UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Domain Name System (DNS) Security Requirements Guide


Overview

Date Finding Count (303)
2012-10-24 CAT I (High): 3 CAT II (Med): 288 CAT III (Low): 12
STIG Description
The DNS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-34244 High The DNS implementation must verify each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
V-34265 High The DNS implementation must enforce a Discretionary Access Control (DAC) policy to protect the transfer of zone information.
V-34261 High The DNS implementation must be fault-tolerant.
V-33958 Medium The network element must route all remote access traffic through managed access control points.
V-33959 Medium The network element must monitor for unauthorized remote connections to specific information systems on an organization defined frequency.
V-33956 Medium The DNS implementation must use approved cryptography to protect the confidentiality of remote access sessions such as zone transfers.
V-33957 Medium The DNS implementation must be configured to use cryptography to protect the integrity of remote access sessions such as zone transfers.
V-33954 Medium The network element must allow authorized users to associate security attributes with information.
V-33955 Medium The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-33952 Medium The network element must only allow authorized entities to change security attributes.
V-33953 Medium The network element must maintain the binding of security attributes to information with sufficient assurance that the information attribute association can be used as the basis for automated policy actions.
V-34131 Medium The DNS implementation must employ cryptographic mechanisms to protect information in storage.
V-34130 Medium The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-34133 Medium The network element must separate user functionality (including user interface services) from information system management functionality.
V-34132 Medium The network element must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
V-34135 Medium The DNS implementation must isolate security functions from non-security functions.
V-34134 Medium The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e. non-privileged) users.
V-34137 Medium The DNS must implement a system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
V-34136 Medium The DNS implementation must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-34139 Medium The DNS implementation must prevent unauthorized and unintended information transfer via shared system resources.
V-34138 Medium The DNS implementation must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-34223 Medium The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-34222 Medium The network element must provide near real-time alerts when any of the organization defined list of compromise or potential compromise indicators occur.
V-34225 Medium The network element must take an organization defined list of least-disruptive actions to terminate suspicious events.
V-34224 Medium The network element must notify an organization defined list of incident response personnel of suspicious events.
V-34227 Medium The network element must ensure all encrypted traffic is visible to network monitoring tools.
V-34226 Medium The network element must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
V-33862 Medium The network element must enforce security policies regarding information on interconnected systems.
V-33863 Medium The network element must uniquely identify source domains for information transfer.
V-33861 Medium The network element must provide the capability for a privileged administrator to configure the organization defined security policy filters to support different security policies.
V-34108 Medium The DNS implementation must enforce password complexity by the number of numeric characters used.
V-33964 Medium The network element must protect wireless access to the network using encryption.
V-34236 Medium The network element must detect unauthorized changes to software and information.
V-34237 Medium The DNS implementation must be configured to identify and respond to potential security-relevant error conditions.
V-33929 Medium The network element must provide the capability for a privileged administrator to configure organization defined security policy filters to support different security policies.
V-33928 Medium The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.
V-34034 Medium The DNS implementation must provide an audit reduction capability.
V-34035 Medium The DNS implementation must provide a report generation capability.
V-34036 Medium The DNS implementation must provide the capability to automatically process log records for events of interest based upon selectable criteria.
V-34037 Medium The DNS implementation must use internal system clocks to generate time stamps for audit records.
V-33923 Medium All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.
V-33922 Medium The network element must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.
V-33921 Medium The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.
V-33920 Medium The DNS implementation must support organizational requirements to disable the user identifiers after an organization defined time period of inactivity.
V-33927 Medium The DNS implementation must implement separation of duties through assigned information system access authorizations.
V-33926 Medium The network element must enforce information flow control using organization defined security policy filters as a basis for flow control decisions.
V-34238 Medium The DNS implementation must generate error messages providing information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-33924 Medium The network element enforces organization defined limitations on the embedding of data types within other data types.
V-34128 Medium The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.
V-34129 Medium The network element must terminate all sessions when non-local maintenance is completed.
V-34126 Medium The network element protects non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.
V-34127 Medium The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-34124 Medium The DNS system must log non-local maintenance and diagnostic sessions.
V-34125 Medium The DNS system must protect non-local maintenance sessions through the use of multifactor authentication.
V-34122 Medium The DNS implementation must invoke a shutdown of the DNS service in the event of an audit failure unless an alternative audit capability exists.
