STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.

DISA Rule

SV-215638r561297_rule

Vulnerability Number

V-215638

Group Title

SRG-APP-000251-DNS-000037

Rule Version

WDNS-SI-000001

Severity

CAT II

CCI(s)

• CCI-001310 - The information system checks the validity of organization-defined inputs.

Weight

10

Fix Recommendation

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen.

Once the “Server Manager” window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the “SERVERS” section, right-click the DNS server.

From the context menu that appears, click DNS Manager.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

Remove any zone information which is not part of the environment.

Check Contents

Consult with the System Administrator to determine the IP ranges for the environment.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen.

Once the “Server Manager” window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the “SERVERS” section, right-click the DNS server.

From the context menu that appears, click DNS Manager.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select and then right-click the zone name.

Review the zone information and compare to the IP ranges for the environment.

If any zone information is for a different IP range or domain, this is a finding.

Vulnerability Number

V-215638

Documentable

False

Rule Version

WDNS-SI-000001

Severity Override Guidance

Consult with the System Administrator to determine the IP ranges for the environment.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen.

Once the “Server Manager” window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the “SERVERS” section, right-click the DNS server.

From the context menu that appears, click DNS Manager.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select and then right-click the zone name.

Review the zone information and compare to the IP ranges for the environment.

If any zone information is for a different IP range or domain, this is a finding.

Check Content Reference

M

Target Key

4016

Comments