UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4501 DNS0805 SV-4501r1_rule ECCD-1 ECCD-2 High
Description
There is a significant vulnerability potential when the DHCP service runs using the computer account of a Windows Domain Controller, as in the default Windows configuration. This account has full control over all DNS objects stored in Active Directory. In this case the DHCP server has access to modify the SRV (and other) records for all the Domain Controllers. When these records were replicated to other domain controllers (when AD Integrated DNS is used as required by the STIG), all the Windows DNS servers could potentially be compromised.
STIG Date
Windows DNS 2015-12-28

Details

Check Text ( C-3561r1_chk )
Log in to the server with an account that has admin rights. Right-click “My Computer” on the desktop and click “Manage.” This brings up the “Computer Management” tool.

Click the plus sign next to “Services and Applications” on the left pane to expand it. Select “Services” on the left panel.

On the right pane, scroll down and select “DHCP Server.” Right-click “DHCP Server” and click “Properties.” This brings up the “DCHP Server Properties”.

The reviewer will validate the DHCP server service is disabled. The “Disabled” drop down selection is to be selected on the “General” tab of the “DHCP Server Properties.” If the DHCP server service is not disabled, then this is a finding.
Fix Text (F-4386r1_fix)
Working with appropriate SA and technical personnel, the IAO should plan to migrate the DHCP service to another machine as soon as it is feasible to do so.