UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The login credentials for an emergency account must be physically protected.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33835 SRG-NET-000003-DNS-000004 SV-44288r1_rule Medium
Description
As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. A single account can be created within the systems account management application for use in an emergency, such as when the administrator's account is unavailable. The emergency account logon credentials must be stored in a sealed envelope and kept in a safe. However, when the account remains in place and active when no longer required, there is the potential for an adversary to utilize the account unnoticed. As accounts are created or terminated and privilege levels are updated, the DNS implementation must be configured such that it automatically recognizes and supports this activity and immediately enforces the current account policy.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-41898r1_chk )
If there is a single emergency DNS account, verify with the system administrator that the login credentials for the account are sealed in an envelope and locked in a safe. If the login credentials are not protected in this fashion, this is a finding.
Fix Text (F-37765r2_fix)
Create an emergency account. Place the login credentials in a sealed envelope and place the envelope in a safe.