Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-58543 | WDNS-AU-000001 | SV-72973r1_rule | Medium |
| Description |
|---|
| Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of information may be delayed or deterred. This requirement ensures organizational personnel have a means to identify who produced or changed specific information in transfers, zone information, or DNS configuration changes. |
| STIG | Date |
|---|---|
| Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide | 2015-03-30 |
Details
| Check Text ( C-59415r1_chk ) |
|---|
| Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. Right-click the DNS server, select Properties. Click on the Event Logging tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding. Log on to the DNS server using the Domain Admin or Enterprise Admin account. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Use the Get-DnsServerDiagnostics cmdlet to view the status of individual diagnostic events. All diagnostic events should be set to "True". If all diagnostic events are not set to "True", this is a finding. For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. Run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Confirm the "Enable logging" check box is selected. If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. |
| Fix Text (F-63927r1_fix) |
|---|
| Log on to the DNS server using the Domain Admin or Enterprise Admin account. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. On the opened Server Manager window, from the left pane, click to select DNS. From the right pane, under the SERVERS section, right-click the DNS server. From the displayed context menu, click the DNS Manager option. Click on the Event Logging tab. Select the "Errors and warnings" or "All events" option. Click on Apply. Click on OK. For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Select the "Enable logging" check box. Click on OK. Log on to the DNS server using the Domain Admin or Enterprise Admin account. Open an elevated Windows PowerShell prompt on the DNS server on which event logging needs to be enabled. Use the Set-DnsServerDiagnostics cmdlet to enable all diagnostic events at once. Set-DnsServerDiagnostics -All $true Also enable debug log rollover. Set-DnsServerDiagnostics - EnableLogFileRollover $true |