Check: DNS0805 (Windows DNS, version v4 r1.19)
Title
The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates. (Cat I impact)
Discussion
There is significant potential for compromise when the DHCP service runs under the computer account of a Windows Domain Controller, as it does in the default Windows configuration. That account has full control over all DNS objects stored in Active Directory, so the DHCP server is able to modify the SRV (and other) records for every Domain Controller. Because these records are replicated to the other domain controllers (AD Integrated DNS is required by the STIG), all of the Windows DNS servers could potentially be compromised.
Check Content
Log in to the server with an account that has admin rights. Right-click “My Computer” on the desktop and click “Manage.” This brings up the “Computer Management” tool. Click the plus sign next to “Services and Applications” in the left pane to expand it. Select “Services” in the left pane. In the right pane, scroll down and select “DHCP Server.” Right-click “DHCP Server” and click “Properties.” This brings up the “DHCP Server Properties” dialog. The reviewer will validate that the DHCP Server service is disabled: the “Disabled” option must be selected in the drop-down on the “General” tab of “DHCP Server Properties.” If the DHCP Server service is not disabled, this is a finding.
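An added PowerShell equivalent of the manual steps above (example code, not part of the STIG). It assumes Windows 2003 or later with the DNS Server role, PowerShell 2.0 or later, and the WMI DNS provider in the root\MicrosoftDNS namespace; the function name Test-DNS0805 is hypothetical.

```powershell
# Added example, not part of the STIG. Automates DNS0805 on one host via WMI.
# Assumes Windows 2003+ with the DNS Server role (WMI namespace root\MicrosoftDNS)
# and PowerShell 2.0+. The function name Test-DNS0805 is hypothetical.
function Test-DNS0805 {
    param([string]$ComputerName = $env:COMPUTERNAME)

    function Result($Status, $Reason) {
        New-Object PSObject -Property @{
            Computer = $ComputerName; Check = 'DNS0805'; Status = $Status; Reason = $Reason
        }
    }

    # Scope: the check applies only to DNS servers, and only where dynamic updates are enabled.
    $dns = Get-WmiObject -ComputerName $ComputerName -Class Win32_Service -Filter "Name='DNS'"
    if (-not $dns) { return Result 'Not Applicable' 'DNS Server service is not installed' }

    # MicrosoftDNS_Zone.AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
    $dynZones = @(Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { $_.AllowUpdate -ne 0 } |
        ForEach-Object { $_.Name })
    if ($dynZones.Count -eq 0) { return Result 'Not Applicable' 'No zone accepts dynamic updates' }

    # The requirement is on startup type, not current state: a DHCP service that is stopped
    # but set to Manual or Auto can simply be started again, so only StartMode = Disabled passes.
    $dhcp = Get-WmiObject -ComputerName $ComputerName -Class Win32_Service -Filter "Name='DHCPServer'"
    if (-not $dhcp) { return Result 'Not a Finding' 'DHCP Server service is not installed' }
    if ($dhcp.StartMode -eq 'Disabled') {
        return Result 'Not a Finding' ("DHCP Server service is Disabled (state: {0})" -f $dhcp.State)
    }
    $reason = "DHCP Server service StartMode is {0}, state {1}; dynamic-update zones: {2}" -f $dhcp.StartMode, $dhcp.State, ($dynZones -join ', ')
    return Result 'Open' $reason
}

Test-DNS0805 | Format-List Computer, Check, Status, Reason
```

Run it on each DNS server in scope; a Status of Open reproduces the finding described in the check, and the Reason field records the evidence a reviewer would otherwise read from the Properties dialog.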
Fix Text
Working with the appropriate SA and technical personnel, the IAO should plan to migrate the DHCP service to another machine as soon as it is feasible to do so.
Additional Identifiers
Rule ID: SV-4501r1_rule
Vulnerability ID: V-4501
Group Title: The DHCP server service is not disabled.
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.