DISA Microsoft Windows 2012 Server DNS STIG v1r14

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA Microsoft Windows 2012 Server DNS STIG v1r14

Updated: 1/28/2021

Authority: DISA STIG

Plugin: Windows

Revision: 1.2

Estimated Item Count: 104

Audit Items

Description | Categories
DISA_STIG_Windows_2012_Server_DNS_v1r14.audit from DISA Microsoft Windows 2012 Server Domain Name System v1r14 STIG
WDNS-AC-000001 - The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-AU-000001 - The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
WDNS-AU-000005 - The Windows 2012 DNS Server log must be enabled.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000006 - The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - manage

ACCESS CONTROL

WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - permissions

AUDIT AND ACCOUNTABILITY

WDNS-AU-000008 - The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000008 - The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000010 - The Windows 2012 DNS Server log must include event types within the log records - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000010 - The Windows 2012 DNS Server log must include event types within the log records - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000011 - The Windows 2012 DNS Server log must include time stamps within the log records - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000011 - The Windows 2012 DNS Server log must include time stamps within the log records - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000012 - The Windows 2012 DNS Server log must include origin of events within the log records - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000012 - The Windows 2012 DNS Server log must include origin of events within the log records - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000013 - The Windows 2012 DNS Server log must include the source of events within the log records - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000013 - The Windows 2012 DNS Server log must include the source of events within the log records - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000014 - The Windows 2012 DNS Server log must include results of events within the log records - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000014 - The Windows 2012 DNS Server log must include results of events within the log records - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000015 - The Windows 2012 DNS Server log must include identity of individual or process associated with events within the log records - enabled

AUDIT AND ACCOUNTABILITY

WDNS-AU-000015 - The Windows 2012 DNS Server log must include identity of individual or process associated with events within the log records - enhanced

AUDIT AND ACCOUNTABILITY

WDNS-AU-000016 - The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
WDNS-CM-000001 - The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.

CONFIGURATION MANAGEMENT

WDNS-CM-000002 - The Windows DNS name servers for a zone must be geographically dispersed.
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - recursion

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - root hints

CONFIGURATION MANAGEMENT

WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - forwarders

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - root hints

CONFIGURATION MANAGEMENT

WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000006 - The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.

CONFIGURATION MANAGEMENT

WDNS-CM-000007 - The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000008 - The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.

CONFIGURATION MANAGEMENT

WDNS-CM-000009 - NSEC3 must be used for all internal DNS zones.

CONFIGURATION MANAGEMENT

WDNS-CM-000010 - The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.

CONFIGURATION MANAGEMENT

WDNS-CM-000012 - All authoritative name servers for a zone must be located on different network segments.

CONFIGURATION MANAGEMENT

WDNS-CM-000013 - All authoritative name servers for a zone must have the same version of zone information.

CONFIGURATION MANAGEMENT

WDNS-CM-000014 - The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000015 - Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000016 - For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
WDNS-CM-000017 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
WDNS-CM-000018 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
WDNS-CM-000019 - Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000020 - The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.

ACCESS CONTROL

WDNS-CM-000021 - The Windows 2012 DNS Server must implement internal/external role separation.
WDNS-CM-000022 - The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.

CONFIGURATION MANAGEMENT

WDNS-CM-000023 - The DNS name server software must be at the latest version.
WDNS-CM-000024 - The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.

CONFIGURATION MANAGEMENT

WDNS-CM-000025 - The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.

CONFIGURATION MANAGEMENT

WDNS-CM-000026 - Non-routable IPv6 link-local scope addresses must not be configured in any zone.

CONFIGURATION MANAGEMENT