DISA Microsoft Windows 2012 Server DNS STIG v2r5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA Microsoft Windows 2012 Server DNS STIG v2r5

Updated: 5/28/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.3

Estimated Item Count: 87

File Details

Filename: DISA_STIG_Microsoft_Windows_2012_Server_DNS_v2r5.audit

Size: 231 kB

MD5: 0652fa0f44ed36f357f72ccf6042ea2d
SHA256: f4d0ebd3629447d417e3fca421e932c80a39ae0065d3387d91fd1e683beb0507

Audit Items

DISA_STIG_Windows_2012_Server_DNS_v2r5.audit from DISA Microsoft Windows 2012 Server Domain Name System v2r5 STIG
WDNS-AC-000001 - The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
WDNS-AU-000001 - The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
WDNS-AU-000005 - The Windows 2012 DNS Server log must be enabled.
WDNS-AU-000006 - The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.
WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - manage
WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - permissions
WDNS-AU-000016 - The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
WDNS-CM-000001 - The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
WDNS-CM-000002 - The Windows DNS name servers for a zone must be geographically dispersed.
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - recursion
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - root hints
WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - forwarders
WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - root hints
WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
WDNS-CM-000006 - The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
WDNS-CM-000007 - The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
WDNS-CM-000008 - The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
WDNS-CM-000009 - NSEC3 must be used for all internal DNS zones.
WDNS-CM-000010 - The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
WDNS-CM-000012 - All authoritative name servers for a zone must be located on different network segments.
WDNS-CM-000013 - All authoritative name servers for a zone must have the same version of zone information.
WDNS-CM-000014 - The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.
WDNS-CM-000015 - Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
WDNS-CM-000016 - For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
WDNS-CM-000017 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
WDNS-CM-000018 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
WDNS-CM-000019 - Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
WDNS-CM-000020 - The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
WDNS-CM-000021 - The Windows 2012 DNS Server must implement internal/external role separation.
WDNS-CM-000022 - The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
WDNS-CM-000023 - The DNS name server software must be at the latest version.
WDNS-CM-000024 - The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
WDNS-CM-000025 - The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
WDNS-CM-000026 - Non-routable IPv6 link-local scope addresses must not be configured in any zone.
WDNS-CM-000027 - AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
WDNS-CM-000029 - The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
WDNS-IA-000001 - The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
WDNS-IA-000002 - The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
WDNS-IA-000003 - The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
WDNS-IA-000004 - The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
WDNS-IA-000005 - The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
WDNS-IA-000006 - The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
WDNS-IA-000007 - The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
WDNS-IA-000008 - The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
WDNS-IA-000009 - The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
WDNS-IA-000011 - The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
WDNS-SC-000001 - The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
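As an added example, not part of the Tenable audit file or the DISA STIG, the following read-only PowerShell script spot-checks a subset of the server-level and zone-level settings the items above call for: recursion and forwarders (WDNS-CM-000003, WDNS-CM-000004), event logging (WDNS-AU-000005), secure dynamic updates (WDNS-AC-000001), restricted zone transfers (WDNS-CM-000019, WDNS-IA-000004), and DNSSEC signing, NSEC3 and signing algorithm (WDNS-CM-000014, WDNS-CM-000009, WDNS-CM-000015, WDNS-SC-000001). It uses only cmdlets from the Windows DnsServer module; the mapping from each check to a STIG ID is my approximation of the rule's intent, and the official check text is authoritative. The approved-forwarder and known-secondary lists are placeholders you must replace with your own values.

```powershell
#Requires -Modules DnsServer
# Added example: run elevated on the DNS server itself (Windows Server 2012 or later).
# The STIG-ID mapping per check is an approximation; consult the STIG check text.
param(
    [string[]]$ApprovedForwarders = @('10.0.1.53'),             # placeholder, replace
    [string[]]$KnownSecondaries   = @('10.0.0.5', '10.0.0.6')   # placeholder, replace
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Id, [string]$Scope, [string]$Detail) {
    $findings.Add([pscustomobject]@{ StigId = $Id; Scope = $Scope; Detail = $Detail })
}

# --- Server-level checks ---------------------------------------------------
$recursion  = Get-DnsServerRecursion
$forwarders = Get-DnsServerForwarder
$fwdList    = @($forwarders.IPAddress | ForEach-Object { "$_" })   # IPAddress -> string

# WDNS-CM-000003: recursion must be off on an authoritative server with no forwarders.
if ($recursion.Enable -and $fwdList.Count -eq 0) {
    Add-Finding 'WDNS-CM-000003' 'server' 'Recursion enabled but no forwarders configured'
}
# WDNS-CM-000004: forwarders, if any, must be approved; no fallback to root hints.
foreach ($ip in $fwdList) {
    if ($ApprovedForwarders -notcontains $ip) {
        Add-Finding 'WDNS-CM-000004' 'server' "Unapproved forwarder $ip"
    }
}
if ($fwdList.Count -gt 0 -and $forwarders.UseRootHint) {
    Add-Finding 'WDNS-CM-000004' 'server' 'Forwarder lookup falls back to root hints'
}
# WDNS-AU-000005: event logging enabled for all events.
# EventLogLevel registry semantics: 0 none, 1 errors, 2 errors+warnings, 4 all events.
$diag = Get-DnsServerDiagnostics
if ($diag.EventLogLevel -ne 4) {
    Add-Finding 'WDNS-AU-000005' 'server' "EventLogLevel is $($diag.EventLogLevel), expected 4 (all events)"
}

# --- Zone-level checks (primary forward zones only) --------------------------
$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
    -not $_.IsReverseLookupZone -and $_.ZoneName -ne 'TrustAnchors'
}
foreach ($z in $zones) {
    $name = $z.ZoneName
    # WDNS-AC-000001: dynamic updates must be secure-only (or disabled entirely).
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        Add-Finding 'WDNS-AC-000001' $name 'Nonsecure dynamic updates accepted'
    }
    # WDNS-CM-000019 / WDNS-IA-000004: transfers only to an explicit secondary list.
    switch ($z.SecureSecondaries) {
        'NoTransfer' { }
        'TransferToSecureServers' {
            $unknown = @($z.SecondaryServers | ForEach-Object { "$_" }) |
                       Where-Object { $KnownSecondaries -notcontains $_ }
            if ($unknown) {
                Add-Finding 'WDNS-CM-000019' $name "Transfers allowed to unlisted server(s): $($unknown -join ', ')"
            }
        }
        default {
            Add-Finding 'WDNS-CM-000019' $name "Zone transfer setting is '$($z.SecureSecondaries)'"
        }
    }
    # WDNS-CM-000014: zone must be DNSSEC-signed.
    if (-not $z.IsSigned) {
        Add-Finding 'WDNS-CM-000014' $name 'Zone is not signed'
        continue
    }
    # WDNS-CM-000009 / WDNS-SC-000001: NSEC3 with a server-generated random salt.
    $sec = Get-DnsServerDnsSecZoneSetting -ZoneName $name
    if ($sec.DenialOfExistence -ne 'NSec3') {
        Add-Finding 'WDNS-CM-000009' $name "Denial of existence is $($sec.DenialOfExistence), expected NSec3"
    } elseif ($sec.NSec3RandomSaltLength -eq 0) {
        Add-Finding 'WDNS-SC-000001' $name 'NSEC3 salt is fixed (random salt length 0)'
    }
    # WDNS-CM-000015: flag SHA-1-based signing algorithms; SHA-1 signatures are not FIPS-approved.
    foreach ($key in Get-DnsServerSigningKey -ZoneName $name) {
        if ($key.CryptoAlgorithm -like 'RsaSha1*') {
            Add-Finding 'WDNS-CM-000015' $name "$($key.KeyType) uses $($key.CryptoAlgorithm)"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No findings for the checked items.' }
else { $findings | Sort-Object StigId, Scope | Format-Table -AutoSize }
```

The script only reads configuration; remediation belongs in a separate, reviewed change (for example `Set-DnsServerRecursion -Enable $false`, or `Set-DnsServerPrimaryZone -Name <zone> -SecureSecondaries TransferToSecureServers -SecondaryServers <ip list>`), because several of these settings, recursion and dynamic updates in particular, break clients if flipped on the wrong server. Items that depend on topology or process (geographic dispersion, split DNS reachability, seven-day audit backups, ISSM-controlled logging changes) cannot be verified from a single host and are intentionally not covered.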