The DNS implementation must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the DNS systems being accessed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34096	SRG-NET-000145-DNS-000086	SV-44549r1_rule		Medium

Description
Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As users have access to many of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user, to include escalation of privileges. Multifactor authentication includes: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). When one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as "out of band two factor authentication" (OOB2FA). OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user. The use of DoD systems such as laptops may fulfill the "[ii] something a user has" portion of this requirement when accessing a non-privileged account provided such access is restricted to only systems using a cryptographic identification device (i.e. CAC reader).

Description

Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As users have access to many of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user, to include escalation of privileges. Multifactor authentication includes: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). When one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as "out of band two factor authentication" (OOB2FA). OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user. The use of DoD systems such as laptops may fulfill the "[ii] something a user has" portion of this requirement when accessing a non-privileged account provided such access is restricted to only systems using a cryptographic identification device (i.e. CAC reader).

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42055r1_chk )
Review DNS account management configuration and settings to determine whether one of the factors, when using multifactor authentication of non-privileged accounts via the network, is separate from the information system gaining access. If one of the factors is not a device separate from the information system gaining access (e.g., hardware token), this is a finding.

Fix Text (F-38006r1_fix)
Configure the DNS implementation to require multifactor authentication, with one of the factors being a device separate from the information system gaining access, when accessing non-privileged accounts via the network. The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.

Fix Text (F-38006r1_fix)

Configure the DNS implementation to require multifactor authentication, with one of the factors being a device separate from the information system gaining access, when accessing non-privileged accounts via the network.

The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.