SV-215620r561297_rule
V-215620
SRG-APP-000215-DNS-000026
WDNS-SC-000012
CAT II
10
Log onto the primary DNS server and click Windows Explorer on the taskbar.
Navigate to C:\Windows\System32, right-click the dns folder, point to Share with, and then click Advanced sharing.
In the dns Properties dialog box, click Advanced Sharing, select the Share this folder check box, verify the Share name is dns, and then click OK.
Click Close and then close Windows Explorer.
Log onto each of the validating Windows 2012 DNS Servers.
In the DNS Manager console tree, navigate to the Trust Points folder.
Right-click Trust Points, point to Import, and then click DNSKEY.
In the Import DNSKEY dialog box, type \\primaryhost\dns\keyset-domain.mil (where primaryhost represents the FQDN of the Primary DNS Server and domain.mil represents the zone(s)).
Click OK.
Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.
Log onto each of the validating Windows 2012 DNS Servers.
In the DNS Manager console tree, navigate to each hosted zone under the Trust Points folder.
Two DNSKEY trust points should be displayed, one for the active key and one for the standby key.
If each validating Windows 2012 DNS Server does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding.
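The DNS Manager check above can also be scripted. The following is an added example, not part of the STIG text: it uses the DnsServer module's Get-DnsServerTrustAnchor cmdlet to count DNSKEY trust points per zone on each validating server and flags any zone with fewer than two. The server and zone names are placeholders, and the "fewer than two" threshold is this example's reading of the check.

```powershell
#Requires -Modules DnsServer
# Added example: audits DNSKEY trust points on validating DNS servers.
# Server and zone names are placeholders (assumptions), not values from the STIG.
param(
    [string[]]$ValidatingServer = @('validator1.domain.mil', 'validator2.domain.mil'),
    [string[]]$Zone             = @('domain.mil')
)

function Test-ZoneTrustPoints {
    param([string]$Server, [string]$ZoneName)

    $err = $null
    try {
        # Only DNSKEY trust anchors count toward the check; DS anchors are ignored.
        $anchors = @(Get-DnsServerTrustAnchor -Name $ZoneName -ComputerName $Server -ErrorAction Stop |
                     Where-Object { $_.TrustAnchorType -eq 'DNSKEY' })
    } catch {
        # A missing trust point container or an unreachable server is reported, not hidden.
        $anchors = @()
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        Server  = $Server
        Zone    = $ZoneName
        DnsKeys = $anchors.Count
        States  = ($anchors | ForEach-Object { $_.TrustAnchorState }) -join ','
        # The check expects two DNSKEY trust points (active key and standby key).
        Finding = ($anchors.Count -lt 2)
        Error   = $err
    }
}

$results = foreach ($s in $ValidatingServer) {
    foreach ($z in $Zone) { Test-ZoneTrustPoints -Server $s -ZoneName $z }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled compliance job detect a finding.
if ($results.Finding -contains $true) { exit 1 }
```

Run it from a management host with the DNS Server tools installed, passing the real validating servers and signed zones through -ValidatingServer and -Zone.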
V-215620
False
WDNS-SC-000012
M
4016