STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Windows 2012 DNS Server must, in the event of an error validating another DNS servers identity, send notification to the DNS administrator.

DISA Rule

SV-215649r561297_rule

Vulnerability Number

V-215649

Group Title

SRG-APP-000350-DNS-000044

Rule Version

WDNS-AU-000003

Severity

CAT II

CCI(s)

• CCI-001906 - The information system performs organization-defined actions in the event of an error when validating the binding of the information producer identity to the information.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

To detect and notify the administrator, configure a third-party event monitoring system or, at a minimum, document and implement a procedure to require the administrator to check the DNS logs on a routine, daily basis.

Check Contents

Windows 2012 DNS servers, hosting Active Directory integrated zones, transfer zone information via AD replication. Windows 2012 DNS servers hosting non-AD-integrated zones as a secondary name server and/or are not hosting AD-integrated zones use zone transfer to sync zone data.

If the Windows 2012 DNS server only hosts AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable.

If the Windows 2012 DNS server is not an Active Directory Domain Controller, or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable.

Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis.

If a third-party event monitoring system is not configured, or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.

Vulnerability Number

V-215649

Documentable

False

Rule Version

WDNS-AU-000003

Severity Override Guidance

Windows 2012 DNS servers, hosting Active Directory integrated zones, transfer zone information via AD replication. Windows 2012 DNS servers hosting non-AD-integrated zones as a secondary name server and/or are not hosting AD-integrated zones use zone transfer to sync zone data.

If the Windows 2012 DNS server only hosts AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable.

If the Windows 2012 DNS server is not an Active Directory Domain Controller, or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable.

Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis.

If a third-party event monitoring system is not configured, or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.

Check Content Reference

M

Target Key

4016

Comments