
The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required.


Overview

Finding ID  Version  Rule ID         IA Controls  Severity
V-3626      DNS4590  SV-3626r1_rule  ECLP-1       Medium
Description
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
STIG Date
BIND DNS STIG 2015-01-05

Details

Check Text (C-3453r1_chk)
The reviewer can check permissions and ownership by looking at the properties of each file in “Windows Explorer.”

Note that there may be multiple zone files, key files, and log files. The reviewer should be able to produce a list of the files based on a quick examination of named.conf, which should have been obtained at the beginning of this module. The reviewer should check the permissions of each zone, key or log file when more than one exists on the name server.

The name of the root hints file is defined in named.conf. Common names for the root hints file are root.hints, named.cache, and db.cache.

FOLDER/FILE NAME               OWNER           USER/GROUP      PERMISSIONS
%systemroot%\system32\dns\bin  Administrators  Administrators  Full control
                                               dns-admins      Read
                                               dnsuser         Read&Execute/List Folder Contents\Read
%systemroot%\system32\dns\etc  Administrators  Administrators  Full control
                                               dns-admins      Change
                                               dnsuser         Change
named.conf                     Administrators  Administrators  Full control
                                               dns-admins      Change
                                               dnsuser         Read
named.pid                      Administrators  Administrators  Full control
                                               dns-admins      Read
                                               dnsuser         Change
named.stat                     Administrators  Administrators  Full control
                                               dns-admins      Read
                                               dnsuser         Change
root hints file                Administrators  Administrators  Full control
                                               dns-admins      Change
                                               dnsuser         Read
Any zone file                  Administrators  Administrators  Full control
                                               dns-admins      Change
                                               dnsuser         Change
Any TSIG key file              Administrators  dnsuser         Read

If permissions are more permissive than required, then this is a finding.
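
The check above can also be scripted. The following PowerShell is an added example, not part of the STIG text: it compares each file's owner and Allow ACEs with the table and reports anything outside it. It assumes named.conf, named.pid and named.stat sit in the dns\etc folder, maps "Change" to the Modify right, and takes the root hints, zone and key file paths as parameters whose names are illustrative.

```powershell
# Added example: compare BIND file ACLs on Windows with the STIG table.
param(
    [string]$DnsRoot = "$env:SystemRoot\system32\dns",
    [string]$RootHints = '',        # root hints path as named in named.conf
    [string[]]$ZoneFiles = @(),     # zone file paths listed in named.conf
    [string[]]$KeyFiles = @()       # TSIG key file paths
)
$R = [System.Security.AccessControl.FileSystemRights]
$Full = $R::FullControl; $Read = $R::Read; $RX = $R::ReadAndExecute
$Change = $R::Modify                # assumption: STIG "Change" = Modify
$sync = [int]$R::Synchronize        # implicit bit, ignored when comparing
$etc = "$DnsRoot\etc"               # assumption: named.* files live here

# Maximum rights per principal, one entry per row group of the table.
$expected = [ordered]@{
    "$DnsRoot\bin"    = @{ Administrators = $Full; 'dns-admins' = $Read;   dnsuser = $RX }
    $etc              = @{ Administrators = $Full; 'dns-admins' = $Change; dnsuser = $Change }
    "$etc\named.conf" = @{ Administrators = $Full; 'dns-admins' = $Change; dnsuser = $Read }
    "$etc\named.pid"  = @{ Administrators = $Full; 'dns-admins' = $Read;   dnsuser = $Change }
    "$etc\named.stat" = @{ Administrators = $Full; 'dns-admins' = $Read;   dnsuser = $Change }
}
if ($RootHints) { $expected[$RootHints] = @{ Administrators = $Full; 'dns-admins' = $Change; dnsuser = $Read } }
foreach ($z in $ZoneFiles) { $expected[$z] = @{ Administrators = $Full; 'dns-admins' = $Change; dnsuser = $Change } }
foreach ($k in $KeyFiles)  { $expected[$k] = @{ dnsuser = $Read } }

$findings = foreach ($path in $expected.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
    $acl = Get-Acl -LiteralPath $path
    $allowed = $expected[$path]
    if (($acl.Owner -split '\\')[-1] -ne 'Administrators') {
        [pscustomobject]@{ Path = $path; Issue = "Owner is $($acl.Owner)" }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = ($ace.IdentityReference.Value -split '\\')[-1]   # drop domain prefix
        $rights = [int]$ace.FileSystemRights -band (-bnot $sync)
        if (-not $allowed.ContainsKey($who)) {
            [pscustomobject]@{ Path = $path; Issue = "Unexpected principal $($ace.IdentityReference)" }
        } elseif ($rights -band (-bnot [int]$allowed[$who])) {
            # Any bit outside the allowed mask is more permissive than the table.
            [pscustomobject]@{ Path = $path; Issue = "$who has $($ace.FileSystemRights)" }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```

Principals that are not in the table, including inherited entries, are reported rather than ignored, so each one gets a manual review against the finding criterion.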
Fix Text (F-3557r1_fix)
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG.