Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3626 | DNS4590 | SV-3626r1_rule | ECLP-1 | Medium |
Description |
---|
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files. |
STIG | Date |
---|---|
BIND DNS STIG | 2015-01-05 |
Check Text ( C-3453r1_chk ) |
---|
The reviewer can check permissions and ownership by looking at the properties of each file in “Windows Explorer.” Note that there may be multiple zone files, key files, and log files. The reviewer should be able to produce a list of the files based on a quick examination of named.conf, which should have been obtained at the beginning of this module. The reviewer should check the permissions of each zone, key or log file when more than one exists on the name server. The name of the root hints file is defined in named.conf. Common names for the root hints file are root.hints, named.cache, and db.cache. |

FOLDER/FILE NAME | OWNER | USER/GROUP | PERMISSIONS |
---|---|---|---|
%systemroot%\system32\dns\bin | Administrators | Administrators | Full control |
 | | dns-admins | Read |
 | | dnsuser | Read&Execute/List Folder Contents\Read |
%systemroot%\system32\dns\etc | Administrators | Administrators | Full control |
 | | dns-admins | Change |
 | | dnsuser | Change |
named.conf | Administrators | Administrators | Full control |
 | | dns-admins | Change |
 | | dnsuser | Read |
named.pid | Administrators | Administrators | Full control |
 | | dns-admins | Read |
 | | dnsuser | Change |
named.stat | Administrators | Administrators | Full control |
 | | dns-admins | Read |
 | | dnsuser | Change |
root hints file | Administrators | Administrators | Full control |
 | | dns-admins | Change |
 | | dnsuser | Read |
Any zone file | Administrators | Administrators | Full control |
 | | dns-admins | Change |
 | | dnsuser | Change |
Any TSIG key file | Administrators | dnsuser | Read |

If permissions are more permissive than required, then this is a finding.
Fix Text (F-3557r1_fix) |
---|
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG. |
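The check above is a manual walk through Windows Explorer. The following PowerShell script is an added example (not part of the STIG) that reads the same baseline table and reports any owner or Allow ACE that is more permissive than the table requires. It assumes BIND is installed under %systemroot%\system32\dns, that the local principals `dns-admins` and `dnsuser` exist, and that the STIG's "Change" maps to the NTFS Modify right and "Read&Execute/List Folder Contents\Read" to ReadAndExecute. The root hints, zone and TSIG key file names are placeholders; take the real names from named.conf.

```powershell
# Added example: audit BIND file ACLs against the V-3626 baseline. Reports only; changes nothing.
$dnsRoot = Join-Path $env:SystemRoot 'system32\dns'

# Map the STIG's permission labels onto FileSystemRights masks (assumed mapping).
$Rights = @{
    'Full control' = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    'Change'       = [int][System.Security.AccessControl.FileSystemRights]::Modify
    'Read'         = [int][System.Security.AccessControl.FileSystemRights]::Read
    'Read&Execute' = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

# Placeholders: substitute the file names declared in named.conf.
$rootHints = Join-Path $dnsRoot 'etc\root.hints'
$zoneFile  = Join-Path $dnsRoot 'etc\example.zone'
$tsigKey   = Join-Path $dnsRoot 'etc\tsig.key'

# Baseline transcribed from the STIG table: expected owner and the maximum right per principal.
$Baseline = @(
    @{ Path = Join-Path $dnsRoot 'bin';            Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Read';   'dnsuser' = 'Read&Execute' } }
    @{ Path = Join-Path $dnsRoot 'etc';            Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Change'; 'dnsuser' = 'Change' } }
    @{ Path = Join-Path $dnsRoot 'etc\named.conf'; Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Change'; 'dnsuser' = 'Read' } }
    @{ Path = Join-Path $dnsRoot 'etc\named.pid';  Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Read';   'dnsuser' = 'Change' } }
    @{ Path = Join-Path $dnsRoot 'etc\named.stat'; Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Read';   'dnsuser' = 'Change' } }
    @{ Path = $rootHints; Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Change'; 'dnsuser' = 'Read' } }
    @{ Path = $zoneFile;  Owner = 'Administrators'
       Acl = @{ 'Administrators' = 'Full control'; 'dns-admins' = 'Change'; 'dnsuser' = 'Change' } }
    # The STIG lists only dnsuser Read for TSIG key files.
    @{ Path = $tsigKey;   Owner = 'Administrators'
       Acl = @{ 'dnsuser' = 'Read' } }
)

function Test-DnsFileAcl {
    param([hashtable]$Entry)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Entry.Path)) {
        return "$($Entry.Path): not found (confirm the path in named.conf)"
    }
    $acl = Get-Acl -LiteralPath $Entry.Path

    # Owner is reported as 'BUILTIN\Administrators' or 'MACHINE\user'; compare the leaf name.
    $owner = ($acl.Owner -split '\\')[-1]
    if ($owner -ne $Entry.Owner) {
        $findings += "$($Entry.Path): owner is '$($acl.Owner)', expected '$($Entry.Owner)'"
    }

    foreach ($ace in $acl.Access) {
        # Deny entries only tighten access, so they never make a file too permissive.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if (-not $Entry.Acl.ContainsKey($who)) {
            $findings += "$($Entry.Path): unexpected principal '$($ace.IdentityReference)' with $($ace.FileSystemRights)"
            continue
        }
        $allowed = $Rights[$Entry.Acl[$who]]
        $actual  = [int]$ace.FileSystemRights
        # Any right bit set outside the allowed mask is more permissive than the table requires.
        # Inherited ACEs carrying generic rights show up as raw numbers and are flagged here too;
        # review those by hand in the file's Security tab.
        if (($actual -band (-bnot $allowed)) -ne 0) {
            $findings += "$($Entry.Path): '$who' has $($ace.FileSystemRights), limit is $($Entry.Acl[$who])"
        }
    }
    return $findings
}

$results = foreach ($entry in $Baseline) { Test-DnsFileAcl -Entry $entry }
if ($results) {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No owner or ACE is more permissive than the STIG baseline.'
}
```

Run it in an elevated PowerShell session on the name server; any `FINDING:` line corresponds to the "more permissive than required" condition in the check text and should be corrected per the fix text. Because the script compares right masks rather than the friendly names Explorer shows, it also catches entries such as Write or Delete granted on top of Read that are easy to miss in the GUI.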