STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 24 Jan 2020: The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.

DISA Rule

SV-72981r6_rule

Vulnerability Number

V-58551

Group Title

SRG-APP-000089-DNS-000005

Rule Version

WDNS-AU-000006

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on the DNS server on which event logging needs to be enabled.

Use the “Set-DnsServerDiagnostics” cmdlet to enable the required diagnostic events.

For each required diagnostic event, run: Set-DnsServerDiagnostics -<diagnostic event> $true
For example, to set EnableLoggingForLocalLookupEvent to true, enter the following at the command line:
Set-DnsServerDiagnostics -EnableLoggingForLocalLookupEvent $true

Check Contents

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events.

Verify the following diagnostic events are set to "True":
Queries, Answers, Notifications, Update, QuestionTransactions, UnmatchedResponse, SendPackets, ReceivePackets, TcpPackets, UdpPackets, FullPackets, UseSystemEventLog
The following should also be set to "True":
EnableLoggingForLocalLookupEvent
EnableLoggingForPluginDLLEvent
EnableLoggingForRecursiveLookupEvent
EnableLoggingForRemoteServerEvent
EnableLoggingForServerStartStopEvent
EnableLoggingForTombstoneEvent
EnableLoggingForZoneDataWriteEvent
EnableLoggingForZoneLoadingEvent

If any required diagnostic event is not set to "True", this is a finding.
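The check and fix above, combined into one script as an added example (not part of the STIG text or the STIGQter project): it reads Get-DnsServerDiagnostics, reports every required event that is not True, and with -Remediate sets only those events via Set-DnsServerDiagnostics and re-verifies. It assumes the DnsServer PowerShell module is available and the prompt is elevated.

```powershell
# Audit (and optionally remediate) WDNS-AU-000006 on a DNS server.
# Run from an elevated PowerShell prompt as a Domain Admin or Enterprise Admin.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate
)

# Diagnostic properties the check requires to be True, spelled as the
# DnsServer cmdlets name them (property access is case-insensitive).
$Required = @(
    'Queries', 'Answers', 'Notifications', 'Update', 'QuestionTransactions',
    'UnmatchedResponse', 'SendPackets', 'ReceivePackets', 'TcpPackets',
    'UdpPackets', 'FullPackets', 'UseSystemEventLog',
    'EnableLoggingForLocalLookupEvent', 'EnableLoggingForPluginDllEvent',
    'EnableLoggingForRecursiveLookupEvent', 'EnableLoggingForRemoteServerEvent',
    'EnableLoggingForServerStartStopEvent', 'EnableLoggingForTombstoneEvent',
    'EnableLoggingForZoneDataWriteEvent', 'EnableLoggingForZoneLoadingEvent'
)

Import-Module DnsServer -ErrorAction Stop
$diag = Get-DnsServerDiagnostics -ComputerName $ComputerName

# Every required property that is not True (a missing property also counts).
$missing = @($Required | Where-Object { -not $diag.$_ })

if ($missing.Count -eq 0) {
    Write-Output "WDNS-AU-000006: all required diagnostic events are True (not a finding)."
    return
}

Write-Output "WDNS-AU-000006: FINDING. Not set to True: $($missing -join ', ')"

if ($Remediate) {
    # Set-DnsServerDiagnostics takes one Boolean parameter per event, so build
    # a hashtable holding only the events that need changing and splat it.
    $params = @{ ComputerName = $ComputerName }
    foreach ($name in $missing) { $params[$name] = $true }
    Set-DnsServerDiagnostics @params

    # Re-read the configuration and confirm nothing is still off.
    $after = Get-DnsServerDiagnostics -ComputerName $ComputerName
    $still = @($Required | Where-Object { -not $after.$_ })
    if ($still.Count -gt 0) {
        Write-Warning "Still not True after remediation: $($still -join ', ')"
    } else {
        Write-Output "Remediated: all required diagnostic events are now True."
    }
}
```

Run it without -Remediate first to record the pre-change state for the audit trail, then with -Remediate on servers that show a finding.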

Vulnerability Number

V-58551

Documentable

False

Rule Version

WDNS-AU-000006

Severity Override Guidance

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events.

Verify the following diagnostic events are set to "True":
Queries, Answers, Notifications, Update, QuestionTransactions, UnmatchedResponse, SendPackets, ReceivePackets, TcpPackets, UdpPackets, FullPackets, UseSystemEventLog
The following should also be set to "True":
EnableLoggingForLocalLookupEvent
EnableLoggingForPluginDLLEvent
EnableLoggingForRecursiveLookupEvent
EnableLoggingForRemoteServerEvent
EnableLoggingForServerStartStopEvent
EnableLoggingForTombstoneEvent
EnableLoggingForZoneDataWriteEvent
EnableLoggingForZoneLoadingEvent

If any required diagnostic event is not set to "True", this is a finding.

Check Content Reference

M

Target Key

2771

Comments