UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must automatically lock out an account after the maximum number of unsuccessful attempts is exceeded and remain locked for an organization defined time period or until released by an administrator.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33933 SRG-NET-000040-DNS-000021 SV-44386r1_rule Medium
Description
One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts being successful, the DNS implementation must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and subsequently lock that account when the maximum numbers have been reached. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute force attack, is reduced.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-41942r1_chk )
Review the DNS system configuration to determine if there is a limit on invalid account access requests within a specified time period, and if the system locks the account after the limit has been reached within that specified period of time. If the system is not configured to lock out accounts for an organization defined time period after the maximum number of unsuccessful login attempts, this is a finding.
Fix Text (F-37846r1_fix)
Configure the DNS system to lock out accounts after the maximum number of unsuccessful login attempts is exceeded.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.