STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.

DISA Rule

SV-215651r684253_rule

Vulnerability Number

V-215651

Group Title

SRG-APP-000089-DNS-000005

Rule Version

WDNS-AU-000006

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Open an elevated Windows PowerShell prompt on the DNS server on which event logging needs to be enabled.

Use the “Set-DnsServerDiagnostics” cmdlet to enable the required diagnostic events.

Run Set-DnsServerDiagnostics -<diagnostic event> $true <enter> for each required diagnostic event.
For example, to set EnableLoggingForLocalLookupEvent to true, enter the following at the command line:
Set-DnsServerDiagnostics -EnableLoggingForLocalLookupEvent $true <enter>

Check Contents

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events.

Verify the following diagnostic events are set to "True":
Queries, Answers, Notifications, Update, QuestionTransactions, UnmatchedResponse, UseSystemEventLog
The following must also be set to "True":
EnableLoggingForLocalLookupEvent
EnableLoggingForPluginDLLEvent
EnableLoggingForRecursiveLookupEvent
EnableLoggingForRemoteServerEvent
EnableLoggingForServerStartStopEvent
EnableLoggingForTombstoneEvent
EnableLoggingForZoneDataWriteEvent
EnableLoggingForZoneLoadingEvent

Note: The UseSystemEventLog does not have to be set to true if all other variables are logged per the requirement and it can be validated that the events are being logged to a different log file destination.

If all required diagnostic events are not set to "True", this is a finding.
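A PowerShell audit-and-remediate helper covering both the check and the fix above, added here as an example; it is not part of the STIG text or of STIGQter. It assumes the DnsServer module is available in an elevated session on (or with remote rights to) the DNS server; the function names, $RequiredEvents and the -IncludeSystemEventLog switch are my own choices.

```powershell
# Added example for WDNS-AU-000006 (not DISA or STIGQter code).
# Assumes the DnsServer module and an elevated session on the target.
$RequiredEvents = @(
  'Queries','Answers','Notifications','Update','QuestionTransactions','UnmatchedResponse',
  'EnableLoggingForLocalLookupEvent','EnableLoggingForPluginDLLEvent',
  'EnableLoggingForRecursiveLookupEvent','EnableLoggingForRemoteServerEvent',
  'EnableLoggingForServerStartStopEvent','EnableLoggingForTombstoneEvent',
  'EnableLoggingForZoneDataWriteEvent','EnableLoggingForZoneLoadingEvent'
)

function Test-DnsDiagnosticLogging {
  # Reports every required diagnostic event that is not True (the check portion).
  param([string]$ComputerName = $env:COMPUTERNAME)
  $diag    = Get-DnsServerDiagnostics -ComputerName $ComputerName
  $missing = @($RequiredEvents | Where-Object { -not $diag.$_ })
  if (-not $diag.UseSystemEventLog) {
    # Per the STIG note, False is only acceptable if the alternate destination can be validated.
    Write-Warning "UseSystemEventLog is False on $ComputerName; validate logging to '$($diag.LogFilePath)'."
  }
  [pscustomobject]@{
    ComputerName      = $ComputerName
    MissingEvents     = $missing
    UseSystemEventLog = [bool]$diag.UseSystemEventLog
    LogFilePath       = $diag.LogFilePath
    Finding           = ($missing.Count -gt 0)
  }
}

function Repair-DnsDiagnosticLogging {
  # Enables only the events the audit found disabled, in a single Set-DnsServerDiagnostics call (the fix portion).
  param([string]$ComputerName = $env:COMPUTERNAME, [switch]$IncludeSystemEventLog)
  $missing = (Test-DnsDiagnosticLogging -ComputerName $ComputerName).MissingEvents
  if ($IncludeSystemEventLog) { $missing += 'UseSystemEventLog' }
  if ($missing.Count -eq 0) { return }
  $params = @{ ComputerName = $ComputerName }
  foreach ($name in $missing) { $params[$name] = $true }   # each parameter is [bool]
  Set-DnsServerDiagnostics @params
  Test-DnsDiagnosticLogging -ComputerName $ComputerName    # re-audit to confirm
}

Test-DnsDiagnosticLogging | Format-List
```

Run Repair-DnsDiagnosticLogging only after the audit output has been reviewed; the -IncludeSystemEventLog switch is for servers that do not log to a separate file destination.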

Documentable

False

Check Content Reference

M

Target Key

4016

Comments