STIGQter: STIG Summary

Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

Version: 2

Release: 2

Benchmark Date: 23 Apr 2021

| Checked | Name | Title |
|---|---|---|
| | SV-215573r561297_rule | The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. |
| | SV-215574r561297_rule | Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS). |
| | SV-215575r561297_rule | The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. |
| | SV-215576r561297_rule | The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records. |
| | SV-215577r561297_rule | The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). |
| | SV-215578r561297_rule | The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. |
| | SV-215579r561297_rule | NSEC3 must be used for all internal DNS zones. |
| | SV-215580r561297_rule | The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. |
| | SV-215581r561297_rule | All authoritative name servers for a zone must be located on different network segments. |
| | SV-215582r561297_rule | All authoritative name servers for a zone must have the same version of zone information. |
| | SV-215583r561297_rule | The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records. |
| | SV-215584r561297_rule | The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. |
| | SV-215585r561297_rule | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. |
| | SV-215586r561297_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. |
| | SV-215587r561297_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. |
| | SV-215588r561297_rule | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. |
| | SV-215589r561297_rule | The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator. |
| | SV-215590r561297_rule | The Windows 2012 DNS Server must implement internal/external role separation. |
| | SV-215591r561297_rule | The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. |
| | SV-215592r561297_rule | The DNS name server software must be at the latest version. |
| | SV-215593r561297_rule | The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone. |
| | SV-215594r561297_rule | The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months. |
| | SV-215595r561297_rule | Non-routable IPv6 link-local scope addresses must not be configured in any zone. |
| | SV-215596r561297_rule | AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware. |
| | SV-215597r561297_rule | The IPv6 protocol must be disabled unless the Windows 2012 DNS Server is configured to answer for and is hosting IPv6 AAAA records. |
| | SV-215598r561297_rule | The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols. |
| | SV-215599r561297_rule | The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt. |
| | SV-215600r561297_rule | The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. |
| | SV-215601r561297_rule | The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers. |
| | SV-215602r561297_rule | The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. |
| | SV-215603r561297_rule | The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0). |
| | SV-215604r561297_rule | The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key. |
| | SV-215605r561297_rule | The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run. |
| | SV-215606r561297_rule | The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software. |
| | SV-215607r561297_rule | The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates. |
| | SV-215608r561297_rule | The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. |
| | SV-215609r561297_rule | The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed. |
| | SV-215610r561297_rule | The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. |
| | SV-215611r561297_rule | The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server. |
| | SV-215612r561297_rule | The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries. |
| | SV-215613r561297_rule | The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers. |
| | SV-215614r561297_rule | WINS lookups must be disabled on the Windows 2012 DNS Server. |
| | SV-215615r561297_rule | The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers. |
| | SV-215616r561297_rule | The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone. |
| | SV-215617r561297_rule | The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. |
| | SV-215618r561297_rule | The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. |
| | SV-215619r561297_rule | The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. |
| | SV-215620r561297_rule | Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. |
| | SV-215621r561297_rule | Automatic Update of Trust Anchors must be enabled on key rollover. |
| | SV-215622r561297_rule | The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution. |
| | SV-215623r561297_rule | The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution. |
| | SV-215624r561297_rule | The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers. |
| | SV-215625r561297_rule | The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers. |
| | SV-215626r561297_rule | The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing. |
| | SV-215627r561297_rule | The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing. |
| | SV-215628r561297_rule | The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC. |
| | SV-215629r561297_rule | The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions. |
| | SV-215630r561297_rule | The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest. |
| | SV-215631r561297_rule | The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year. |
| | SV-215632r561297_rule | The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems. |
| | SV-215633r561297_rule | The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload. |
| | SV-215634r561297_rule | The Windows 2012 DNS Server must protect the integrity of transmitted information. |
| | SV-215635r561297_rule | The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission. |
| | SV-215636r561297_rule | The Windows 2012 DNS Server must maintain the integrity of information during reception. |
| | SV-215637r561297_rule | The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. |
| | SV-215638r561297_rule | The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions. |
| | SV-215639r561297_rule | The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. |
| | SV-215640r561297_rule | The DNS Name Server software must be configured to refuse queries for its version information. |
| | SV-215641r561297_rule | The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA. |
| | SV-215642r561297_rule | The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator. |
| | SV-215643r561297_rule | The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days. |
| | SV-215644r561297_rule | The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. |
| | SV-215645r561297_rule | The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken. |
| | SV-215647r561297_rule | The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients. |
| | SV-215648r561297_rule | The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. |
| | SV-215649r561297_rule | The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator. |
| | SV-215650r561297_rule | The Windows 2012 DNS Server log must be enabled. |
| | SV-215651r684253_rule | The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions. |
| | SV-215652r561297_rule | The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. |
| | SV-215660r561297_rule | The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. |
| | SV-215661r561297_rule | The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week. |
| | SV-228571r561297_rule | The Windows DNS name servers for a zone must be geographically dispersed. |