
The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates.


Overview

Finding ID: V-4501
Version: DNS0805
Rule ID: SV-4501r1_rule
IA Controls: ECCD-1, ECCD-2
Severity: High
Description
There is significant vulnerability potential when the DHCP service runs under the computer account of a Windows Domain Controller, which is the default Windows configuration. That account has full control over all DNS objects stored in Active Directory, so the DHCP server is able to modify the SRV (and other) records of every Domain Controller. Because these records are replicated to the other domain controllers (AD-integrated DNS is required by the STIG), a compromise of the DHCP server could potentially compromise all of the Windows DNS servers in the domain.
STIG: Windows DNS
Date: 2015-12-28

Details

Check Text ( C-3561r1_chk )
Log in to the server with an account that has admin rights. Right-click “My Computer” on the desktop and click “Manage.” This brings up the “Computer Management” tool.

Click the plus sign next to “Services and Applications” on the left pane to expand it. Select “Services” on the left panel.

On the right pane, scroll down and select “DHCP Server.” Right-click “DHCP Server” and click “Properties.” This brings up the “DHCP Server Properties” dialog.

The reviewer will validate that the DHCP Server service is disabled: on the “General” tab of “DHCP Server Properties,” the “Startup type” drop-down must be set to “Disabled.” If the DHCP Server service is not disabled, this is a finding.
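The same check can be scripted so it can be run across many DNS servers. The following is an added example and is not part of the STIG check text. It assumes the DHCP Server service's internal name is DHCPServer (its name since Windows 2000), that the DNS Server service is named DNS, and that PowerShell is available on the host; it uses the WMI classes Win32_Service and Win32_ComputerSystem rather than Get-Service so that the startup type and the service account are available on older hosts too. The service account is reported because the description's concern is specifically a DHCP service running as LocalSystem (the computer account) on a domain controller.

```powershell
# Added example, not the STIG's own check text: scripted V-4501 / DNS0805 check.
# Assumptions: service names 'DHCPServer' and 'DNS'; WMI available.

function Test-Dns0805 {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $isDC = ($cs.DomainRole -ge 4)

    $dns  = Get-WmiObject -Class Win32_Service -Filter "Name='DNS'"
    $dhcp = Get-WmiObject -Class Win32_Service -Filter "Name='DHCPServer'"

    if ($null -eq $dhcp) {
        # Service not installed at all: nothing to disable, so no finding.
        $disabled = $true
        $runsAs   = $null
        $reason   = 'DHCP Server service is not installed'
    } elseif ($dhcp.StartMode -eq 'Disabled') {
        # This is the state the manual check looks for in the Services MMC.
        $disabled = $true
        $runsAs   = $dhcp.StartName
        $reason   = 'DHCP Server service startup type is Disabled'
    } else {
        # StartMode is 'Auto' or 'Manual'; either one is a finding.
        # StartName of 'LocalSystem' on a domain controller means the service
        # runs under the DC's computer account, the case the description warns about.
        $disabled = $false
        $runsAs   = $dhcp.StartName
        $reason   = "DHCP Server service startup type is '$($dhcp.StartMode)' (current state: $($dhcp.State))"
    }

    New-Object -TypeName PSObject -Property @{
        ComputerName       = $cs.Name
        IsDomainController = $isDC
        DnsServerInstalled = ($null -ne $dns)
        DhcpRunsAs         = $runsAs
        Finding            = (-not $disabled)
        Reason             = $reason
    }
}

Test-Dns0805 | Format-List ComputerName, IsDomainController, DnsServerInstalled, DhcpRunsAs, Finding, Reason
```

A result with Finding set to True on a host where IsDomainController and DnsServerInstalled are both True is exactly the condition this rule describes. Do not remediate by simply switching the startup type to Disabled on a server that is still handing out leases; the fix text below calls for moving the DHCP role to another machine first.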
Fix Text (F-4386r1_fix)
Working with appropriate SA and technical personnel, the IAO should plan to migrate the DHCP service to another machine as soon as it is feasible to do so.