V-259368
CAT IIThe Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
- Ships Affected
- 1
- Total Findings
- 1
- Open
- 0
- Closed
- 1
Check Text
Access Services on the Windows DNS Server and locate the DNS Server Service.
Determine the account under which the DNS Server Service is running.
Access Windows Explorer.
Navigate to the following location:
%ALLUSERSPROFILE%\Microsoft\Crypto
Note: If the folder above does not exist, this check is not applicable.
Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button.
Verify the Owner on the folder, subfolders, and files is the account under which the DNS Server Service is running.
If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.
Fix Text
Access Windows Explorer.
Navigate to the following location:
%ALLUSERSPROFILE%\Microsoft\Crypto
Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button.
Click "Change" next to the listed Owner and change to be the account under which the DNS Server Service is running.
STIG Reference
- STIG
- Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
- Version
- 2
- Release
- 4
- Rule ID
- SV-259368r961041_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | Unassigned | 2026-01-14T12:57:38.179760 | View in Context |