STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide, Version 1, Release 13, Benchmark Date 24 Jan 2020: The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.

DISA Rule

SV-73079r3_rule

Vulnerability Number

V-58649

Group Title

SRG-APP-000401-DNS-000051

Rule Version

WDNS-IA-000011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure local revocation data to be used in the event access to Certificate Authorities is hindered.

Check Contents

Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup.

If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.

Documentable

False

Severity Override Guidance

Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup.

If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.

Check Content Reference

M

Target Key

2771

Comments