V-34123 Medium The network element must automate mechanisms to restrict the use of maintenance tools to authorized personnel only.
V-34120 Medium The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
V-34121 Medium The network element must employ automated mechanisms to assist in the tracking of security incidents.
V-34229 Medium The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.
V-34228 Medium The network element must analyze outbound traffic at the external boundary of the network.
V-34232 Medium The DNS implementation must verify the correct operation of security functions in accordance with organization defined conditions and frequency.
V-34046 Medium The DNS implementation must have the capability to produce audit records on hardware-enforced write-once media.
V-33962 Medium The network element must enforce requirements for remote connections to the network.
V-33858 Medium The network element must enforce information flow control using explicit security attributes on information source and destination objects as a basis for flow control decisions.
V-33990 Medium The DNS implementation must be capable of taking organization defined actions upon audit failure (e.g. overwrite oldest audit records stop generating audit records cease processing notify of audit failure).
V-33938 Medium Upon successful logon the DNS implementation must display to the user the number of unsuccessful logon attempts since the last successful logon.
V-33939 Medium The DNS implementation must notify the user of the number of successful login attempts to the system occurring during an organization defined time period.
V-34241 Medium The DNS implementation must prohibit recursion on authoritative name servers.
V-34240 Medium The DNS implementation must activate an organization defined alarm when a system component failure is detected.
V-34247 Medium The DNS implementation must prevent access to organization defined security-relevant information except during secure non-operable system states.
V-34246 Medium The network element must display security attributes in human readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization identified human readable, standard naming conventions.
V-34245 Medium The network element disables network access by unauthorized devices and logs the information as a security violation.
V-33930 Medium The network element must be configured to automatically disable the device if any of the organization defined list of security violations are detected.
V-33931 Medium The DNS implementation must enforce the organization defined limit of consecutive invalid access attempts by a user during the organization defined time period.
V-33932 Medium The DNS implementation must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-34248 Medium The network element must enforce information flow control on metadata.
V-33934 Medium The DNS implementation must display an approved system use notification message or warning banner before granting access to the system.
V-33935 Medium The DNS implementation must display an approved banner to the user and it must remain on the screen until the user takes explicit actions to log on.
V-33936 Medium The DNS implementation must display an approved system use notification message or warning banner before granting access to the system.
V-34085 Medium The network element must employ automated mechanisms to detect the addition of unauthorized components or devices. The monitoring may be accomplished on an ongoing basis or by the periodic scanning. Automated mechanisms can be implemented within the network element and/or in another separate information system or device.
V-34084 Medium The network element must employ automated mechanisms to prevent program execution in accordance with organization defined specifications.
V-34087 Medium The DNS implementation must support organizational requirements to conduct backups of system-level information contained in the information system per organization defined frequency.
V-34158 Medium The DNS implementation must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
V-34039 Medium The DNS implementation must protect audit information from unauthorized access.
V-34220 Medium The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
V-34153 Medium The network element must route organization defined internal communications traffic to organization defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
V-34152 Medium The network element must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
V-34151 Medium The network element must prevent access into the organizations internal networks except as explicitly permitted and controlled by employing boundary protection devices.
V-34089 Medium The DNS implementation must uniquely identify and authenticate all organizational users for access to accounts.
V-34088 Medium The DNS implementation must support organizational requirements to conduct backups of information system documentation including security-related documentation per organization defined frequency that is consistent with recovery time and recovery point object.
V-34155 Medium The network element must monitor and control traffic at both the external and internal boundary interfaces.
V-34154 Medium The network element must deny network traffic and audit internal addresses posing a threat to external information systems.
V-33947 Medium The network element must support and maintain the binding of organization defined security attributes to information in storage.
V-34109 Medium The DNS implementation must enforce password complexity by the number of special characters used.
V-33963 Medium The network element must protect wireless access to the network using authentication.
V-34062 Medium The DNS implementation must be configured to enable automated mechanisms to enforce access restrictions.
V-34049 Medium The network element must use cryptography to protect the integrity of audit tools.
V-34055 Medium The DNS implementation must allow authorized personnel to select which events are to be logged by specific components of the system.
V-34250 Medium The network element must implement policy filters that constrain data structure and content to organization defined information security policy requirements when transferring information between different security domains.
V-34251 Medium The network element must detect unsanctioned information when transferring information between different security domains.
