The login credentials for an emergency account must be physically protected.


Overview

Finding ID: V-33835
Version: SRG-NET-000003-DNS-000004
Rule ID: SV-44288r1_rule
IA Controls:
Severity: Medium
Description
As most accounts in the domain name system are privileged or system-level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. A single account can be created within the system's account management application for use in an emergency, such as when the administrator's account is unavailable. The emergency account logon credentials must be stored in a sealed envelope and kept in a safe. However, if the account remains in place and active when it is no longer required, an adversary could use the account unnoticed. As accounts are created or terminated and privilege levels are updated, the DNS implementation must be configured such that it automatically recognizes and supports this activity and immediately enforces the current account policy.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41898r1_chk)
If there is a single emergency DNS account, verify with the system administrator that the login credentials for the account are sealed in an envelope and locked in a safe. If the login credentials are not protected in this fashion, this is a finding.
Fix Text (F-37765r2_fix)
Create an emergency account. Place the login credentials in a sealed envelope and place the envelope in a safe.