STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year.

DISA Rule

SV-215631r561297_rule

Vulnerability Number

V-215631

Group Title

SRG-APP-000428-DNS-000061

Rule Version

WDNS-SC-000025

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create a separate database to maintain record documentation for non-AD-integrated zones.

Develop a procedure to validate annually all zone information on the DNS server against the separately maintained database.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Select the zone records which have not been validated in over a year and revalidate.

Check Contents

This requirement is not applicable for a Windows DNS Server which is only hosting AD-integrated zones.

For a Windows DNS Server that hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator whether they maintain a separate database with record documentation for the non-AD-integrated zone information. The reviewer should check that each record's last verified date is less than one year prior to the date of the review.

If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding.

If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin, Enterprise Admin, or Local Administrator account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained.

Determine if any records have not been validated in over a year.

If zone records exist which have not been validated in over a year, this is a finding.
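As an added example (not part of the STIG or STIGQter text), the following PowerShell script automates the comparison the check describes: it reads the separately maintained record database, assumed here to be a CSV with the columns Zone, HostName, RecordType and LastVerified at an assumed path, and reports every record in a non-AD-integrated primary forward zone that is either undocumented or was last verified more than a year before the review. The cmdlets come from the DnsServer module that ships with the Windows Server 2012 DNS role.

```powershell
# Added example, not from the STIG text. Assumes the record database is a CSV
# with columns Zone,HostName,RecordType,LastVerified (path below is assumed).
Import-Module DnsServer

function Get-UnvalidatedDnsRecord {
    param(
        [string]$DocumentationCsv = 'C:\DNSDocs\zone-records.csv',  # assumed path
        [int]$MaxAgeDays = 365                                       # "over a year"
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Index the documentation by zone|host|type so each DNS record is one lookup.
    $docs = @{}
    foreach ($row in Import-Csv -Path $DocumentationCsv) {
        $key = ('{0}|{1}|{2}' -f $row.Zone, $row.HostName, $row.RecordType).ToLower()
        $docs[$key] = $row
    }

    # Only manually maintained (non-AD-integrated) primary forward zones are in scope;
    # if none exist the requirement is not applicable.
    $zones = Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and
        -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated
    }
    if (-not $zones) { Write-Warning 'Not applicable: only AD-integrated zones are hosted.'; return }

    foreach ($zone in $zones) {
        foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName) {
            $key = ('{0}|{1}|{2}' -f $zone.ZoneName, $rr.HostName, $rr.RecordType).ToLower()
            $doc = $docs[$key]
            $verified = [datetime]::MinValue
            $status = 'OK'
            if (-not $doc) { $status = 'Undocumented' }
            elseif (-not [datetime]::TryParse($doc.LastVerified, [ref]$verified)) { $status = 'NoValidationDate' }
            elseif ($verified -lt $cutoff) { $status = 'StaleValidation' }
            [pscustomobject]@{
                Zone         = $zone.ZoneName
                HostName     = $rr.HostName
                RecordType   = $rr.RecordType
                LastVerified = if ($status -in 'OK', 'StaleValidation') { $verified } else { $null }
                Status       = $status
            }
        }
    }
}

# Any record whose Status is not OK is a finding under this rule.
Get-UnvalidatedDnsRecord | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the DNS server; an empty table means every in-scope record is documented and was validated within the last year.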

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4016

Comments