The DNS implementation must automatically terminate emergency accounts after an organization defined time period.


Overview

Finding ID: V-33834
Version: SRG-NET-000003-DNS-000003
Rule ID: SV-44287r1_rule
IA Controls:
Severity: Medium
Description
As most accounts in the domain name system are privileged or system-level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Emergency accounts are established in response to crisis situations and with the need for rapid account activation; therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts are not to be confused with infrequently used accounts (e.g., local login accounts used for special tasks defined by organizations or when network resources are unavailable); such accounts remain available and are not subject to automatic termination dates. If accounts intended for emergency use remain active when no longer needed, they may be used to gain unauthorized, privileged-level access. To reduce this risk, automated termination of all emergency accounts must be set upon account creation. The DNS implementation must be configured such that it automatically recognizes and supports this activity and immediately enforces the current account policy.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41897r1_chk)
Review the DNS system to determine if the system is configured to automatically terminate emergency accounts after an organization-defined time period. If the DNS system does not automatically terminate emergency accounts after an organization-defined time period, this is a finding.
Fix Text (F-37764r1_fix)
Configure the DNS system to automatically terminate emergency accounts after an organization-defined time period.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist, the underlying platform's account management system may be used.
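As an added example that is not part of the SRG text, the following POSIX shell script shows how both the Check Text and the Fix Text can be carried out on the underlying platform's account management system, which is the fallback the Fix Text allows when the DNS application cannot expire accounts itself. It assumes a Linux host where accounts live in /etc/shadow and are managed with chage and useradd, that emergency accounts follow a hypothetical "emg-" login-name convention, and that the organization-defined window is 3 days; the shadow lines in the script are constructed sample data, not real entries.

```shell
#!/bin/sh
# Added example, not from the SRG: audit and set expiry for emergency accounts
# via the platform's account management (shadow-utils), as the Fix Text allows
# when the DNS application itself cannot expire accounts.
#
# Assumptions (not stated in the SRG):
#   - emergency accounts use the hypothetical login prefix "emg-"
#   - the organization-defined window is 3 days
#   - the host is Linux with /etc/shadow and the chage/useradd utilities

MAX_DAYS=3            # organization-defined termination window (assumption)
EMERG_PREFIX="emg-"   # hypothetical naming convention for emergency accounts

# Constructed sample of /etc/shadow lines (no real hashes):
# login:hash:lastchg:min:max:warn:inactive:expire:reserved
# "expire" (field 8) is days since 1970-01-01; empty means the account never expires.
SAMPLE_SHADOW='emg-dnsops:$6$sample1:19650:0:99999:7::19652:
emg-resolver:$6$sample2:19640:0:99999:7:::
emg-stale:$6$sample3:19640:0:99999:7::19700:
named:!:19600:0:99999:7:::
root:$6$sample4:19600:0:99999:7:::'

# check_shadow TODAY  (reads shadow-format lines on stdin; TODAY = days since epoch)
# Implements the Check Text: prints one line per emergency account that is a finding,
#   "<login> NO_EXPIRY"              expire field empty, account never terminates
#   "<login> EXPIRY_TOO_FAR <days>"  expires later than today + MAX_DAYS
# Exit status 1 if any finding was printed, 0 otherwise.
check_shadow() {
    awk -F: -v today="$1" -v max="$MAX_DAYS" -v pfx="$EMERG_PREFIX" '
        index($1, pfx) != 1 { next }                 # not an emergency account
        $8 == "" { print $1, "NO_EXPIRY"; bad = 1; next }
        ($8 - today) > max { print $1, "EXPIRY_TOO_FAR", $8 - today; bad = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

# set_expiry LOGIN DAYS [TODAY]
# Implements the Fix Text for an existing account: builds the chage command that sets
# the expiry DAYS days from today. chage -E accepts days since 1970-01-01, so only
# integer arithmetic is needed. The command is printed rather than executed so the
# example runs without root; pipe it to sh (as root) to apply it. For a new account,
# the same window is set at creation with: useradd -e YYYY-MM-DD <login>
set_expiry() {
    login="$1"; days="$2"
    today="${3:-$(( $(date +%s) / 86400 ))}"
    printf 'chage -E %s %s\n' "$((today + days))" "$login"
}

# Usage against the live file (run as root):
#   check_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow || echo "finding"
# With the constructed sample and today = day 19650:
printf '%s\n' "$SAMPLE_SHADOW" | check_shadow 19650 \
    || echo "finding: emergency accounts without enforced termination"
set_expiry emg-resolver "$MAX_DAYS" 19650
```

The check flags two distinct failure modes the Check Text covers: an emergency account with no expiry at all (it would remain active indefinitely) and one whose expiry lies beyond the organization-defined window (termination is configured but does not enforce the policy). Accounts that are not emergency accounts, such as the service account for the name server, are deliberately skipped, matching the SRG's note that infrequently used accounts are not subject to automatic termination.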