WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.

Information

Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically.

At a minimum, the application must log the validation error. However, more stringent actions can be taken based on the security posture and value of the information. The organization should consider the system's environment and impact of the errors when defining the actions. Additional examples of actions include automated notification to administrators, halting system process, or halting the specific operation.

The DNS server should audit all failed attempts at server authentication through DNSSEC and TSIG/SIG(0). The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To detect and notify the administrator, configure a third-party event monitoring system or, at a minimum, document and implement a procedure to require the administrator to check the DNS logs on a routine, daily basis.
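
One way to script the minimum daily log check is shown below. It is an added example, not part of the STIG or the Nessus audit. It assumes the classic "DNS Server" event log and uses placeholder mail settings ($SmtpServer, $From, $To). Because this item names no event IDs, the script reports every Critical, Error and Warning event from the last 24 hours for the administrator to review.

```powershell
# Added example: daily review of the DNS Server event log (not from the STIG).
# $SmtpServer, $From and $To are placeholders; replace them for your site.
$SmtpServer = 'smtp.example.com'
$From       = 'dns-monitor@example.com'
$To         = 'dns-admin@example.com'

$filter = @{
    LogName   = 'DNS Server'              # assumed log name (classic DNS Server log)
    Level     = 1, 2, 3                   # Critical, Error, Warning
    StartTime = (Get-Date).AddHours(-24)  # window matches a daily schedule
}

try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $events = @()   # no matching events in the window is not a failure
    }
    else {
        throw           # log missing or unreadable: surface it instead of hiding it
    }
}

if ($events.Count -gt 0) {
    # Summarise by event ID so repeated failures stand out, then list the details.
    $summary = $events | Group-Object Id | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize | Out-String
    $detail  = $events | Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message | Out-String

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[$env:COMPUTERNAME] $($events.Count) DNS Server errors/warnings in the last 24h" `
        -Body ($summary + $detail)
}
```

Run it once a day from a scheduled task on the DNS server, under an account that can read the log, and record the schedule in the documented procedure.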

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R7_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

References: 800-53|AU-10(2)(b), 800-53|CM-6b., CAT|II, CCI|CCI-000366, CCI|CCI-001906, Rule-ID|SV-215649r987679_rule, STIG-ID|WDNS-AU-000003, STIG-Legacy|SV-72977, STIG-Legacy|V-58547, Vuln-ID|V-215649

Plugin: Windows

Control ID: 4a51df04e85b7af419620f507a007b3f10fd400e81368439edc5f24ad63c018c