V-34252 Medium The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
V-34253 Medium The DNS implementation must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
V-34254 Medium The network element must prevent the download of prohibited mobile code.
V-34255 Medium The network element must prevent the execution of prohibited mobile code.
V-34256 Medium The network element must prevent the automatic execution of mobile code in organization defined software applications and requires organization defined actions prior to executing the code.
V-34163 Medium The DNS implementation must terminate the connection associated with a communications session at the end of the session or after an organization defined time period of inactivity.
V-34092 Medium The DNS implementation must use multifactor authentication for local access to privileged accounts.
V-34093 Medium The DNS implementation must use multifactor authentication for local access to non-privileged accounts.
V-34090 Medium The DNS implementation must use multifactor authentication of all organizational users for access to privileged accounts.
V-34091 Medium The DNS implementation must use multifactor authentication for network access to non-privileged accounts.
V-34096 Medium The DNS implementation must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the DNS systems being accessed.
V-34097 Medium The DNS implementation must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-34094 Medium The DNS implementation must support organizational requirements to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
V-34095 Medium The DNS implementation must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the DNS implementation being accessed.
V-34140 Medium The DNS implementation must protect against or limits the effects of Denial of Service (DoS) attacks.
V-34141 Medium The DNS implementation must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-34142 Medium The DNS implementation must manage excess capacity bandwidth or other redundancy to limit the effects of information flooding types of denial of service attacks.
V-34099 Medium The DNS server must authenticate an organization defined list of specific devices by device type before establishing a connection.
V-34144 Medium The network element must check inbound traffic to ensure communications are coming from an authorized source and routed to an authorized destination.
V-34145 Medium The DNS implementation must implement host based boundary protection mechanisms.
V-34146 Medium The network element must isolate organization defined key information, security tools mechanisms, and support components from other internal information system components via physically separate subnets.
V-34147 Medium The network element must route all management traffic through a dedicated management interface for purposes of access control and auditing.
V-34148 Medium The network element must prevent discovery of specific system components or devices composing a managed interface.
V-34149 Medium The network element must employ automated mechanisms to enforce strict adherence to protocol format.
V-34040 Medium The DNS implementation must protect audit information from unauthorized modification.
V-33838 Medium The DNS implementation must notify the appropriate individuals when accounts are created.
V-33979 Medium The DNS implementation must produce log records containing sufficient information to determine if the event was a success or failure.
V-34100 Medium The DNS server must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.
V-33833 Medium The DNS implementation must automatically terminate temporary accounts after an organization defined time period for each type of account.
V-33832 Medium The DNS implementation must provide automated support for account management functions.
V-33835 Medium The login credentials for an emergency account must be physically protected.
V-33834 Medium The DNS implementation must automatically terminate emergency accounts after an organization defined time period.
V-33837 Medium The DNS implementation must automatically audit the creation of accounts.
V-33836 Medium The DNS implementation must automatically disable inactive accounts after an organization defined time period of inactivity.
V-34243 Medium The DNS implementation must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
V-34171 Medium The network element must employ NSA-approved cryptography to protect classified information.
V-34170 Medium The DNS implementation must employ FIPS validated cryptography to protect unclassified information.
V-33978 Medium The DNS implementation must produce log records containing sufficient information to establish the sources of the events.
V-34242 Medium The DNS must utilize valid root name servers in the local root zone file.
V-34264 Medium The DNS implementation must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
V-34267 Medium The network element protects against unauthorized physical connections across the boundary protections implemented at organization defined list of managed interfaces.
V-34266 Medium The DNS implementation must employ FIPS-validated cryptography to implement digital signatures.
V-34263 Medium The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-34262 Medium The DNS implementation must implement internal/external role separation.
V-34214 Medium The network element must be configured to perform organization defined actions in response to malicious code detection.
V-34069 Medium The network element must employ automated mechanisms to centrally manage configuration settings.
V-34068 Medium The network element must implement automatic safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
V-34067 Medium The DNS implementation must limit privileges to change software resident within software libraries, including privileged programs.
V-34065 Medium The DNS implementation must enforce a two-person rule for changes to organization defined information system components and system-level information.
V-34064 Medium The network element must prevent the installation of organization defined critical software programs not signed with a certificate that is recognized and approved by the organization.
V-34063 Medium The DNS implementation must be configured to enable automated mechanisms to support auditing of the enforcement actions.
V-34098 Medium The DNS implementation must use organization defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-34061 Medium The DNS implementation must enforce access restrictions associated with changes to the information system.
V-34060 Medium The DNS implementation must generate audit records for the success and failure of start and stop of the name server service or daemon.
V-34143 Medium The DNS implementation must limit the use of resources by priority.
V-33989 Medium The DNS implementation must be configured to send an alert to designated personnel in the event of an audit processing failure.
V-33988 Medium The DNS implementation must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.
V-33985 Medium The DNS implementation must provide a warning when the logging storage capacity reaches an organization defined percentage of maximum capacity.
V-33984 Medium The DNS implementation logging facility must be configured to reduce the likelihood of log record capacity being exceeded.
V-33987 Medium The DNS implementation must enforce configurable traffic volume thresholds representing auditing capacity for network traffic to be logged.
V-33986 Medium The DNS implementation must provide a real-time alert when organization defined audit failure events occur.
V-33981 Medium The network element must produce log records that contain detailed information for events identified by type location and subject.
V-33980 Medium The DNS implementation must produce audit records that contain sufficient information to establish the identity of any user or subject associated with the event.
V-33983 Medium The DNS implementation must be configured to allocate audit record storage capacity.
V-33982 Medium The DNS implementation must support the requirement to centrally manage the content of audit records generated by DNS components.
V-34268 Medium The DNS implementation must initiate session auditing upon startup.
V-34212 Medium The network element must employ malicious code protection mechanisms to perform periodic scans of the information system on an organization defined frequency.
V-34221 Medium The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
V-34213 Medium The network element must be configured to perform real-time scans of files from external sources as they are downloaded and prior to being opened or executed.
V-34249 Medium The network element must identify information flows by data type specification and usage when transferring information between different security domains.
V-33967 Medium The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.
V-33966 Medium The network element must enforce requirements for the connection of mobile devices to organizational information systems.
V-34160 Medium The DNS implementation must protect the confidentiality of zone transfers.
V-33933 Medium The DNS implementation must automatically lock out an account after the maximum number of unsuccessful attempts is exceeded and remain locked for an organization defined time period or until released by an administrator.
V-34166 Medium The DNS implementation must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
V-34167 Medium The DNS implementation must produce, control, and distribute asymmetric cryptographic keys using prepositioned keying material.
V-33961 Medium The DNS implementation must disable use of non-secure protocols.
V-33960 Medium The network element must audit remote sessions for accessing an organization defined list of security functions and security-relevant information.
V-34272 Medium The network element must enforce dual authorization based on organizational policies and procedures for organization defined privileged commands.
V-34193 Medium The network element must take corrective action when unauthorized mobile code is identified.
V-34168 Medium The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the users private key.
V-34271 Medium The DNS implementation must restrict error messages so only authorized personnel may view them.
V-34274 Medium The DNS implementation must be conformant to the IETF DNS specification.
V-33968 Medium The DNS implementation must produce log records that contain sufficient information to establish what type of events occurred.
V-34118 Medium The DNS implementation must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
V-34219 Medium The network element must not allow users to introduce removable media into the information system.
V-34074 Medium The DNS implementation must not have unnecessary services and capabilities enabled.
V-34075 Medium The DNS implementation must be configured to prohibit or restrict the use of organization defined functions, ports, protocols, and services.
V-34070 Medium The network element must employ automated mechanisms to centrally apply configuration settings.
V-34071 Medium The network element must employ automated mechanisms to centrally verify configuration settings.
V-34072 Medium The network element must employ automated mechanisms to respond to unauthorized changes to organization defined configuration settings.
V-34073 Medium The network element must ensure detected unauthorized security-relevant configuration changes are tracked.
V-34156 Medium The DNS implementation must connect to external networks only through managed interfaces (proxy) consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-33852 Medium The network element must be configured to dynamically manage administrative privileges and associated command authorizations.
V-33851 Medium The DNS implementation must monitor for irregular usage of administrative user accounts.
V-33850 Medium The DNS implementation must notify the appropriate individuals for account termination.
V-34164 Medium The DNS implementation must establish a trusted communications path between the user and organization defined security functions within the information system.
V-33856 Medium The network element must enforce approved authorizations for controlling the flow of information in accordance with applicable policy.
V-33855 Medium The DNS implementation must implement non-discretionary access control policies over privileged level users and resources to protect the DNS database or zone files.
