The DNS implementation must notify the appropriate individuals when accounts are modified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33846	SRG-NET-000008-DNS-000009	SV-44299r1_rule		Low

Description
Account management and distribution is vital to the security of any DNS implementation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method and best practice for mitigating this risk. Account management, as a whole, ensures access to DNS elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper need to know validation, may gain access to critical systems. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.

Description

Account management and distribution is vital to the security of any DNS implementation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method and best practice for mitigating this risk. Account management, as a whole, ensures access to DNS elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper need to know validation, may gain access to critical systems. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-41903r1_chk )
Review the DNS system and/or configuration files to determine if the system notifies the appropriate individuals when accounts are modified. If there is not a viewable, configurable option, request the administrator modify an account and validate that notification is sent to the appropriate individuals. If the appropriate individuals are not notified upon account modification, this is a finding.

Fix Text (F-37776r1_fix)
Configure the DNS server to notify appropriate individuals upon account modification actions. The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.