
Computer accounts for DHCP servers are members of the DNSUpdateProxy group.


Overview

Finding ID: V-12479
Version: DNS0260
Rule ID: SV-13038r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
A built-in security group, DNSUpdateProxy, is provided as of Windows 2000. This group can update DNS records for clients without becoming the owner of the records. When DHCP servers are added as members of this group, any of the member DHCP servers can update the records. The first user who is not a member of the DNSUpdateProxy group to modify the records associated with a client becomes the owner. This creates a vulnerability for all servers (even non-domain controllers) on which a DHCP service runs: the DNS records associated with the DHCP server host could be modified by other DHCP servers that are members of the DNSUpdateProxy group. To prevent this from occurring, DHCP should not be installed on a domain controller if the DNSUpdateProxy group is utilized.
STIG: Windows DNS
Date: 2015-12-28

Details

Check Text (C-8639r1_chk)
Review the membership of the DNSUpdateProxy group to determine if any of the computer accounts are DHCP servers. If there are any computer accounts for DHCP servers, this is a finding.

View Computer Management, Local Users and Groups, Groups. Review the membership of the DNSUpdateProxy group to determine if any of the accounts are DHCP servers.
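
The membership review above can be scripted. The following PowerShell is an added example, not part of the STIG text; the function name Find-DhcpServerInDnsUpdateProxy and the sample hosts are hypothetical, and it assumes each computer's sAMAccountName matches the first label of its DNS name.

```powershell
# Added example (not from the STIG): flag DHCP server computer accounts
# that are members of DNSUpdateProxy (finding V-12479).
function Find-DhcpServerInDnsUpdateProxy {
    param(
        # Group members: objects exposing objectClass and SamAccountName,
        # as returned by Get-ADGroupMember.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members,
        # DNS names of the DHCP servers to test against.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $DhcpServerNames
    )
    # Reduce each DHCP server name to its first DNS label (short host name).
    $dhcpHosts = @($DhcpServerNames | ForEach-Object { ($_ -split '\.')[0] })

    foreach ($m in $Members) {
        # Only computer accounts are in scope for this check.
        if ($m.objectClass -ne 'computer') { continue }
        # Computer sAMAccountNames carry a trailing '$'.
        $short = $m.SamAccountName.TrimEnd('$')
        # -contains compares case-insensitively.
        if ($dhcpHosts -contains $short) {
            [pscustomobject]@{ Computer = $m.SamAccountName; Finding = 'V-12479' }
        }
    }
}

# Live data sources (need the ActiveDirectory and DhcpServer modules).
# Get-DhcpServerInDC lists only DHCP servers authorized in Active Directory,
# so any other DHCP hosts must be added to the list by hand:
#   $members = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive
#   $dhcp    = (Get-DhcpServerInDC).DnsName

# Constructed sample data so the example runs offline.
$members = @(
    [pscustomobject]@{ objectClass = 'computer'; SamAccountName = 'DHCP01$' }
    [pscustomobject]@{ objectClass = 'computer'; SamAccountName = 'FILE07$' }
    [pscustomobject]@{ objectClass = 'user';     SamAccountName = 'svc-dns' }
)
$dhcp = @('dhcp01.example.test', 'dhcp02.example.test')

$hits = @(Find-DhcpServerInDnsUpdateProxy -Members $members -DhcpServerNames $dhcp)
if ($hits.Count -gt 0) {
    $hits                      # DHCP01$ is reported for the sample data
    Write-Output 'Result: finding'
} else {
    Write-Output 'Result: not a finding'
}
```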
Fix Text (F-11799r1_fix)
The IAO will ensure computer accounts for DHCP servers are not members of the DNSUpdateProxy group.