V-33854 Medium The DNS implementation must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-33859 Medium The network element must enforce the highest privilege level administrative access to enable or disable security policy filters.
V-33991 Medium The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-34270 Medium The DNS implementation must check the validity of data inputs.
V-34159 Medium The network element must maintain the integrity of information during aggregation packaging and transformation in preparation for transmission.
V-34086 Medium The network element must support organizational requirements to conduct backups of user-level information contained in the device per organization defined frequency that is consistent with recovery time and recovery point objectives.
V-33917 Medium The network element must uniquely authenticate source domains for information transfer.
V-34188 Medium The DNS implementation must protect the integrity and availability of publicly available information.
V-33918 Medium The network element must uniquely identify and validate destination domains for information transfer.
V-33919 Medium The network element must uniquely authenticate destination domains for information transfer.
V-33945 Medium The network element must support and maintain the binding of organization defined security attributes to information in transmission.
V-33965 Medium The network element must monitor for unauthorized connections of mobile devices to information systems.
V-34162 Medium The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
V-33976 Medium The DNS implementation must produce log records containing sufficient information to establish when the events occurred.
V-33977 Medium The DNS implementation must produce log records containing sufficient information to establish where the events occurred.
V-34111 Medium The DNS implementation must enforce password encryption for storage.
V-34199 Medium The DNS implementation must recognize only system-generated session identifiers.
V-34198 Medium The DNS implementation must generate a unique session identifier for each session.
V-34197 Medium The DNS implementation must invalidate session identifiers upon user logout or other session termination.
V-34196 Medium The DNS implementation must provide mechanisms to protect the authenticity of communications sessions for queries.
V-34195 Medium The DNS implementation must provide mechanisms to protect the authenticity of communications sessions for dynamic updates.
V-34194 Medium The DNS implementation must provide mechanisms to protect the authenticity of communications sessions for zone transfers.
V-34161 Medium The DNS implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
V-34032 Medium The network element must centralize the review and analysis of audit records from multiple network elements within the network.
V-34191 Medium The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-34190 Medium The network element must validate the integrity of security attributes exchanged between network elements.
V-34117 Medium The DNS implementation must map the authenticated identity to the user account for PKI-based authentication.
V-34048 Medium The network element must use cryptographic mechanisms to protect the integrity of audit information.
V-34115 Medium The DNS implementation must validate DNS keys used for PKI-based authentication against an accepted trust anchor.
V-34235 Medium The DNS implementation must provide automated support for the management of distributed security testing.
V-34113 Medium The DNS implementation must enforce minimum password lifetime restrictions.
V-34112 Medium The DNS implementation must enforce password encryption for transmission.
V-34209 Medium The network element must employ malicious code protection mechanisms to detect and eradicate malicious code at the network perimeter.
V-34110 Medium The DNS implementation must enforce the number of characters changed when passwords are changed.
V-34207 Medium The network element must be configured to implement automated mechanisms on an organization defined frequency to determine the state of information system components with regard to flaw remediation.
V-34206 Medium The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-34205 Medium The DNS implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
V-34042 Medium The network element must protect audit tools from unauthorized access.
V-34203 Medium The network element must include components to proactively seek to identify web-based malicious code.
V-34202 Medium The DNS implementation must preserve organization defined system state information in the event of a system failure.
V-34201 Medium The DNS implementation must fail to an organization defined known-state for organization defined types of failures.
V-34233 Medium The DNS implementation must respond to security function anomalies in accordance with organization defined responses and alternative actions.
V-34041 Medium The DNS implementation must protect audit information from unauthorized deletion.
V-34204 Medium The DNS implementation must protect the confidentiality and integrity of system information at rest.
V-34230 Medium The network element must detect attack attempts to the wireless network.
V-33847 Medium The DNS implementation must automatically audit account disabling actions.
V-33848 Medium The DNS implementation must notify the appropriate individuals when account disabling actions are taken.
V-34157 Medium The DNS implementation must protect the integrity of transmitted information.
V-34231 Medium The network element must detect rogue wireless devices attack attempts and potential compromises or breaches to the wireless network.
V-34044 Medium The network element must protect audit tools from unauthorized deletion.
V-34116 Medium The DNS implementation must enforce authorized access to the corresponding private key for PKI-based authentication.
V-34038 Medium The DNS implementation must synchronize its internal clock on an organization defined frequency with an organization defined authoritative time source.
