Check: DNS0425
BIND DNS STIG: DNS0425 (in version v4 r1.2)
Title
Users and/or processes other than the DNS software Process ID (PID) and/or the DNS database administrator have edit/write access to the zone database files. (Cat II impact)
Discussion
Weak permissions on key files could allow an intruder to view or modify DNS zone files. Permissions on these files will be 640 or more restrictive.
Check Content
UNIX Instruction:

The reviewer must work with the SA to obtain the username and groupname of the DNS database administrator, the DNS software administrator, and the username running the named daemon process. In the presence of the reviewer, the SA should enter the following command to obtain the owner of the named process:

    ps -ef | grep named

There are different ways (e.g., password/group file, NIS+, etc.) to obtain the DNS database administrator's username and groupname; the reviewer is to work with the SA to obtain this information based on the configuration of the site's UNIX OS.

The zone files can be located by viewing the named.conf configuration for the zone statement and the file directive contained within the zone statement. In the presence of the reviewer, the SA should enter the following command while in the directory containing the zone files:

    ls -l

If the zone files have permissions that allow write access to anyone beyond the owner of the named process or the DNS database administrator, then this is a finding.

Windows Instruction:

The reviewer must obtain the username and groupname of the DNS database administrator. The reviewer must work with the SA to obtain the owner of the named.exe or dns.exe program. In the presence of the reviewer, the SA should right-click on the named.exe or dns.exe file and select Properties | Security tab | Advanced | Owner tab.

For each Standard or Primary zone file, right-click on the file in %SystemRoot%\System32\Dns and select Properties | Security tab. If the zone files have permissions that allow write access to anyone beyond Administrators, Enterprise Domain Controllers, Enterprise Admins, Domain Admins, System or DNS Admins, then this is a finding.

For Active Directory-integrated zones, the permissions of the Active Directory database should be verified. It usually resides in %SystemRoot%\NTDS\ntds.dit. The permissions should only give full control access to System, Administrators, Creator Owner, and Local Service. If any others have access, then this is a finding.
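The UNIX portion of this check, as an added shell example that is not part of the STIG: it lists the zone files named by the file directives in named.conf and evaluates each file's owner and mode against the rule above (owner must be the named process user or the DNS database administrator; mode 640 or more restrictive). It assumes GNU stat and one directive per line; the usernames passed as arguments are the values the reviewer obtained from the SA.

```shell
#!/bin/bash
# Added example, not part of the STIG: automates the UNIX check for DNS0425.
# Assumes GNU stat (-c) and a BIND named.conf with one directive per line.

# Print the zone file paths named by `file "..."` directives in named.conf.
# Relative paths are resolved against the options { directory "..."; } value.
list_zone_files() {
    local conf="$1" dir f
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" |
    while IFS= read -r f; do
        case "$f" in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s\n' "${dir:-.}/$f" ;;
        esac
    done
}

# Evaluate one zone file against the check: the owner must be the user running
# named ($2) or the DNS database administrator ($3), and the mode must be
# 640 or more restrictive. Prints OK or FINDING and returns 0 or 1.
check_zone_file() {
    local file="$1" named_user="$2" db_admin="$3" mode owner perm
    mode=$(stat -c '%a' "$file") || return 2
    owner=$(stat -c '%U' "$file")
    perm=$((0$mode))
    if [ "$owner" != "$named_user" ] && [ "$owner" != "$db_admin" ]; then
        echo "FINDING: $file is owned by $owner, not $named_user or $db_admin"
        return 1
    fi
    # Group-write (020) or other-write (002) gives write access beyond the owner.
    if [ $((perm & 022)) -ne 0 ]; then
        echo "FINDING: $file mode $mode grants write access beyond the owner"
        return 1
    fi
    # Any bit outside 640 (e.g. other-read 004) is less restrictive than required.
    if [ $((perm & ~0640)) -ne 0 ]; then
        echo "FINDING: $file mode $mode is less restrictive than 640"
        return 1
    fi
    echo "OK: $file mode $mode owner $owner"
    return 0
}
```

Run `check_zone_file` over each path printed by `list_zone_files /etc/named.conf` (adjust the path to the site's configuration); any FINDING line corresponds to a finding under this check.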
Fix Text
The SA should modify the permissions of the zone files so that only the DNS software PID and/or the DNS database administrator have edit access to the zone database files.
Additional Identifiers
Rule ID: SV-4476r2_rule
Vulnerability ID: V-4476
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |