STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

Version: 1

Release: 13

Benchmark Date: 24 Jan 2020

Name | Title
SV-72667r3_rule | The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
SV-72973r3_rule | The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
SV-72977r4_rule | The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
SV-72979r3_rule | The Windows 2012 DNS Server log must be enabled.
SV-72981r6_rule | The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.
SV-72983r5_rule | The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
SV-72985r5_rule | The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events.
SV-72987r5_rule | The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
SV-72991r3_rule | The Windows 2012 DNS Server log must include event types within the log records.
SV-72993r3_rule | The Windows 2012 DNS Server log must include time stamps within the log records.
SV-72995r3_rule | The Windows 2012 DNS Server log must include origin of events within the log records.
SV-72997r3_rule | The Windows 2012 DNS Server log must include the source of events within the log records.
SV-72999r3_rule | The Windows 2012 DNS Server log must include results of events within the log records.
SV-73001r3_rule | The Windows 2012 DNS Server log must include identity of individual or process associated with events within the log records.
SV-73003r4_rule | The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
SV-73005r4_rule | The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
SV-73007r4_rule | The Windows DNS name servers for a zone must be geographically dispersed.
SV-73009r5_rule | The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
SV-73011r5_rule | Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
SV-73013r5_rule | The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
SV-73015r4_rule | The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
SV-73017r6_rule | The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
SV-73019r5_rule | The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
SV-73021r4_rule | NSEC3 must be used for all internal DNS zones.
SV-73023r5_rule | The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
SV-73025r4_rule | All authoritative name servers for a zone must be located on different network segments.
SV-73027r3_rule | All authoritative name servers for a zone must have the same version of zone information.
SV-73029r5_rule | The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.
SV-73031r4_rule | The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
SV-73033r3_rule | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
SV-73035r4_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
SV-73037r4_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
SV-73039r3_rule | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
SV-73041r4_rule | The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
SV-73043r3_rule | The Windows 2012 DNS Server must implement internal/external role separation.
SV-73045r5_rule | The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
SV-73047r4_rule | The DNS name server software must be at the latest version.
SV-73049r3_rule | The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
SV-73051r3_rule | The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
SV-73053r3_rule | Non-routable IPv6 link-local scope addresses must not be configured in any zone.
SV-73055r3_rule | AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
SV-73057r6_rule | When the IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records.
SV-73059r4_rule | The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
SV-73061r4_rule | The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
SV-73063r4_rule | The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
SV-73065r4_rule | The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
SV-73067r3_rule | The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
SV-73069r5_rule | The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
SV-73071r4_rule | The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
SV-73073r4_rule | The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
SV-73075r6_rule | The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
SV-73077r4_rule | The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
SV-73079r3_rule | The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
SV-73081r4_rule | The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
SV-73083r5_rule | The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
SV-73085r3_rule | The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server.
SV-73087r5_rule | The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
SV-73089r5_rule | The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
SV-73091r3_rule | WINS lookups must be disabled on the Windows 2012 DNS Server.
SV-73093r5_rule | The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
SV-73095r5_rule | The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone.
SV-73097r4_rule | The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.
SV-73099r4_rule | The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
SV-73101r6_rule | The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
SV-73103r5_rule | Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.
SV-73105r4_rule | Automatic Update of Trust Anchors must be enabled on key rollover.
SV-73107r4_rule | The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
SV-73109r5_rule | The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
SV-73111r5_rule | The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
SV-73113r5_rule | The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
SV-73115r3_rule | The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing.
SV-73117r6_rule | The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.
SV-73119r5_rule | The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.
SV-73121r3_rule | The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
SV-73123r4_rule | The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest.
SV-73125r4_rule | The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year.
SV-73127r3_rule | The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
SV-73129r3_rule | The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.
SV-73131r5_rule | The Windows 2012 DNS Server must protect the integrity of transmitted information.
SV-73133r5_rule | The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission.
SV-73135r5_rule | The Windows 2012 DNS Server must maintain the integrity of information during reception.
SV-73137r3_rule | The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
SV-73139r3_rule | The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
SV-73141r4_rule | The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
SV-73143r4_rule | The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
SV-73145r3_rule | The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
SV-73147r5_rule | The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
SV-73149r3_rule | The Windows 2012 DNS Server must generate audit records for the success and failure of start and stop of the DNS Server service.
SV-73167r3_rule | The DNS Name Server software must be configured to refuse queries for its version information.
SV-73169r4_rule | The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.