
The DNS implementation must uniquely identify and authenticate all organizational users for access to accounts.


Overview

Finding ID: V-34089
Version: SRG-NET-000138-DNS-000079
Rule ID: SV-44542r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network element. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or, in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network element, providing an opportunity for intruders to compromise resources within the network infrastructure.

While the DNS application itself does not employ interactive users, the platform on which the DNS application resides may allow them, depending on the implementation. As such, the DNS implementation, as a whole, must disallow direct access to the system through group accounts. For example, on a UNIX-based system running in an operational state, the user "root" should not be able to log directly onto the system. An individual wishing to access root functions should first log into the system using their individual account and then use the "sudo" command to gain root access.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42048r1_chk)
Review the DNS system's authentication methods and settings to verify individual account identifiers are utilized to gain network access to accounts. If individual account identifiers are not utilized, this is a finding.
Fix Text (F-37999r1_fix)
Configure the DNS system to utilize individual account identifiers for network access to the server.
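
One way to support the check above on the UNIX example from the description, shown as an added example that is not part of the SRG: the script flags shared UIDs, extra UID 0 accounts, and direct root logon. It assumes a passwd-format account file and that remote access is through OpenSSH (`sshd_config`); the function names and sample data are constructed for illustration.

```shell
# Added example: flag settings that defeat individual identification.

# Print UIDs assigned to more than one account (a shared identity).
duplicate_uids() {
    awk -F: '!/^#/ && NF >= 3 { n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Print accounts other than root that carry UID 0.
extra_uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the global PermitRootLogin value. sshd keeps the first value it
# reads; OpenSSH defaults to "prohibit-password" when the keyword is unset.
# Simplification (assumption): Match blocks and Include files are skipped.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "prohibit-password" }' "$1"
}

# Print findings; return 0 when clean, 1 when anything was reported.
audit_individual_ids() {
    rc=0
    for u in $(duplicate_uids "$1"); do
        echo "FINDING: UID $u is shared by multiple accounts"; rc=1
    done
    for a in $(extra_uid0_accounts "$1"); do
        echo "FINDING: $a has UID 0 (a second root identity)"; rc=1
    done
    v=$(permit_root_login "$2")
    if [ "$v" != "no" ]; then
        echo "FINDING: PermitRootLogin is '$v'; root can log on directly"; rc=1
    fi
    return $rc
}

# Constructed sample input (not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
dnsadmin:x:1001:1001:shared admin:/home/dnsadmin:/bin/bash
EOF
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$demo_dir/sshd_config"
audit_individual_ids "$demo_dir/passwd" "$demo_dir/sshd_config" || true
```

On a live host the two arguments would normally be `/etc/passwd` and `/etc/ssh/sshd_config`; console and other non-SSH logon paths need a separate review.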