The DNS implementation must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the DNS implementation being accessed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34095	SRG-NET-000144-DNS-000085	SV-44548r1_rule		Medium

Description
Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As privileged users have access to most of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user. Multifactor authentication includes: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). When one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as "out of band two factor authentication" (OOB2FA). OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user. The use of DoD systems, such as laptops, may fulfill the "[ii] something a user has" portion of this requirement when accessing a privileged account provided such access is restricted to only systems using a cryptographic identification device (i.e. CAC reader).

Description

Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As privileged users have access to most of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user. Multifactor authentication includes: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). When one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as "out of band two factor authentication" (OOB2FA). OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user. The use of DoD systems, such as laptops, may fulfill the "[ii] something a user has" portion of this requirement when accessing a privileged account provided such access is restricted to only systems using a cryptographic identification device (i.e. CAC reader).

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42054r1_chk )
Review DNS account management configuration and settings to determine whether one of the factors, when using multifactor authentication of privileged accounts via the network, is separate from the information system gaining access. If one of the factors is not a device separate from the information system gaining access (e.g., hardware token), this is a finding.

Fix Text (F-38005r1_fix)
Configure the DNS implementation to require multifactor authentication, with one of the factors being a device separate from the information system gaining access, when accessing privileged accounts via the network.