The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-58543	WDNS-AU-000001	SV-72973r1_rule		Medium

Description
Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of information may be delayed or deterred. This requirement ensures organizational personnel have a means to identify who produced or changed specific information in transfers, zone information, or DNS configuration changes.

STIG	Date
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide	2015-03-30

Details

Check Text ( C-59415r1_chk )
Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. Right-click the DNS server, select Properties. Click on the Event Logging tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding. Log on to the DNS server using the Domain Admin or Enterprise Admin account. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Use the Get-DnsServerDiagnostics cmdlet to view the status of individual diagnostic events. All diagnostic events should be set to "True". If all diagnostic events are not set to "True", this is a finding. For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. Run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Confirm the "Enable logging" check box is selected. If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.

Check Text ( C-59415r1_chk )

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the Get-DnsServerDiagnostics cmdlet to view the status of individual diagnostic events.

All diagnostic events should be set to "True".

If all diagnostic events are not set to "True", this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.

Fix Text (F-63927r1_fix)
Log on to the DNS server using the Domain Admin or Enterprise Admin account. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. On the opened Server Manager window, from the left pane, click to select DNS. From the right pane, under the SERVERS section, right-click the DNS server. From the displayed context menu, click the DNS Manager option. Click on the Event Logging tab. Select the "Errors and warnings" or "All events" option. Click on Apply. Click on OK. For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Select the "Enable logging" check box. Click on OK. Log on to the DNS server using the Domain Admin or Enterprise Admin account. Open an elevated Windows PowerShell prompt on the DNS server on which event logging needs to be enabled. Use the Set-DnsServerDiagnostics cmdlet to enable all diagnostic events at once. Set-DnsServerDiagnostics -All $true ; Also enable debug log rollover. Set-DnsServerDiagnostics - EnableLogFileRollover $true ;

Fix Text (F-63927r1_fix)

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.

On the opened Server Manager window, from the left pane, click to select DNS.

From the right pane, under the SERVERS section, right-click the DNS server.

From the displayed context menu, click the DNS Manager option.

Click on the Event Logging tab.

Select the "Errors and warnings" or "All events" option.

Click on Apply.

Click on OK.

For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Select the "Enable logging" check box.

Click on OK.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on the DNS server on which event logging needs to be enabled.

Use the Set-DnsServerDiagnostics cmdlet to enable all diagnostic events at once.

Set-DnsServerDiagnostics -All $true ;

Also enable debug log rollover.

Set-DnsServerDiagnostics - EnableLogFileRollover $true ;