
The DNS implementation must automatically lock out an account after the maximum number of unsuccessful attempts is exceeded and remain locked for an organization defined time period or until released by an administrator.


Overview

Finding ID: V-33933
Version: SRG-NET-000040-DNS-000021
Rule ID: SV-44386r1_rule
IA Controls: (none listed)
Severity: Medium
Description
One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts being successful, the DNS implementation must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and subsequently lock that account when the maximum number has been reached. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as a brute-force attack, is reduced.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-41942r1_chk )
Review the DNS system configuration to determine if there is a limit on invalid account access requests within a specified time period, and if the system locks the account after the limit has been reached within that specified period of time. If the system is not configured to lock out accounts for an organization defined time period after the maximum number of unsuccessful login attempts, this is a finding.
Fix Text (F-37846r1_fix)
Configure the DNS system to lock out accounts after the maximum number of unsuccessful login attempts is exceeded.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist, the underlying platform's account management system may be used.
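The lockout behaviour this requirement describes (count consecutive failures inside a time window, lock at the threshold, release after an organization-defined period or on administrator action) is modelled below as an added example; it is not code from the STIG or from any DNS product, and the threshold, window and lockout duration are constructed sample values. Time is passed in explicitly so the logic can be exercised deterministically.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3                        # organization-defined threshold (sample value)
    fail_window: float = 900.0                   # seconds within which failures count as consecutive
    lockout_duration: Optional[float] = 900.0    # seconds locked; None = locked until admin release


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failed attempts
    locked_at: Optional[float] = None                    # timestamp the lock was applied


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        dur = self.policy.lockout_duration
        if dur is not None and now - st.locked_at >= dur:
            st.locked_at = None      # lockout period expired: release and reset the counter
            st.failures.clear()
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: float) -> bool:
        """Record a login attempt; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True              # even a correct password is refused while locked
        st = self._state(user)
        if success:
            st.failures.clear()      # a successful login resets the consecutive-failure count
            return False
        # drop failures that fell outside the window so they no longer count
        st.failures = [t for t in st.failures if now - t < self.policy.fail_window]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_at = now
            return True
        return False

    def admin_release(self, user: str) -> None:
        """Administrator manually releases the lock and clears the failure history."""
        st = self._state(user)
        st.locked_at = None
        st.failures.clear()
```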