STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.

DISA Rule

SV-215652r561297_rule

Vulnerability Number

V-215652

Group Title

SRG-APP-000516-DNS-000500

Rule Version

WDNS-AU-000007

Severity

CAT II

CCI(s)

• CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the permissions on the DNS logs.

Standard user accounts or groups must not have greater than READ access.

The default permissions listed below satisfy this requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

The default locations are:

DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

Check Contents

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:

Administrators
Auditors (if the site has an Auditors group that further limits this privilege.)

If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords.

Verify the permissions on the DNS logs.

Standard user accounts or groups must not have greater than READ access.

The default locations are:

DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

Using the file explorer tool navigate to the DNS Server log file.

Right click on the log file, select the “Security” tab.

The default permissions listed below satisfy this requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.

Vulnerability Number

V-215652

Documentable

False

Rule Version

WDNS-AU-000007

Severity Override Guidance

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:

Administrators
Auditors (if the site has an Auditors group that further limits this privilege.)

If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords.

Verify the permissions on the DNS logs.

Standard user accounts or groups must not have greater than READ access.

The default locations are:

DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

Using the file explorer tool navigate to the DNS Server log file.

Right click on the log file, select the “Security” tab.

The default permissions listed below satisfy this requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.

Check Content Reference

M

Target Key

4016

Comments