DISA Microsoft Windows 2012 Server DNS STIG v2r7

Audit Details

Name: DISA Microsoft Windows 2012 Server DNS STIG v2r7

Updated: 8/26/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.0

Estimated Item Count: 83

File Details

Filename: DISA_STIG_Microsoft_Windows_2012_Server_DNS_v2r7.audit

Size: 241 kB

MD5: 4168edb8cc918413d44a441482000661
SHA256: f5f6fc6a156be2f352eb297940f2120cf667711030e1b8648e41cadea3a303a6

Audit Items

Description | Categories
DISA_STIG_Microsoft_Windows_2012_Server_DNS_v2r7.audit from DISA Microsoft Windows 2012 Server Domain Name System v2r7 STIG
WDNS-AC-000001 - The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.

ACCESS CONTROL

WDNS-AU-000001 - The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

WDNS-AU-000005 - The Windows 2012 DNS Server log must be enabled.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000006 - The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.

AUDIT AND ACCOUNTABILITY
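The two logging checks above (WDNS-AU-000005 and WDNS-AU-000006) correspond to the server-wide Event Logging and Debug Logging settings of the DNS Server role. The PowerShell below is an added example, not part of the audit file or of DISA's STIG text. The log path and size are assumed values, and the compliance function encodes the STIG criteria as stated (event logging at "errors and warnings" or higher; debug logging of incoming and outgoing packets over UDP and TCP for queries/transfers, updates and notifications, requests and responses).

```powershell
# Added example: enable and verify DNS Server event and debug logging
# (WDNS-AU-000005 / WDNS-AU-000006). Run as an administrator on the DNS server.
Import-Module DnsServer

# Assumed values: adjust the log location and size for the environment.
$logPath  = 'C:\Windows\System32\dns\dns.log'
$maxBytes = 500000000          # MaxMBFileSize takes a byte count despite its name

# Event Logging tab: 0 = none, 1 = errors, 2 = errors and warnings, 4 = all events.
Set-DnsServerDiagnostics -EventLogLevel 4

# Debug Logging tab: requests and responses, both directions, both transports,
# for queries/transfers, updates and notifications. Full packet contents are
# left off because they capture client data and fill the log quickly.
Set-DnsServerDiagnostics -Queries $true -Answers $true -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true -QuestionTransactions $true -Update $true `
    -Notifications $true -FullPackets $false -EnableLoggingToFile $true `
    -LogFilePath $logPath -MaxMBFileSize $maxBytes -EnableLogFileRollover $true

function Test-DnsLoggingCompliance {
    # One object per STIG criterion with a Compliant flag, so the result can be
    # fed into an audit report rather than read from the GUI.
    $d = Get-DnsServerDiagnostics
    $checks = [ordered]@{
        'Event log level: errors and warnings or all' = ($d.EventLogLevel -in @(2, 4))
        'Debug logging written to file'               = [bool]$d.EnableLoggingToFile
        'Incoming and outgoing packets'               = ($d.SendPackets -and $d.ReceivePackets)
        'UDP and TCP'                                 = ($d.UdpPackets -and $d.TcpPackets)
        'Queries/transfers, updates, notifications'   = ($d.QuestionTransactions -and $d.Update -and $d.Notifications)
        'Requests and responses'                      = ($d.Queries -and $d.Answers)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Compliant = [bool]$checks[$name] }
    }
}

Test-DnsLoggingCompliance | Format-Table -AutoSize
```

Debug logging writes to a file on the DNS server itself; WDNS-AU-000016 still requires that file (and the DNS event log) to be copied to a separate system at least weekly, which this example does not do.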

WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

WDNS-AU-000016 - The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.

AUDIT AND ACCOUNTABILITY

WDNS-CM-000001 - The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.

CONFIGURATION MANAGEMENT

WDNS-CM-000002 - The Windows DNS name servers for a zone must be geographically dispersed.

CONFIGURATION MANAGEMENT

WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.

CONFIGURATION MANAGEMENT

WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).

CONFIGURATION MANAGEMENT

WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

CONFIGURATION MANAGEMENT
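WDNS-CM-000003 through WDNS-CM-000005 are server-wide settings plus a network-scoping control. The script below is an added example and is not taken from the audit file or the STIG; the forwarder addresses and client ranges are assumed values, and the firewall rule group name 'DNS Service' is assumed to be the group the DNS Server role creates for its inbound rules. It disables recursion when no forwarders are configured, otherwise replaces the forwarder list with the approved one (with no root-hint fallback), and scopes the inbound DNS firewall rules to approved client ranges, which is how a Windows DNS server limits who can obtain recursive answers since the service itself has no per-client recursion ACL.

```powershell
# Added example: recursion, forwarders and client scoping on a Windows 2012 DNS Server
# (WDNS-CM-000003, WDNS-CM-000004, WDNS-CM-000005). Run as an administrator.
Import-Module DnsServer

# Assumed values for illustration.
$approvedForwarders = @('10.10.0.53', '10.10.1.53')    # internal, non-AD-integrated resolvers (or DoD ERS)
$approvedClients    = @('10.0.0.0/8', '172.16.0.0/12') # ranges allowed to query this server

function Set-AuthoritativeRecursionPolicy {
    param([string[]]$Forwarders)
    if (-not $Forwarders) {
        # No forwarders: an authoritative server must not recurse at all.
        Set-DnsServerRecursion -Enable $false
        return
    }
    # Forwarders in use: replace the list rather than append to it, so no
    # unapproved destination survives, and never fall back to root hints.
    Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
}

function Limit-DnsInboundToClients {
    param([string[]]$Clients)
    # Assumed: the role's inbound rules live in the 'DNS Service' display group.
    # Rewriting RemoteAddress keeps the rules but restricts who they admit.
    Get-NetFirewallRule -DisplayGroup 'DNS Service' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -RemoteAddress $Clients
}

function Test-RecursionPolicy {
    # Finding if recursion is on with no forwarders, or if any forwarder is unapproved.
    $rec = Get-DnsServerRecursion
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    $unapproved = @($fwd | Where-Object { $_ -notin $approvedForwarders })
    [pscustomobject]@{
        RecursionEnabled     = $rec.Enable
        Forwarders           = ($fwd -join ', ')
        UnapprovedForwarders = ($unapproved -join ', ')
        Compliant            = ((-not $rec.Enable) -or ($fwd.Count -gt 0 -and $unapproved.Count -eq 0))
    }
}

Set-AuthoritativeRecursionPolicy -Forwarders $approvedForwarders
Limit-DnsInboundToClients -Clients $approvedClients
Test-RecursionPolicy
```

Forwarding depends on recursion being enabled, so the two settings are tied: turning recursion off on a server that has forwarders silently disables them, which is why the example only disables recursion when the forwarder list is empty.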

WDNS-CM-000006 - The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.

CONFIGURATION MANAGEMENT

WDNS-CM-000007 - The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

CONFIGURATION MANAGEMENT

WDNS-CM-000008 - The validity period for the RRSIGs covering a zone's DNSKEY RRset must be no less than two days and no more than one week.

CONFIGURATION MANAGEMENT

WDNS-CM-000009 - NSEC3 must be used for all internal DNS zones.

CONFIGURATION MANAGEMENT

WDNS-CM-000010 - The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.

CONFIGURATION MANAGEMENT

WDNS-CM-000012 - All authoritative name servers for a zone must be located on different network segments.

CONFIGURATION MANAGEMENT

WDNS-CM-000013 - All authoritative name servers for a zone must have the same version of zone information.

CONFIGURATION MANAGEMENT

WDNS-CM-000014 - The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.

CONFIGURATION MANAGEMENT

WDNS-CM-000015 - Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.

CONFIGURATION MANAGEMENT
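WDNS-CM-000001, -000008, -000009, -000014 and -000015 together describe one signing configuration: DNSSEC enabled, a FIPS-compatible algorithm, NSEC3 for denial of existence, and RRSIG validity over the DS and DNSKEY RRsets between two days and one week. The script below is an added example, not the audit file's own check logic or DISA's fix text; the zone name is assumed, and the five-day validity was chosen to sit inside the STIG window. It creates RSA/SHA-256 keys, applies the zone settings, signs the zone, and then reads the settings and keys back to evaluate the same criteria.

```powershell
# Added example: sign a zone to the STIG's DNSSEC criteria
# (WDNS-CM-000001, -000008, -000009, -000014, -000015). Run as an administrator
# on the DNS server that will act as key master for the zone.
Import-Module DnsServer

$zone = 'example.mil'   # assumed zone name

# RRSIG validity for the DNSKEY and DS RRsets: the STIG window is 2 to 7 days.
$validity = [TimeSpan]::FromDays(5)

# FIPS-compatible algorithm: RSA/SHA-256 for both keys. RSA/SHA-1 variants are
# also offered by the server and are the ones to reject.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048

# NSEC3 with a random salt, no opt-out, and the validity periods on the zone.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone `
    -DenialOfExistence NSec3 -NSEC3RandomSaltLength 8 -NSEC3Iterations 10 -NSEC3OptOut $false `
    -DnsKeySignatureValidityPeriod $validity -DSSignatureValidityPeriod $validity `
    -ZoneSignatureValidityPeriod $validity

# Sign with the keys and settings configured above (not the server defaults).
Invoke-DnsServerZoneSign -ZoneName $zone -Force

function Test-ZoneDnssecCompliance {
    param([string]$ZoneName)
    $s    = Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName
    $keys = Get-DnsServerSigningKey -ZoneName $ZoneName
    $min  = [TimeSpan]::FromDays(2)
    $max  = [TimeSpan]::FromDays(7)
    $inWindow = { param([TimeSpan]$t) ($t -ge $min) -and ($t -le $max) }
    [pscustomobject]@{
        Zone                = $ZoneName
        Signed              = $s.IsSigned
        NSEC3               = ($s.DenialOfExistence -eq 'NSec3')
        FipsAlgorithms      = (@($keys | Where-Object { $_.CryptoAlgorithm -like 'RsaSha1*' }).Count -eq 0)
        DsSigValidityOk     = (& $inWindow $s.DSSignatureValidityPeriod)
        DnskeySigValidityOk = (& $inWindow $s.DnsKeySignatureValidityPeriod)
    }
}

Test-ZoneDnssecCompliance -ZoneName $zone
```

After signing, the zone's DS record still has to be published in the parent for validation to succeed; the example only covers what the listed checks inspect on the server itself.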

WDNS-CM-000016 - For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.

CONFIGURATION MANAGEMENT

WDNS-CM-000017 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.

CONFIGURATION MANAGEMENT

WDNS-CM-000018 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

CONFIGURATION MANAGEMENT

WDNS-CM-000019 - Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.

CONFIGURATION MANAGEMENT

WDNS-CM-000020 - The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.

CONFIGURATION MANAGEMENT
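For file-backed zones, WDNS-CM-000020 comes down to the NTFS ACLs on the .dns files under the DNS server's data directory. The check below is an added example and not the audit file's own logic; it assumes the DNS Server service runs as LocalSystem (the default) and that zone administration is done by the local Administrators group, so those two principals are the allowed writers. It lists every other principal holding a write, delete, permission-change or take-ownership right on a zone file.

```powershell
# Added example: report principals other than the DNS service account and the
# DNS administrators that can modify file-backed zone files (WDNS-CM-000020).
$zoneDir = Join-Path $env:SystemRoot 'System32\dns'

# Assumed allowed writers: LocalSystem (default service account) and local
# Administrators. Add DnsAdmins or a dedicated service account if used.
$allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-ZoneFileWriteFindings {
    param([string]$Path = $zoneDir, [string[]]$Allowed = $allowedWriters)
    # Rights that let a principal alter zone data or the ACL protecting it.
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    Get-ChildItem -Path $Path -Filter '*.dns' -File | ForEach-Object {
        $file = $_.FullName
        (Get-Acl -Path $file).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
                ($_.IdentityReference.Value -notin $Allowed)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    File      = $file
                    Identity  = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

$findings = @(Get-ZoneFileWriteFindings)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No unexpected write access to zone files.' }
```

AD-integrated zones are stored in the directory rather than in .dns files, so for those the equivalent check is the ACL on the zone object in Active Directory; this example does not cover them.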

WDNS-CM-000021 - The Windows 2012 DNS Server must implement internal/external role separation.

CONFIGURATION MANAGEMENT

WDNS-CM-000022 - The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.

CONFIGURATION MANAGEMENT

WDNS-CM-000023 - The DNS name server software must be at the latest version.

CONFIGURATION MANAGEMENT

WDNS-CM-000024 - The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.

CONFIGURATION MANAGEMENT

WDNS-CM-000025 - The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.

CONFIGURATION MANAGEMENT

WDNS-CM-000026 - Non-routable IPv6 link-local scope addresses must not be configured in any zone.

CONFIGURATION MANAGEMENT

WDNS-CM-000027 - AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.

CONFIGURATION MANAGEMENT

WDNS-CM-000029 - The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.

CONFIGURATION MANAGEMENT

WDNS-CM-999999 - The Windows 2012 DNS Server must be a vendor supported release.

CONFIGURATION MANAGEMENT

WDNS-IA-000001 - The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000002 - The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000003 - The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000004 - The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.

IDENTIFICATION AND AUTHENTICATION
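WDNS-AC-000001 and WDNS-IA-000001 (restrict dynamic updates to known, authenticated clients) and WDNS-CM-000019 and WDNS-IA-000004 (send zone transfers only to listed secondaries) are all per-zone properties on the primary server, so one audit-and-remediate pass covers all four. The script below is an added example, not the audit file's check logic or DISA's fix text; the list of approved secondary servers is an assumed value. It reports each primary zone's dynamic-update and transfer settings, then corrects the non-compliant ones: secure (Kerberos-authenticated) updates where the zone is AD-integrated, no updates where it is file-backed, and transfers only to the approved secondaries, or none if there are none.

```powershell
# Added example: zone-level access controls on a Windows 2012 DNS Server
# (WDNS-AC-000001, WDNS-IA-000001, WDNS-CM-000019, WDNS-IA-000004). Run as an administrator.
Import-Module DnsServer

# Assumed: the approved secondary name servers for zones this server is primary for.
$approvedSecondaries = @('10.10.0.54', '10.10.1.54')

function Get-PrimaryZoneFindings {
    # One object per primary zone, flagging unauthenticated dynamic updates and
    # transfers open to any host or to a host outside the approved list.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $configured = @($_.SecondaryServers | ForEach-Object { $_.IPAddressToString })
            $unapproved = @($configured | Where-Object { $_ -notin $approvedSecondaries })
            [pscustomobject]@{
                Zone                = $_.ZoneName
                AdIntegrated        = $_.IsDsIntegrated
                DynamicUpdate       = $_.DynamicUpdate
                SecureSecondaries   = $_.SecureSecondaries
                UnapprovedSecondary = ($unapproved -join ', ')
                Compliant           = ($_.DynamicUpdate -ne 'NonsecureAndSecure') -and
                                      ($_.SecureSecondaries -in @('NoTransfer', 'TransferToSecureServers')) -and
                                      ($unapproved.Count -eq 0)
            }
        }
}

function Repair-PrimaryZoneAccess {
    param([string]$ZoneName, [string[]]$Secondaries)
    $z = Get-DnsServerZone -Name $ZoneName
    # Secure dynamic update is only available for AD-integrated zones; a
    # file-backed zone can only refuse updates outright.
    $update = if ($z.IsDsIntegrated) { 'Secure' } else { 'None' }
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate $update
    if ($Secondaries) {
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $Secondaries -Notify NotifyServers -NotifyServers $Secondaries
    } else {
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer
    }
}

Get-PrimaryZoneFindings | Where-Object { -not $_.Compliant } | ForEach-Object {
    Repair-PrimaryZoneAccess -ZoneName $_.Zone -Secondaries $approvedSecondaries
}
Get-PrimaryZoneFindings | Format-Table -AutoSize
```

A source-address list is not cryptographic authentication of the secondary (WDNS-IA-000003); Windows DNS does not support TSIG, so that check is met by AD-integrated replication or by protecting the transfer with IPsec between primary and secondary, which is outside this example.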

WDNS-IA-000005 - The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000006 - The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000007 - The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000008 - The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000009 - The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.

IDENTIFICATION AND AUTHENTICATION

WDNS-IA-000011 - The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.

IDENTIFICATION AND AUTHENTICATION

WDNS-SC-000001 - The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.

SYSTEM AND COMMUNICATIONS PROTECTION
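WDNS-SC-000001 is satisfied on a Windows DNS server by configuring a random NSEC3 salt rather than a fixed user-supplied one, so that a re-signing produces a fresh salt. The following is an added example, not the audit file's check; the zone name is assumed to be an already signed NSEC3 zone, and the NSEC3CurrentSalt property of the zone's DNSSEC settings is assumed to expose the salt in use. Rather than trusting that the server regenerated the salt, the function records the salt before and after the re-sign and reports whether it changed.

```powershell
# Added example: re-sign an NSEC3 zone and confirm the salt changed (WDNS-SC-000001).
Import-Module DnsServer

$zone = 'example.mil'   # assumed zone name, already signed with NSEC3

function Update-ZoneNsec3Salt {
    param([string]$ZoneName, [int]$SaltLength = 8)
    # Assumed property: NSEC3CurrentSalt holds the salt currently published for the zone.
    $before = (Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName).NSEC3CurrentSalt
    # Random salt of the given length, rather than a fixed user salt, so that
    # a complete re-sign generates a new value.
    Set-DnsServerDnsSecZoneSetting -ZoneName $ZoneName -NSEC3RandomSaltLength $SaltLength
    Invoke-DnsServerZoneSign -ZoneName $ZoneName -DoResign -Force
    $after = (Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName).NSEC3CurrentSalt
    [pscustomobject]@{
        Zone        = $ZoneName
        SaltBefore  = $before
        SaltAfter   = $after
        SaltChanged = ($before -ne $after)
    }
}

Update-ZoneNsec3Salt -ZoneName $zone
```

If SaltChanged comes back false after a full re-sign, the zone is still on a fixed salt (or the re-sign did not complete), and that is the finding the check is looking for.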

WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-SC-000003 - The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-SC-000004 - The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION