The DNS implementation must enforce a two-person rule for changes to organization defined information system components and system-level information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34065	SRG-NET-000122-DNS-000073	SV-44518r1_rule		Medium

Description
Any changes to the hardware, software, and/or firmware components of the DNS implementation can potentially have significant effects on the overall security of the system. Therefore, only qualified and authorized individuals should be allowed to obtain access to the DNS system components for the purposes of implementing any changes or upgrades. A two person rule requires two separate individuals acknowledge and approve those changes. Enforcing a two person rule for changes to critical application components helps to reduce risks pertaining to availability and integrity.

Description

Any changes to the hardware, software, and/or firmware components of the DNS implementation can potentially have significant effects on the overall security of the system. Therefore, only qualified and authorized individuals should be allowed to obtain access to the DNS system components for the purposes of implementing any changes or upgrades. A two person rule requires two separate individuals acknowledge and approve those changes. Enforcing a two person rule for changes to critical application components helps to reduce risks pertaining to availability and integrity.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42031r1_chk )
Review DNS vendor documentation to determine whether the DNS implementation is capable of supporting a two-person authorization rule. If the implementation has the capability to support a two-person rule, verify the DNS access control settings for two-person authorization is enabled for organization defined DNS components and system-level information. If the implementation is not capable of supporting a two-person authorization rule this technical control is NA. If the implementation is capable of supporting the two-person authorization rule and it is not enabled, this is a finding.

Check Text ( C-42031r1_chk )

Review DNS vendor documentation to determine whether the DNS implementation is capable of supporting a two-person authorization rule.

If the implementation has the capability to support a two-person rule, verify the DNS access control settings for two-person authorization is enabled for organization defined DNS components and system-level information.

If the implementation is not capable of supporting a two-person authorization rule this technical control is NA.

If the implementation is capable of supporting the two-person authorization rule and it is not enabled, this is a finding.

Fix Text (F-37979r1_fix)
Configure the DNS implementation to enforce a two-person rule for changes to organization defined information system components and system-level information. If the implementation is not capable of supporting the two-person rule, the rule should be implemented through policy.