UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Computer accounts for DHCP servers are members of the DNSUpdateProxy group.


Overview

Finding ID Version Rule ID IA Controls Severity
V-12479 DNS0260 SV-13038r1_rule ECLP-1 Medium
Description
A built-in security group, DNSUpdateProxy, is provided as of Windows 2000. This group can update DNS records for clients without becoming the owner of the records. When DHCP servers are added as members of this group, any of the (member) DHCP servers can update the records. The first user that is not a member of the DNSUpdateProxy group to modify the records associated with a client; becomes the owner. There is a vulnerability for all servers (even non-domain controllers) on which a DHCP service runs. The DNS records associated with the DHCP server host could be modified by other DHCP servers that are members of the DNSUpdateProxy group. In order to prevent this from occurring, DHCP should not be installed on a domain controller if the group DNSUpdateProxy is utilized.
STIG Date
Windows DNS 2015-12-28

Details

Check Text ( C-8639r1_chk )
Review the membership of the DNSUpdateProxy group to determine if any of the computer accounts are DHCP servers. If there are any computer accounts for DHCP servers, this is a finding.

View Computer Management, Local Users and Groups, Groups. Review the membership of the DNSUpdateProxy group to determine if any of the accounts are DHCP servers.
Fix Text (F-11799r1_fix)
The IAO will ensure computer accounts for DHCP servers are not members of the DNSUpdateProxy group.