Check: DNS4540
BIND DNS STIG: DNS4540 (in version v4 r1.2)
Title
The ISC BIND service user is a member of a group other than Everyone and Authenticated Users. (Cat III impact)
Discussion
Membership in configurable groups gives the BIND service user unnecessary privileges that could be used by an intruder to further breach name server security.
Check Content
In Windows 2000/2003, select System Tools | Users and Groups | Users in the "Computer Management" tool. View the "Member Of" tab in the "User Properties" dialog box (opened by double-clicking the user). If the user is a member of any group besides "Everyone" and "Authenticated Users", then this is a finding. In Windows, a user does not have to be a member of any group other than the implicit groups "Everyone" and "Authenticated Users". Thus, to best ensure security, dnsuser must be removed from all explicit groups, including the "Users" group, into which all users are placed by default. There should not be a dnsgroup group as is recommended for UNIX.
Fix Text
The SA should remove the BIND service user account from all configurable user groups.
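The check and fix above can be scripted so the result is recorded rather than read off a dialog. The following PowerShell script is an added example and is not part of the STIG text; it assumes the BIND service runs under a local account named `dnsuser` (the name the check text uses) and uses the WinNT ADSI provider so that it works on older Windows versions that lack the `Get-LocalGroupMember` cmdlets. Implicit groups such as "Everyone" and "Authenticated Users" are not returned by the provider, but they are filtered anyway so that the finding logic matches the check wording exactly.

```powershell
# Added example for DNS4540 (not the STIG's own text or tooling).
# Assumption: the BIND service account is a local account named 'dnsuser';
# pass -ServiceUser to override. Use -Remediate to apply the fix text
# (remove the account from every explicit group); the default is audit only.
param(
    [string]$ServiceUser = 'dnsuser',
    [switch]$Remediate
)

# Groups the check text treats as implicit and therefore acceptable.
$ImplicitGroups = @('Everyone', 'Authenticated Users')

function Get-ExplicitGroupMembership {
    param([string]$Computer, [string]$UserName)

    $userPath = "WinNT://$Computer/$UserName,user"
    if (-not [ADSI]::Exists($userPath)) {
        throw "Local user '$UserName' does not exist on $Computer"
    }
    $user = [ADSI]$userPath

    # Enumerate the local groups this account is an explicit member of.
    # Groups() returns COM objects, so the name is read via reflection.
    $groups = @($user.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # Only membership outside the implicit groups is a finding.
    return @($groups | Where-Object { $ImplicitGroups -notcontains $_ })
}

function Test-Dns4540 {
    param([string]$Computer, [string]$UserName, [switch]$Fix)

    $explicit = Get-ExplicitGroupMembership -Computer $Computer -UserName $UserName

    if ($explicit.Count -eq 0) {
        Write-Output "DNS4540: NOT A FINDING - '$UserName' has no explicit group membership"
        return $true
    }

    Write-Output ("DNS4540: FINDING - '$UserName' is a member of: " + ($explicit -join ', '))

    if ($Fix) {
        $userPath = "WinNT://$Computer/$UserName,user"
        foreach ($groupName in $explicit) {
            # Apply the fix text: remove the account from each configurable group,
            # including the default 'Users' group the check text calls out.
            $group = [ADSI]"WinNT://$Computer/$groupName,group"
            $group.psbase.Invoke('Remove', $userPath)
            Write-Output "  removed '$UserName' from '$groupName'"
        }
        # Re-check so the script's exit state reflects the post-fix condition.
        $remaining = Get-ExplicitGroupMembership -Computer $Computer -UserName $UserName
        return ($remaining.Count -eq 0)
    }
    return $false
}

$compliant = Test-Dns4540 -Computer $env:COMPUTERNAME -UserName $ServiceUser -Fix:$Remediate
if (-not $compliant) { exit 1 }
```

Run it as an administrator; in audit mode it exits non-zero when the account still holds any explicit group membership, which makes it usable from a scheduled compliance job. Removing the account from "Users" can break access it relied on (for example, the right to log on as a service or to read the BIND configuration directory), so after remediation confirm the service still starts and that required permissions are granted to the account directly rather than through a group.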
Additional Identifiers
Rule ID: SV-3622r1_rule
Vulnerability ID: V-3622
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |