V-259369
CAT IIThe Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.
- Ships Affected
- 1
- Total Findings
- 1
- Open
- 1
- Closed
- 0
Check Text
Access Windows Explorer.
Navigate to the following location:
%ALLUSERSPROFILE%\Microsoft\Crypto
Note: If the folder above does not exist, this check is not applicable.
Verify the permissions on the folder, subfolders, and files are limited to "SYSTEM" and Administrators for "FULL CONTROL".
If any other user or group has greater than READ permissions to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.
Fix Text
Access Windows Explorer.
Navigate to the following location:
%ALLUSERSPROFILE%\Microsoft\Crypto
Modify permissions on the folder, subfolders, and files to "FULL CONTROL" for "SYSTEM" and Administrators and to "READ" for all other users/groups. If additional permissions are needed, it must be documented and approved by the ISSO or ISSM.
STIG Reference
- STIG
- Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
- Version
- 2
- Release
- 3
- Rule ID
- SV-259369r1081081_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | Unassigned | 2026-01-14T12:57:38.179760 | View in Context |