Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4473 | DNS0415 | SV-4473r2_rule | ECSC-1 | Medium |
Description |
---|
Even a securely configured operating system is vulnerable to the flaws of the programs that run on it. To prevent DNS software from being subjected to the vulnerabilities of other programs and services, the DNS server will not run other programs and services at all, or at least run only those programs that are necessary for either OS or DNS support. |
STIG | Date |
---|---|
BIND DNS STIG | 2015-01-05 |
Check Text ( C-3483r1_chk ) |
---|
During the initial interviews, the reviewer may have already identified that a name server is supporting production services other than DNS. At this point, the reviewer should validate that response through a hands-on check of the actual name server. UNIX The only permitted services to be running on a DNS UNIX BIND server are those implementing: - DNS - Secure shell - Host intrusion detection - Host file integrity - Network management or monitoring - Anti-virus - Backup - UPS - NTP The below are not permitted: Services started through inetd.conf: admind, chargen, echo, etherstatd, fingerd, ftpd, httpd, ICQ server, identd, netstat, netstatd, nit, nntp, nsed, nsemntd, pfilt, portd, quaked, rexd, rexecd, rje_mapper, rlogind, rpc_3270, rpc_alias, rpc_database, rpc_keyserv, rpc_sched, rquotad, rsh, rstatd, rusersd, selectd, serverd, showfhd, sprayd, statmon, sunlink_mapper, sysstat, talkd, telnetd, tfsd, tftpd, timed, ttdb, ugidd, uucpd, and walld. Services started at boot time: NFS client, NFS server process and SNMP daemon, automounter, printer queue daemon, and RPC portmapper. (For Solaris, disable the following scripts in rc2.d: S73nfs.client, S74autofs, S80lp, S71rpc, and S99dtlogin and the following scripts in rc3.d: S15nfs.server and S76snmpd.) Instruction: In the presence of the reviewer, the SA should enter the following command: ps –ef Based on the command output, the reviewer should be able to determine if the machine is dedicated to DNS or if it is supporting other production services. If additional services are running and it is determined the name server is not running on dedicated hardware, then this is a finding. Windows The only permitted services to be running on a ISC BIND or Windows DNS server are those implementing: - DNS (i.e., the ISC BIND service) or - DNS Server (i.e., Windows 2000 DNS) - Host intrusion detection - Host file integrity - Network management or monitoring - Anti-virus - Backup - UPS - Active Directory/Domain Controller Services including: Alerter Service COM+ Event System Computer Browser Distributed File System (DFS) DNS Client DNS Server Event Log File Replication Service Intersite Messaging IPSec Policy Agent Kerberos Key Distribution Center Logical Disk Manager Logical Disk Manager Administrative Service Messenger Net Logon Network Connections NTLM Security Support Provider Plug and Play Print Spooler Protected Storage Remote Procedure Call (RPC) Remote Procedure Call (RPC) Locator Remote Registry Service Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Service Windows Management Instrumentation Windows Management Instrumentation Driver Extensions Windows Time Workstation |
Fix Text (F-4358r1_fix) |
---|
Working with DNS and Systems Administrators, the IAO should migrate the DNS software to dedicated hardware for the purpose of supporting the name server or remove/migrate any additional programs or applications, running on the name server to ensure the name server is running on dedicated hardware. |