STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.

DISA Rule

SV-215604r561297_rule

Vulnerability Number

V-215604

Group Title

SRG-APP-000176-DNS-000017

Rule Version

WDNS-IA-000006

Severity

CAT II

CCI(s)

• CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

Weight

10

Fix Recommendation

Access Windows Explorer.

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto

Modify permissions on the keys folder, sub-folders, and files to be limited to SYSTEM and Administrators FULL CONTROL and to all other Users/Groups to READ.

Check Contents

Access Windows Explorer.

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto
Note: If the %ALLUSERSPROFILE%\Microsoft\Crypto folder doesn't exist, this is not applicable.

Verify the permissions on the keys folder, sub-folders, and files are limited to SYSTEM and Administrators FULL CONTROL.

If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding.

Vulnerability Number

V-215604

Documentable

False

Rule Version

WDNS-IA-000006

Severity Override Guidance

Access Windows Explorer.

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto
Note: If the %ALLUSERSPROFILE%\Microsoft\Crypto folder doesn't exist, this is not applicable.

Verify the permissions on the keys folder, sub-folders, and files are limited to SYSTEM and Administrators FULL CONTROL.

If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding.

Check Content Reference

M

Target Key

4016

Comments