
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide


Overview

Date: 2018-04-05
Finding Count (90): CAT I (High): 3, CAT II (Med): 87, CAT III (Low): 0
STIG Description
The Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-58593 High The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
V-58599 High The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.
V-58687 High The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.
V-58595 Medium All authoritative name servers for a zone must be located on different network segments.
V-58597 Medium All authoritative name servers for a zone must have the same version of zone information.
V-58591 Medium NSEC3 must be used for all internal DNS zones.
V-58663 Medium The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
V-58661 Medium WINS lookups must be disabled on the Windows 2012 DNS Server.
V-58667 Medium The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.
V-58665 Medium The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone.
V-58589 Medium The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
V-58697 Medium The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
V-58695 Medium The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year.
V-58693 Medium The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest.
V-58691 Medium The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
V-58699 Medium The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.
V-58583 Medium The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
V-58581 Medium Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
V-58587 Medium The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-58585 Medium The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
V-58671 Medium The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
V-58673 Medium Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.
V-58675 Medium Automatic Update of Trust Anchors must be enabled on key rollover.
V-58677 Medium The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
V-58669 Medium The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
V-58645 Medium The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
V-58647 Medium The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
V-58641 Medium The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
V-58643 Medium The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
V-58649 Medium The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
V-58579 Medium The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
V-58577 Medium The Windows DNS name servers for a zone must be geographically dispersed.
V-58575 Medium The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
V-58573 Medium The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-58571 Medium The Windows 2012 DNS Server log must include identity of individual or process associated with events within the log records.
V-58557 Medium The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
V-58653 Medium The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
V-58651 Medium The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
V-58657 Medium The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
V-58655 Medium The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server.
V-58659 Medium The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
V-58719 Medium The Windows 2012 DNS Server must generate audit records for the success and failure of start and stop of the DNS Server service.
V-58569 Medium The Windows 2012 DNS Server log must include results of events within the log records.
V-58713 Medium The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-58565 Medium The Windows 2012 DNS Server log must include origin of events within the log records.
V-58711 Medium The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
V-58567 Medium The Windows 2012 DNS Server log must include the source of events within the log records.
V-58717 Medium The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
V-58561 Medium The Windows 2012 DNS Server log must include event types within the log records.
V-58715 Medium The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
V-58563 Medium The Windows 2012 DNS Server log must include time stamps within the log records.
V-58627 Medium When IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records.
V-58709 Medium The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
V-58625 Medium AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
V-58623 Medium Non-routable IPv6 link-local scope addresses must not be configured in any zone.
V-58621 Medium The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
V-58551 Medium The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.
V-58701 Medium The Windows 2012 DNS Server must protect the integrity of transmitted information.
V-58553 Medium The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
V-58703 Medium The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission.
V-58555 Medium The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events.
V-58705 Medium The Windows 2012 DNS Server must maintain the integrity of information during reception.
V-58629 Medium The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
V-58707 Medium The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
V-58547 Medium The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
V-58737 Medium The DNS Name Server software must be configured to refuse queries for its version information.
V-58543 Medium The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
V-58739 Medium The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.
V-58549 Medium The Windows 2012 DNS Server log must be enabled.
V-58635 Medium The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
V-58637 Medium The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
V-58631 Medium The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
V-58633 Medium The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
V-58639 Medium The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
V-58689 Medium The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.
V-58681 Medium The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
V-58683 Medium The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
V-58685 Medium The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing.
V-58601 Medium Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
V-58603 Medium For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
V-58605 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-58607 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-58609 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-58237 Medium The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
V-58619 Medium The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
V-58617 Medium The DNS name server software must be at the latest version.
V-58615 Medium The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
V-58613 Medium The Windows 2012 DNS Server must implement internal/external role separation.
V-58611 Medium The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
V-58679 Medium The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.