UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows 2008 Server Domain Name System Security Technical Implementation Guide


Overview

Date Finding Count (43)
2019-01-04 CAT I (High): 1 CAT II (Med): 42 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-58593 High The Windows 2008 DNS Servers zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
V-58597 Medium All authoritative name servers for a zone must have the same version of zone information.
V-58641 Medium The Windows 2008 DNS Server must be configured to enforce authorized access to the corresponding private key.
V-58621 Medium The Windows 2008 DNS Servers zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
V-58643 Medium The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
V-58649 Medium The Windows 2008 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
V-58595 Medium All authoritative name servers for a zone must be located on different network segments.
V-58577 Medium The Windows DNS name servers for a zone must be geographically dispersed.
V-58625 Medium AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
V-58605 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-58607 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-58609 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-58553 Medium The Windows 2008 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
V-58573 Medium The Windows 2008 DNS Servers audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-58661 Medium WINS lookups must be disabled on the Windows 2008 DNS Server.
V-58707 Medium The Windows 2008 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
V-58579 Medium The Windows 2008 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
V-58237 Medium The Windows 2008 DNS Server must restrict incoming dynamic update requests to known clients.
V-58697 Medium The Windows 2008 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
V-58695 Medium The Windows 2008 DNS Server must not contain zone records that have not been validated in over a year.
V-58693 Medium The Windows 2008 DNS Server must protect secret/private cryptographic keys while at rest.
V-58699 Medium The Windows 2008 DNS Server must use DNS Notify to prevent denial of service through increase in workload.
V-58547 Medium The Windows 2008 DNS Server must, in the event of an error validating another DNS servers identity, send notification to the DNS administrator.
V-58737 Medium The DNS Name Server software must be configured to refuse queries for its version information.
V-58543 Medium The Windows 2008 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
V-58655 Medium The Windows 2008 DNS Servers IP address must be statically defined and configured locally on the server.
V-58739 Medium The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.
V-58549 Medium The Windows 2008 DNS Server log must be enabled.
V-58583 Medium The Windows 2008 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
V-58581 Medium Forwarders on an authoritative Windows 2008 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
V-58633 Medium The Windows 2008 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
V-58713 Medium The Windows 2008 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-58617 Medium The DNS name server software must be at the latest version.
V-58711 Medium The Windows 2008 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
V-58615 Medium The Windows 2008 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
V-58717 Medium The Windows 2008 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of Secure Updates has been removed or broken.
V-58613 Medium The Windows 2008 DNS Server must implement internal/external role separation.
V-58611 Medium The Windows 2008 DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2008 DNS Server service account and/or the DNS database administrator.
V-58627 Medium When IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records.
V-58709 Medium The Windows 2008 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
V-58603 Medium For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
V-58637 Medium The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
V-58623 Medium Non-routable IPv6 link-local scope addresses must not be configured in any zone.