The DNS implementation must automatically audit the creation of accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33837	SRG-NET-000005-DNS-000006	SV-44290r1_rule		Medium

Description
Account management and distribution is vital to the security of any DNS implementation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method and best practice for mitigating this risk. Account management, as a whole, ensures access to DNS elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper need to know validation, may gain access to critical systems. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.

Description

Account management and distribution is vital to the security of any DNS implementation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method and best practice for mitigating this risk. Account management, as a whole, ensures access to DNS elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper need to know validation, may gain access to critical systems. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-41900r1_chk )
Review the DNS system and/or configuration files to determine if the system is configured to audit for account creation. If the system is not configured to audit account creation, this is a finding.

Fix Text (F-37767r1_fix)
Configure the DNS system to audit all account creation. Auditing functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's audit system may be used.