STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.

DISA Rule

SV-215608r561297_rule

Vulnerability Number

V-215608

Group Title

SRG-APP-000401-DNS-000051

Rule Version

WDNS-IA-000011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure local revocation data to be used in the event access to Certificate Authorities is hindered.

Check Contents

Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup.

If there is, verify that a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.

Vulnerability Number

V-215608

Documentable

False

Rule Version

WDNS-IA-000011

Severity Override Guidance

Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup.

If there is, verify that a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.

Check Content Reference

M

Target Key

4016

Comments