
The DNS implementation must automatically disable inactive accounts after an organization defined time period of inactivity.


Overview

Finding ID: V-33836
Version: SRG-NET-000004-DNS-000005
Rule ID: SV-44289r1_rule
IA Controls:
Severity: Medium
Description
Because most accounts in the domain name system are privileged or system-level accounts, account management and distribution are vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Inactive accounts could be reactivated or compromised by unauthorized users, allowing them to exploit vulnerabilities and maintain undetected access to the system. There is always a risk that inactive accounts will be reactivated or compromised by unauthorized users who could then gain full control of the device, thereby enabling them to trigger a Denial of Service, intercept sensitive information, or disrupt DNS availability.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text (C-41899r1_chk)
Review the DNS system to determine if the system automatically disables inactive accounts after an organization-defined time period. If the ability to disable inactive accounts is not automated or utilized, this is a finding.
Fix Text (F-37766r1_fix)
Configure the DNS system to automatically disable inactive accounts after the organization-defined time period of inactivity.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist, the underlying platform's account management system may be used.