The DNS implementation must enforce the number of characters changed when passwords are changed.


Overview

Finding ID: V-34110
Version: SRG-NET-000159-DNS-000098
Rule ID: SV-44563r1_rule
IA Controls:
Severity: Medium
Description
Passwords need to be changed at specific policy-based intervals to avoid almost certain compromise. Any password, no matter how complex, can eventually be cracked and, therefore, must be changed frequently. However, if users are allowed to change a password only slightly, without changing most of the characters, and that password were to be compromised, it would take very little effort on the attacker's part to determine what the new password is. If a malicious user has obtained an older password associated with a user, and the authorized user changes only one or two characters each time, it will require far fewer resources and far less time for the unauthorized or malicious user to figure out new passwords.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42070r1_chk )
Review the DNS account management configuration settings to determine whether the DNS implementation enforces the requirement to change a minimum organization-defined number of characters when passwords are changed. If not, this is a finding.

The account management functions will be performed by the name server application if the capability exists. If the capability does not exist, the underlying platform's account management system may be used.
Fix Text (F-38020r1_fix)
Configure the DNS implementation settings to force a minimum organization-defined number of characters to change when a password is changed.
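The following is an added illustration of the check the fix text asks for; it is not part of the SRG and not the code of any name server or platform. Common name servers have no account store of their own, so on Linux hosts this requirement is normally satisfied by the host's PAM password-quality module (the `difok` setting of pam_pwquality or pam_cracklib), and the `chars_changed`, `effective_change` and `check_min_change` functions below are hypothetical names chosen for this example. It uses edit distance rather than a position-by-position comparison, because the latter under-counts when a user merely appends a character, and it treats a reversed or re-cased old password as essentially unchanged, which is the kind of low-effort variation the description warns about.

```python
# Added example (not part of the STIG text): a reference implementation of a
# "minimum characters changed" password-change rule. Names are hypothetical;
# the organization-defined minimum is passed in as min_changed.


def chars_changed(old: str, new: str) -> int:
    """Levenshtein edit distance between an old and a new password.

    Counting differences position by position under-counts when the user
    simply appends or prepends a character ("Winter2023" -> "Winter2023!"),
    so the minimum number of single-character inserts, deletes and
    substitutions is used instead.
    """
    prev = list(range(len(new) + 1))  # distances from "" to each prefix of new
    for i, oc in enumerate(old, start=1):
        cur = [i]  # distance from old[:i] to ""
        for j, nc in enumerate(new, start=1):
            cost = 0 if oc == nc else 1
            cur.append(min(prev[j] + 1,          # delete oc
                           cur[j - 1] + 1,       # insert nc
                           prev[j - 1] + cost))  # substitute oc with nc
        prev = cur
    return prev[-1]


def effective_change(old: str, new: str) -> int:
    """Characters changed, after discounting trivial transformations.

    Reversing the old password or toggling its case costs an attacker who
    already knows the old value nothing, so both variants are compared
    case-insensitively and the smallest distance is reported.
    """
    variants = (old, old[::-1])
    return min(chars_changed(v.lower(), new.lower()) for v in variants)


def check_min_change(old: str, new: str, min_changed: int) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change.

    min_changed is the organization-defined minimum number of characters
    that must differ between the old and new password.
    """
    if new == old:
        return False, "new password is identical to the old one"
    changed = effective_change(old, new)
    if changed < min_changed:
        return False, (f"only {changed} character(s) effectively changed; "
                       f"policy requires at least {min_changed}")
    return True, f"{changed} character(s) changed"


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old_pw, new_pw in [("Winter2023", "Winter2024"),
                           ("Winter2023", "3202retniW"),
                           ("Winter2023", "Tulip!Shed9")]:
        ok, why = check_min_change(old_pw, new_pw, min_changed=4)
        print(f"{'ACCEPT' if ok else 'REJECT'}: {old_pw!r} -> {new_pw!r}: {why}")
```

The edit-distance check is deliberately conservative: it measures how much of the new password an attacker holding the old one would still need to guess, which is the risk the description spells out, and it is independent of any complexity rule applied separately.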