UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must automatically terminate temporary accounts after an organization defined time period for each type of account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33833 SRG-NET-000002-DNS-000002 SV-44286r1_rule Medium
Description
As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. For example, a temporary account could be created for vendor support use in order to perform diagnostics or assist in implementation. Temporary accounts are not to be confused with infrequently used accounts (e.g., local login accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates. If accounts intended to be temporary remain active when no longer needed, they may be used to gain unauthorized access with privileged level access. To reduce this risk, automated termination of all temporary accounts must be set upon account creation. The DNS implementation must be configured such that it automatically recognizes and supports this activity and immediately enforces the current account policy.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-41896r1_chk )
Review the DNS system to ensure the system is configured to automatically terminate temporary accounts after an organization defined time period. If the ability to terminate temporary accounts is not automated or not utilized, this is a finding.
Fix Text (F-37763r1_fix)
Configure the DNS system to automatically terminate temporary accounts after the organization defined time period.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.