creation. The DNS implementation must be configured such that it automatically recognizes and supports this activity and immediately enforces the current account policy.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41896r1_chk)
Review the DNS system to ensure the system is configured to automatically terminate temporary accounts after an organization-defined time period. If the ability to terminate temporary accounts is not automated or not utilized, this is a finding.
Fix Text (F-37763r1_fix)
Configure the DNS system to automatically terminate temporary accounts after the organization-defined time period.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist, the underlying platform's account management system may be used.
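
One way to carry out the check above when account management falls to the underlying platform. This is an added example, not part of the SRG. It assumes a Linux host with shadow(5)-format account records, an organization-maintained list of temporary account names, and a 30-day organization-defined period; the account names and sample records are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample in shadow(5) format. Field 8 is the account expiration
# date in days since 1970-01-01. Not taken from any real system.
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
named:!:19700:0:99999:7:::
vendor_diag:$6$placeholder:19720:0:99999:7::19740:
vendor_impl:$6$placeholder:19720:0:99999:7:::
tmp_migrate:$6$placeholder:19720:0:99999:7::19900:
tmp_old:$6$placeholder:19600:0:99999:7::19650:
"""

def audit_temporary_accounts(shadow_text, temporary, max_days, today):
    """Return {account: reason} for temporary accounts that are findings.

    temporary: set of account names the organization designates temporary
               (assumption: this list is maintained outside the system).
    max_days:  organization-defined lifetime; an expiry further out than
               this from the audit date is treated as a finding.
    """
    today_days = (today - EPOCH).days
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 8 or fields[0] not in temporary:
            continue  # malformed record or a permanent account
        name, expire = fields[0], fields[7]
        if expire == "":
            findings[name] = "no expiration date set"
        elif not expire.isdigit():
            findings[name] = "unparseable expiration field"
        elif int(expire) - today_days > max_days:
            findings[name] = "expires beyond the allowed period"
        # An expiry in the past or within max_days is compliant.
    return findings

if __name__ == "__main__":
    temp = {"vendor_diag", "vendor_impl", "tmp_migrate", "tmp_old"}
    result = audit_temporary_accounts(SAMPLE_SHADOW, temp, 30, date(2024, 1, 15))
    for account, reason in sorted(result.items()):
        print(f"FINDING {account}: {reason}")
```

Accounts such as `root` and `named` are ignored because they are not on the temporary list, which matches the SRG's distinction between temporary accounts and infrequently used permanent ones.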