WDNS-IA-000011 - The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.

Information

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

SIG(0) is used for server-to-server authentication of DNS transactions and relies on PKI-based authentication. This requirement therefore applies where SIG(0) is used instead of TSIG, which uses a shared key rather than PKI-based authentication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure local revocation data to be used in the event access to Certificate Authorities is hindered.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R7_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(d), CAT|II, CCI|CCI-001991, Rule-ID|SV-215608r982028_rule, STIG-ID|WDNS-IA-000011, STIG-Legacy|SV-73079, STIG-Legacy|V-58649, Vuln-ID|V-215608

Plugin: Windows

Control ID: 6a26568bcab3c01d4cefc0a4591b90ac28d25e199c4d48a073c0ff362b5be16b