V-34119 Medium The DNS implementation must use NIST validated FIPS 140-2 cryptography to implement authentication encryption mechanisms.
V-34047 Medium The DNS implementation must backup audit data on an organization defined frequency onto a different system or media.
V-34273 Medium The DNS implementation must implement non-discretionary access control policies over resources to protect the name server executables/daemons and service configuration files.
V-34101 Medium The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.
V-34200 Medium The DNS implementation must generate unique session identifiers with organization defined randomness requirements.
V-33857 Medium The network element must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
V-34056 Medium The DNS implementation must generate audit records for the success and failure organization defined events on the DNS server.
V-34057 Medium The DNS implementation must generate audit records for the success and failure of zone transfers on the DNS server.
V-34054 Medium The DNS implementation must provide audit record generation capability for organization defined auditable events occurring within DNS.
V-34169 Medium The DNS implementation must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-34052 Medium The DNS implementation must produce a system-wide audit trail composed of log records in a standardized format.
V-34189 Medium The network element must associate security attributes with information exchanged between network elements.
V-34050 Medium The DNS implementation must protect against an individual falsely denying having performed a particular action.
V-34051 Medium The DNS implementation must compile log data from multiple components into a system-wide audit trail that is time correlated to within organization defined level of tolerance.
V-34192 Medium The network element must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-34187 Medium The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
V-34058 Medium The DNS implementation must generate audit records for the success and failure of zone update notifications on the DNS server.
V-34059 Medium The DNS implementation must generate audit records for the success and failure of dynamic updates of the name server service or daemon.
V-34104 Medium The DNS implementation must enforce minimum password length.
V-34105 Medium The DNS implementation must prohibit password reuse for the organization defined number of generations.
V-34106 Medium The DNS implementation must enforce password complexity by the number of upper case characters used.
V-34107 Medium The DNS implementation must enforce password complexity by the number of lower case characters used.
V-34218 Medium The network element must only update malicious code protection mechanisms when directed by a privileged user.
V-33925 Medium The network element must enforce organization defined one-way traffic flows using hardware mechanisms.
V-33946 Medium The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-34103 Medium The network element must dynamically manage identifiers attributes and associated access authorizations to enable user access to the network with the appropriate and authorized privileges.
V-34102 Medium The DNS server must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.
V-34215 Medium The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
V-34216 Medium The network element must automatically update malicious code protection mechanisms and signature definitions.
V-34239 Medium The DNS implementation must support the requirement to activate an alarm and/or automatically shut down the information system if an application component failure is detected. This can include conducting a graceful application shutdown to avoid losing information.
V-34210 Medium The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
V-34211 Medium The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-34043 Medium The network element must protect audit tools from unauthorized modification.
V-34033 Medium The DNS implementation must employ automated mechanisms to alert security personnel of any organization defined inappropriate or unusual activities with security implications.
V-34165 Medium The DNS implementation must produce, control, and distribute symmetric cryptographic keys, such as TSIG, using NIST-approved key management technology and processes.
V-34114 Medium The DNS implementation must enforce maximum password lifetime restrictions.
V-33944 Medium The network element must support and maintain the binding of organization defined security attributes to information in process.
V-34208 Medium The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.
V-33849 Medium The DNS implementation must automatically audit account termination.
V-34217 Medium The network element must prevent non-privileged users from circumventing malicious code protection capabilities.
V-34234 Low The DNS implementation must provide notification of failed automated security tests.
V-33937 Low Upon successful logon the DNS implementation must display the date and time of the last logon of the user.
V-34257 Low The DNS implementation, as the distributed, hierarchical namespace, must provide the means to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains.
V-34258 Low The DNS implementation, as the distributed, hierarchical namespace, must provide the means to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains.
V-34259 Low The DNS implementation must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-33943 Low The DNS implementation must limit the number of concurrent sessions for each system account which for DNS consist of zone transfers and client connections to an organization defined number.
V-34260 Low The DNS implementation must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-33940 Low The DNS implementation must notify the user of the number of unsuccessful login attempts to the system occurring during organization defined time period.
V-34269 Low The DNS implementation must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-33941 Low The DNS implementation must notify the user of security-related changes to the users account occurring during the organization defined time period.
V-33846 Low The DNS implementation must notify the appropriate individuals when accounts are modified.
V-33845 Low The DNS implementation must automatically audit account modification.