UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must automatically disable inactive accounts after an organization defined time period of inactivity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33836 SRG-NET-000004-DNS-000005 SV-44289r1_rule Medium
Description
As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Inactive accounts could be reactivated or compromised by unauthorized users allowing them to exploit vulnerabilities and maintain undetected access to the system. There is always a risk for inactive accounts to be reactivated or compromised by unauthorized users who could then gain full control of the device; thereby, enabling them to trigger a Denial of Service, intercept sensitive information, or disrupt the DNS availability.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-41899r1_chk )
Review the DNS system to determine if the system automatically disables inactive accounts after an organization defined time period. If the ability to disable inactive accounts is not automated or utilized, this is a finding.
Fix Text (F-37766r1_fix)
Configure the DNS system to automatically disable inactive accounts after the organization defined time period of inactivity.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.