Check: DNS4590
BIND DNS STIG:
DNS4590
(in version v4 r1.2)
Title
The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required. (Cat II impact)
Discussion
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
Check Content
The reviewer can check permissions and ownership by looking at the properties of each file in “Windows Explorer.” Note that there may be multiple zone files, key files, and log files. The reviewer should be able to produce a list of the files based on a quick examination of named.conf, which should have been obtained at the beginning of this module. The reviewer should check the permissions of each zone, key or log file when more than one exists on the name server. The name of the root hints file is defined in named.conf. Common names for the root hints file are root.hints, named.cache, and db.cache.

FOLDER/FILE NAME | OWNER | USER/GROUP | PERMISSIONS |
---|---|---|---|
%systemroot%\system32\dns\bin | Administrators | Administrators | Full control |
%systemroot%\system32\dns\bin | Administrators | dns-admins | Read |
%systemroot%\system32\dns\bin | Administrators | dnsuser | Read&Execute/List Folder Contents/Read |
%systemroot%\system32\dns\etc | Administrators | Administrators | Full control |
%systemroot%\system32\dns\etc | Administrators | dns-admins | Change |
%systemroot%\system32\dns\etc | Administrators | dnsuser | Change |
named.conf | Administrators | Administrators | Full control |
named.conf | Administrators | dns-admins | Change |
named.conf | Administrators | dnsuser | Read |
named.pid | Administrators | Administrators | Full control |
named.pid | Administrators | dns-admins | Read |
named.pid | Administrators | dnsuser | Change |
named.stat | Administrators | Administrators | Full control |
named.stat | Administrators | dns-admins | Read |
named.stat | Administrators | dnsuser | Change |
Root hints file | Administrators | Administrators | Full control |
Root hints file | Administrators | dns-admins | Change |
Root hints file | Administrators | dnsuser | Read |
Any zone file | Administrators | Administrators | Full control |
Any zone file | Administrators | dns-admins | Change |
Any zone file | Administrators | dnsuser | Change |
Any TSIG key file | Administrators | dnsuser | Read |

If permissions are more permissive than required, then this is a finding.
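The STIG directs the reviewer to inspect each file's properties in Windows Explorer. The PowerShell script below is an added example, not part of the STIG text, that performs the same comparison against the table above and reports every Allow entry that grants more than the table permits, a wrong owner, or an unlisted principal. It assumes (the STIG does not state this) that BIND is installed under %systemroot%\system32\dns with named.conf, named.pid and named.stat in its etc folder, that principals can be matched on the account name after the COMPUTER\ or DOMAIN\ prefix, and that the table's "Change" corresponds to the NTFS Modify right and "Read&Execute/List Folder Contents/Read" to NTFS ReadAndExecute. The `-ZoneFile`, `-RootHints` and `-TsigKeyFile` parameters are hypothetical names chosen for this script.

```powershell
# Added example (not part of the STIG text): audit Windows ISC BIND file ACLs
# against the DNS4590 permission table and report anything more permissive.
# Assumptions not stated by the STIG: BIND is installed under
# %systemroot%\system32\dns with named.conf, named.pid and named.stat in its etc
# folder; principals are matched on the name after the COMPUTER\ or DOMAIN\
# prefix; the table's "Change" is NTFS Modify and its
# "Read&Execute/List Folder Contents/Read" is NTFS ReadAndExecute.
# Run in an elevated Windows PowerShell session on the name server.
param(
    [string[]]$ZoneFile    = @(),   # zone file paths taken from the named.conf "file" directives
    [string]  $RootHints   = '',    # root hints file (root.hints, named.cache, db.cache, ...)
    [string[]]$TsigKeyFile = @()    # TSIG key file paths
)

$DnsRoot = Join-Path $env:SystemRoot 'system32\dns'
$Etc     = Join-Path $DnsRoot 'etc'

# Maximum rights per principal, copied from the STIG table. Any Allow ACE for a
# principal that is not listed for a path is reported as a finding.
$Checks = @(
    @{ Path = (Join-Path $DnsRoot 'bin');    Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Read';   dnsuser = 'ReadAndExecute' } }
    @{ Path = $Etc;                          Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Modify'; dnsuser = 'Modify' } }
    @{ Path = (Join-Path $Etc 'named.conf'); Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Modify'; dnsuser = 'Read' } }
    @{ Path = (Join-Path $Etc 'named.pid');  Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Read';   dnsuser = 'Modify' } }
    @{ Path = (Join-Path $Etc 'named.stat'); Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Read';   dnsuser = 'Modify' } }
)
foreach ($z in $ZoneFile)    { $Checks += @{ Path = $z;         Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Modify'; dnsuser = 'Modify' } } }
if ($RootHints)              { $Checks += @{ Path = $RootHints; Rights = @{ Administrators = 'FullControl'; 'dns-admins' = 'Modify'; dnsuser = 'Read' } } }
foreach ($k in $TsigKeyFile) { $Checks += @{ Path = $k;         Rights = @{ dnsuser = 'Read' } } }   # the table lists only dnsuser Read for key files

function Test-Dns4590Acl {
    param([string]$Path, [hashtable]$Allowed, [string]$ExpectedOwner = 'Administrators')
    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING  $Path (verify the path from named.conf)" }
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()
    if (($acl.Owner -split '\\')[-1] -ne $ExpectedOwner) {
        $findings += "OWNER    $Path is owned by $($acl.Owner); expected $ExpectedOwner"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if (-not $Allowed.ContainsKey($who)) {
            $findings += "EXTRA    $Path grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            continue
        }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band 0x1F01FF) -ne $raw) {                  # generic rights bits: not comparable, inspect by hand
            $findings += "REVIEW   $Path grants generic rights ($raw) to $who"
            continue
        }
        $max = [int][System.Security.AccessControl.FileSystemRights]$Allowed[$who]
        if ($raw -band (-bnot $max)) {                          # any right outside the permitted set
            $findings += "EXCESS   $Path grants $($ace.FileSystemRights) to $who; maximum is $($Allowed[$who])"
        }
    }
    return $findings
}

function Get-NamedConfFileDirectives {
    # Lists every  file "..."  directive so the reviewer can pass zone, hints and key paths in.
    param([string]$NamedConf = (Join-Path $Etc 'named.conf'))
    Select-String -LiteralPath $NamedConf -Pattern 'file\s+"([^"]+)"' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique
}

if (-not $ZoneFile -and (Test-Path -LiteralPath (Join-Path $Etc 'named.conf'))) {
    Write-Warning ('No -ZoneFile given. file directives in named.conf: ' + ((Get-NamedConfFileDirectives) -join ', '))
}

$Results = foreach ($c in $Checks) { Test-Dns4590Acl -Path $c.Path -Allowed $c.Rights }
if ($Results) {
    $Results
    Write-Output "DNS4590: $(@($Results).Count) issue(s); permissions are more permissive than required, this is a finding."
} else {
    Write-Output 'DNS4590: every checked ACL is at or below the STIG baseline.'
}
```

Run it as `.\Test-Dns4590.ps1 -ZoneFile 'C:\Windows\system32\dns\etc\db.example.zone' -RootHints 'C:\Windows\system32\dns\etc\root.hints' -TsigKeyFile 'C:\Windows\system32\dns\etc\tsig.key'` (constructed paths). File names in named.conf are often relative to its `directory` option, so resolve them before passing them in; the script only warns about directives it finds and does not guess the directory. Entries carrying generic rights bits (the REVIEW lines) are common on inherited ACEs and must be compared by hand, which is also why the script treats a missing file as something to verify rather than as a pass.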
Fix Text
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG.
Additional Identifiers
Rule ID: SV-3626r1_rule
Vulnerability ID: V-3626
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |