WDNS-IA-000001 - The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.

Information

Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of devices, including, but not limited to, the following other situations:
(i) When authenticators change;
(ii) When roles change;
(iii) When security categories of information systems change;
(iv) After a fixed period of time; or
(v) Periodically.

DNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). So this requirement is applicable for every server-to-server transaction request.

Solution

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Once selected, right-click the name of the zone, and from the displayed context menu, go to Properties.

On the opened domain's properties box, click the General tab.

If the Type: is not Active Directory-Integrated, configure the zone for AD-integration.

Select 'Secure only' from the Dynamic updates: drop-down list.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R7_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-11, CAT|II, CCI|CCI-002039, Rule-ID|SV-215599r982027_rule, STIG-ID|WDNS-IA-000001, STIG-Legacy|SV-73061, STIG-Legacy|V-58631, Vuln-ID|V-215599

Plugin: Windows

Control ID: b34aeb00ed6e1e801306514c1dd6d5a495324b39d3b90e8924354ee115e454ee