The DNS implementation must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33932 | SRG-NET-000039-DNS-000020 | SV-44385r1_rule | Medium |
| Description |
|---|
| One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts being successful, the DNS implementation must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and subsequently lock that account when the maximum numbers have been reached. By limiting the number of failed login attempts within a specified time period, the risk of unauthorized system access via user password guessing, otherwise known as brute force attack, is reduced. |
| STIG | Date |
|---|---|
| Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Details
| Check Text ( C-41941r1_chk ) |
|---|
| Review the DNS system configuration to determine if the time period has been configured in which the system will take action for consecutive invalid login attempts. If the system is not configured to enforce the organization defined time period, this is a finding. |
| Fix Text (F-37845r1_fix) |
|---|
| Configure the DNS system to enforce the specified time period defined for consecutive invalid login attempts. The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used. |