Check: DNS4550
BIND DNS STIG, version v4 r1.2
Title
The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND. (Cat III impact)
Discussion
Having user rights beyond the minimum necessary gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security.
Check Content
In Windows NT, select User Rights from the menu bar in “User Manager.” Select each user right in turn and confirm that the DNS service account is not listed under any rights assignment other than “Log on as a service.” If it is, this is a finding.

Windows 2000 is similar to Windows NT, but adds several relevant user rights (in fact user prohibitions). In “Local Security Settings” (a Microsoft Management Console snap-in), select Local Policies | User Rights Assignment in the left pane. Review the assignments in the right pane and check that the DNS service account is not listed under any assignment other than “Log on as a service,” “Deny access to this computer from the network,” and “Deny log on as a batch job.” If the account holds any right beyond these three, this is a finding.
Fix Text
The SA should grant the ISC BIND service account only the user rights “Log on as a service,” “Deny access to this computer from the network,” and “Deny log on as a batch job,” which are the rights required for the proper configuration and security of ISC BIND, and remove any other rights assigned to it.
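The check above is written for the Windows NT and Windows 2000 user interfaces. As an added example (not part of the STIG text, and not an official DISA tool), the following PowerShell script performs the same audit on a current Windows host by exporting the local security policy with secedit and listing every user right held by the BIND service account, then comparing that list against the three rights the check permits. The account name in $ServiceAccount is a placeholder; the rights constants are the standard secedit names for the three assignments named in the check. Run it from an elevated prompt on the name server.

```powershell
# Added example: audit the user rights held by the ISC BIND service account
# against the set permitted by DNS4550. Not part of the STIG or of BIND itself.
param(
    [string]$ServiceAccount = 'DOMAIN\svc-bind'   # placeholder: the account the BIND service runs as
)

# The only rights DNS4550 allows the account to hold (secedit constant names)
$AllowedRights = @(
    'SeServiceLogonRight',        # Log on as a service
    'SeDenyNetworkLogonRight',    # Deny access to this computer from the network
    'SeDenyBatchLogonRight'       # Deny log on as a batch job
)

# secedit writes principals as *SID, so resolve the account name to its SID first
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local policy to a temporary INF file
$cfg = Join-Path $env:TEMP 'dns4550-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section; each line looks like
#   SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
$inSection = $false
$held = @()
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $members = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    # Match either the SID or a plain account name, since both forms occur
    if ($members -contains $sid -or $members -contains $ServiceAccount) { $held += $right }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$extra   = $held          | Where-Object { $AllowedRights -notcontains $_ }
$missing = $AllowedRights | Where-Object { $held -notcontains $_ }

"Rights held by ${ServiceAccount}: $($held -join ', ')"
if ($extra)   { "FINDING: account holds rights beyond the permitted set: $($extra -join ', ')" }
if ($missing) { "NOTE: account lacks a permitted/required right: $($missing -join ', ')" }
if (-not $extra -and -not $missing) { "Compliant with DNS4550." }
```

Any right reported under FINDING corresponds to the "additional rights beyond these" condition in the check content and should be removed from the account in Local Policies | User Rights Assignment (or through the equivalent Group Policy object on domain-joined servers); the two "Deny" rights in the NOTE line are the ones the fix text says the SA should assign.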
Additional Identifiers
Rule ID: SV-3623r1_rule
Vulnerability ID: V-3623
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |