Check: DNS4530
BIND DNS STIG: DNS4530 (in version v4 r1.2)
Title
ISC BIND is not configured to run as a dedicated non-privileged service user account. (Cat II impact)
Discussion
If an intruder gains control of named (BIND), the intruder acquires the privileges of the user ID under which it runs. Running as a non-privileged user account limits the extent of any breach. When BIND runs as SYSTEM (the default), an intruder who compromises it gains full control of the system.
Check Content
The reviewer will validate that ISC BIND is configured to run as a dedicated, non-privileged service user account. Select the “Log On” tab of the ISC BIND service’s properties. If the ISC BIND service logs on as the “Local System account”, this is a finding.
Fix Text
The SA should create a new user account dedicated to DNS, configure it per the DNS STIG, configure the ISC BIND service to log on as that account, and then restart the ISC BIND service.
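The following PowerShell is an added example, not part of the STIG text, that automates both the check (read the account the ISC BIND service logs on as, and flag Local System as a finding) and the fix (reassign the logon account and restart the service). It assumes the BIND for Windows service is registered under the name `named`; the display name “ISC BIND” is what the page references, so confirm the name with `Get-Service -DisplayName 'ISC BIND*'` before running. The account name `.\svc-bind` in the usage line is a placeholder.

```powershell
# Added example (not from the STIG): audit and remediate the ISC BIND service
# logon account for DNS4530. Assumption: the service name is 'named'; verify with
#   Get-Service -DisplayName 'ISC BIND*'

function Test-BindServiceLogon {
    param([string]$ServiceName = 'named')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        throw "Service '$ServiceName' not found; check Get-Service -DisplayName 'ISC BIND*'."
    }

    # StartName is the account behind the "Log On" tab. 'LocalSystem' is the
    # value stored when the "Local System account" option is selected.
    $isLocalSystem = $svc.StartName -eq 'LocalSystem'
    $isBuiltIn     = $svc.StartName -match '^NT AUTHORITY\\(LocalService|NetworkService)$'

    if ($isLocalSystem)  { $note = 'Runs as Local System: CAT II finding (DNS4530)' }
    elseif ($isBuiltIn)  { $note = 'Built-in low-privilege account, not a dedicated DNS account; review' }
    else                 { $note = 'Dedicated service account' }

    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName
        State   = $svc.State
        Finding = $isLocalSystem
        Note    = $note
    }
}

function Set-BindServiceLogon {
    param(
        [Parameter(Mandatory)][string]$Account,          # '.\svc-bind' (local) or 'DOMAIN\svc-bind'
        [Parameter(Mandatory)][securestring]$Password,
        [string]$ServiceName = 'named'
    )

    # The account must already exist, hold the "Log on as a service" right, and
    # have read access to the BIND install and zone directories (per the DNS STIG).
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $plain = [pscredential]::new($Account, $Password).GetNetworkCredential().Password

    # Win32_Service.Change works on Windows PowerShell 5.1 as well as PowerShell 7;
    # ReturnValue 0 means the change was accepted by the Service Control Manager.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $Account; StartPassword = $plain }
    if ($result.ReturnValue -ne 0) {
        throw "Service Control Manager rejected the change (code $($result.ReturnValue))."
    }

    Restart-Service -Name $ServiceName
    Test-BindServiceLogon -ServiceName $ServiceName   # re-check after the fix
}

# Usage (run elevated):
#   Test-BindServiceLogon                                   # Finding = True means DNS4530 applies
#   Set-BindServiceLogon -Account '.\svc-bind' -Password (Read-Host -AsSecureString 'Password')
```

`Test-BindServiceLogon` returns an object rather than printing, so it can be collected across many servers with `Invoke-Command` and filtered on `Finding`. The `$isBuiltIn` branch exists because Local Service and Network Service are not Local System, but they are shared accounts rather than the dedicated DNS account the fix text calls for, so they deserve a second look even though they do not match the check’s literal finding condition.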
Additional Identifiers
Rule ID: SV-3621r1_rule
Vulnerability ID: V-3621
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |